Overview
overview
10Static
static
3169827445a...fd.exe
windows10-2004-x64
102c5911fd0a...9f.exe
windows10-2004-x64
103d26ff1c7f...6f.exe
windows10-2004-x64
104316c9cb7f...d5.exe
windows10-2004-x64
10453554affb...f6.exe
windows10-2004-x64
104be48036db...87.exe
windows10-2004-x64
106843058b07...7b.exe
windows10-2004-x64
106ab7739b7f...d6.exe
windows10-2004-x64
10741b5d1728...11.exe
windows10-2004-x64
107dbaeca4ac...3f.exe
windows7-x64
107dbaeca4ac...3f.exe
windows10-2004-x64
10889f2baa64...76.exe
windows10-2004-x64
1092288ddafe...85.exe
windows10-2004-x64
109697ffb24d...50.exe
windows10-2004-x64
10abd0fa453e...b8.exe
windows10-2004-x64
10b28f0b1322...38.exe
windows10-2004-x64
10d89a055085...df.exe
windows10-2004-x64
10db77a8c068...dc.exe
windows7-x64
10db77a8c068...dc.exe
windows10-2004-x64
10e00e311d45...53.exe
windows10-2004-x64
10e0990290e3...28.exe
windows10-2004-x64
10fedbb32d49...4c.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 10:02
Static task
static1
Behavioral task
behavioral1
Sample
169827445a78f6e1cde6f851fe18dbe8b5850a2768cb303f453ceaacfe59d6fd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
2c5911fd0a616aa00118b87a5216b4c3312dd590b4988b62bf0651b91fc5b29f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
3d26ff1c7f2a98b2c2c03ddc43bd17ad629931d425986a46cb7ba3ef54b1ba6f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
4316c9cb7f9e1a073313300df45a90e9457dec01ec27e4f7c9725091247276d5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
453554affb4477ef1397310265a6a90ae0953e5bca58d9b7b98e7323e7cccdf6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
4be48036db804507d4009d7d5ef56ad2feeb011ce624c73eef68521a4acf1687.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
6843058b079dbc0a22ff6542bd36408373534e51519828b2e5059a1c3a0a837b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
6ab7739b7f0b5cc84bf55cd6f09beb3d4860ec6428202c54e8e023161020c8d6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
741b5d17281b7e19ee8dd529a91b547c0bdf8938c84539f745ec882d49373311.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe
Resource
win7-20240220-en
Behavioral task
behavioral11
Sample
7dbaeca4ac219449e315df2bb20e786dfc5c304cb5d522d6e15619a91276ba3f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
92288ddafeaa0f77357b90005f63961458788f6cd7af44be378bd1de6a725c85.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9697ffb24dfe38f4a40e3cf91464543c6f5a47170c56b58a949e1a93ab9df050.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
abd0fa453ed59d06e5c3d6cbafe873f404a47cab8f3c4bcd545fdfa7491ff4b8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
b28f0b13221fc5aaa297029cc7c28a22c5b5dfe8aa6626036342ae0b862d8838.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
d89a0550853b7067190a4816c540a6838fc7703bf9df0665fc491c92feb72adf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
db77a8c0688fc65498578d6fb53ea4154ece1d8d958e3b911f81835c8aa908dc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
e00e311d4566f8b67392f945545d0e1ea579af2fa76c416042196eea3ca75753.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
e0990290e38dc94b3c6a8bd8d028c230706f11717bdc17beb40d9a73dcfb2628.exe
Resource
win10v2004-20240426-en
General
-
Target
889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe
-
Size
759KB
-
MD5
05e9b1e9e4a45d3390b5b633daa40716
-
SHA1
5829febba902de0be9afd3b3319f941e639ce8a9
-
SHA256
889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576
-
SHA512
5f55a5e74477426919414c3a969cd406788e58d75a4e9eb88876e5ebf331f9760129550a9fc65278581b587f993464cd4df1caad9982aea22a7d4b8f160ec4c7
-
SSDEEP
12288:dMrJy90gMXNMpwN+kHclWLslLMQcwPEH+J3sb4zTnvcgv7:oyRaOlCsqQcw5J3waDvlv7
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral12/memory/2848-14-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral12/memory/2848-18-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral12/memory/2848-16-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral12/memory/2848-15-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral12/files/0x0007000000023412-20.dat family_redline behavioral12/memory/4084-22-0x0000000000310000-0x000000000034E000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 3984 oN1im9yz.exe 2496 1yR85eG8.exe 4084 2bt653HX.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" oN1im9yz.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2496 set thread context of 2848 2496 1yR85eG8.exe 86 -
Program crash 1 IoCs
pid pid_target Process procid_target 916 2848 WerFault.exe 86 -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1444 wrote to memory of 3984 1444 889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe 82 PID 1444 wrote to memory of 3984 1444 889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe 82 PID 1444 wrote to memory of 3984 1444 889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe 82 PID 3984 wrote to memory of 2496 3984 oN1im9yz.exe 83 PID 3984 wrote to memory of 2496 3984 oN1im9yz.exe 83 PID 3984 wrote to memory of 2496 3984 oN1im9yz.exe 83 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 2496 wrote to memory of 2848 2496 1yR85eG8.exe 86 PID 3984 wrote to memory of 4084 3984 oN1im9yz.exe 88 PID 3984 wrote to memory of 4084 3984 oN1im9yz.exe 88 PID 3984 wrote to memory of 4084 3984 oN1im9yz.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe"C:\Users\Admin\AppData\Local\Temp\889f2baa640211bf12947cfab6157ff93a774d0b4ed9568df0eb65952cedf576.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oN1im9yz.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oN1im9yz.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3984 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yR85eG8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1yR85eG8.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 5405⤵
- Program crash
PID:916
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2bt653HX.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2bt653HX.exe3⤵
- Executes dropped EXE
PID:4084
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2848 -ip 28481⤵PID:3340
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
562KB
MD5fdadb507a0c8a021bfa0424bd155114d
SHA13391445e918da31502fe82e42581beae694979b2
SHA256e54213a05ba76aff8d2fc5f565fb7694a3ed417e4fc54a96e5a36dd5a63cd7fa
SHA512dcaa427e85be4e4ce14592764737c2630f767cdd79b629aebd1c8ac4b5a296ee6194b102184b68e992e1277a9ec1234e82923c7aa423391dc1a3059b3fbd5e24
-
Filesize
1.1MB
MD5fb44588fd9e290bcc5b99d81cafe5943
SHA1a3d9c18acf30f4ddff3df14c1cc2d699977f1041
SHA2561264ce4fc831a9e67e33380fde078ec9d41ceff40f18cf2ca2c4572d87aa51c5
SHA512360e5221f6489a703f3a98a8d072ff71ab06776fde102cc017062478023cb9487c61f9c66a62cb01afa5472fe9d1b914ee72d7c1220a71557713d7d0065b3f0f
-
Filesize
222KB
MD5506e2a988825246eae31f7ad3b994902
SHA14657082ef7149cd4b88ed2279e94e3fe625bf738
SHA256eca815199ff9968b4cda2557a91bdf9c3958e596ed4ce1fc64c74b6b5b9e17a3
SHA512741afec04aa21f8d0b50eca32ef175882c6d92cb6e370279a6f6171eec1b6f14197f64040d91580cce33aa4b0ae21ac0cc6566d725d7686ad572d08132f8d920