Overview

overview

10

Static

static

3

1b7cbee30e...8d.exe

windows10-2004-x64

10

1cb2277eea...2a.exe

windows10-2004-x64

10

26dae86d00...a2.exe

windows10-2004-x64

10

35cd974b16...ec.exe

windows10-2004-x64

10

45e7028a78...91.exe

windows10-2004-x64

10

4cd2f124df...48.exe

windows10-2004-x64

10

5fdef2b38d...0a.exe

windows10-2004-x64

10

7284e9e031...c7.exe

windows10-2004-x64

10

781c022afd...54.exe

windows10-2004-x64

10

84163f9b0d...a5.exe

windows10-2004-x64

10

90251e43cd...e4.exe

windows10-2004-x64

10

9a3023ff33...37.exe

windows10-2004-x64

10

b4b999d8f3...50.exe

windows7-x64

10

b4b999d8f3...50.exe

windows10-2004-x64

10

bdd93956fe...8b.exe

windows10-2004-x64

10

cf840721c0...70.exe

windows10-2004-x64

10

e52fb58b8a...f1.exe

windows10-2004-x64

10

ecfbac56ff...9e.exe

windows10-2004-x64

10

f0f492b9b0...9a.exe

windows10-2004-x64

10

f921df4c23...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe

  • Size

    759KB

  • MD5

    aa1f1a243e1c643d3628a1d03fe3dfe5

  • SHA1

    9a7e886e9cf0a312e98a6ec70f2d2a67eb9ac486

  • SHA256

    781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754

  • SHA512

    eb319b6eeefc62ca9da42ac8a8b935988dd8f850fc0c02000dc08c4e56e8b9cd27dbdea3eef713a2c45a381c57add3fca4dd3d79663b888b4462c76929cc1337

  • SSDEEP

    12288:zMrxy90kdsZQT9R4xmy3mv88YzniUK2WsJ/wt17qS20y353p6ua4En6oxOcKmRgt:iytT9o7Wtu9WsJ30yJ3lXmJxq5

Score
10/10
mysticredlinekinzainfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
    "C:\Users\Admin\AppData\Local\Temp\781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ok5Lc0Vf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ok5Lc0Vf.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sr67Cy1.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sr67Cy1.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1656
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2736
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 540
              5⤵
              • Program crash
              PID:1864
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2RB567CG.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2RB567CG.exe
          3⤵
          • Executes dropped EXE
          PID:1260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2736 -ip 2736
      1⤵
        PID:4484

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ok5Lc0Vf.exe
        Filesize

        563KB

        MD5

        138c33958320e3e3a0f6d4d48eabcd47

        SHA1

        159ead1f9c8b9614c303d8949e0110ac4deaa307

        SHA256

        4a09067f906ac2830ba540f4a4d674b6dc0740aa443514c0c9b4387976626272

        SHA512

        fc9f213afea7cd839ab684cba872b30bbb1ee360d4a388876897fddcc6c3c5043ed8f222bce37bbac6dec24b9d0573947016c9d557dbd053357656f2389b735d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1sr67Cy1.exe
        Filesize

        1.1MB

        MD5

        ab206af415ba79326b5e785a1712fb9a

        SHA1

        e99bf49b1ea7e4bbb48fb404782b2934ca36717a

        SHA256

        cf50c17b31a2dc71085471d09dd2bbbb4123507a00f4515d9095c25391088839

        SHA512

        20e0f019ae11d2e96590f89a9b947995032b510d40b647c8162ebbf6a563f381fa42a8fe70fe01c473bae8abcd4b80c60c7a5d116e52bee98cfa8a786de83b43

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2RB567CG.exe
        Filesize

        221KB

        MD5

        3ef4b51b9e3ae103caa495e11923ad05

        SHA1

        bd868fd3bc00b77e6fc0a884b13152692ffb93e5

        SHA256

        78cd14290f7c3802dafe46bc63dd3de21340f691a6ab760fe337ac6c316bdc0a

        SHA512

        09aad3c71276f54f4c2401aeb66ad6960f5a68de4a38d8c815d08dbd410ee475ec14f1e5ea7b4679ca73b0b42e83ccc7ff840738fb7418ed0c2133822f161d77

        Download Submit
      • memory/1260-27-0x0000000008160000-0x000000000826A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1260-22-0x0000000000E40000-0x0000000000E7E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1260-23-0x0000000008280000-0x0000000008824000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/1260-24-0x0000000007D70000-0x0000000007E02000-memory.dmp
        Filesize

        584KB

        Download
      • memory/1260-25-0x00000000052E0000-0x00000000052EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/1260-26-0x0000000008E50000-0x0000000009468000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/1260-28-0x0000000007E30000-0x0000000007E42000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1260-29-0x0000000007FB0000-0x0000000007FEC000-memory.dmp
        Filesize

        240KB

        Download
      • memory/1260-30-0x0000000007E60000-0x0000000007EAC000-memory.dmp
        Filesize

        304KB

        Download
      • memory/2736-18-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2736-16-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2736-15-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download
      • memory/2736-14-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

        Download