Analysis
- max time kernel: 134s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 10:02
- Static task static1
- Behavioral task behavioral1: sample 06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe, resource win10v2004-20240426-en
- Behavioral task behavioral2: sample 14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe, resource win10v2004-20240508-en
- Behavioral task behavioral3: sample 16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe, resource win10v2004-20240508-en
- Behavioral task behavioral4: sample 192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3.exe, resource win10v2004-20240426-en
- Behavioral task behavioral5: sample 208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe, resource win10v2004-20240508-en
- Behavioral task behavioral6: sample 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe, resource win10v2004-20240426-en
- Behavioral task behavioral7: sample 2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe, resource win10v2004-20240426-en
- Behavioral task behavioral8: sample 396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe, resource win10v2004-20240508-en
- Behavioral task behavioral9: sample 777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe, resource win10v2004-20240226-en
- Behavioral task behavioral10: sample 7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe, resource win10v2004-20240508-en
- Behavioral task behavioral11: sample 80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe, resource win10v2004-20240426-en
- Behavioral task behavioral12: sample 8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe, resource win10v2004-20240508-en
- Behavioral task behavioral13: sample 9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe, resource win10v2004-20240508-en
- Behavioral task behavioral14: sample 9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe, resource win10v2004-20240426-en
- Behavioral task behavioral15: sample a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe, resource win10v2004-20240426-en
- Behavioral task behavioral16: sample aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe, resource win10v2004-20240508-en
- Behavioral task behavioral17: sample e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe, resource win10v2004-20240426-en
- Behavioral task behavioral18: sample e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe, resource win10v2004-20240508-en
- Behavioral task behavioral19: sample f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe, resource win10v2004-20240508-en
- Behavioral task behavioral20: sample f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe, resource win10v2004-20240426-en
General
- Target: 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe
- Size: 562KB
- MD5: d251764d069bab0638824c87cb165aeb
- SHA1: 0d494f305b99a1dc6eb0a5975c9a14752a41a166
- SHA256: 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19
- SHA512: 6b53824cf7ab1cd26f8052544a446471f1719bc8dd75ee5bdd7bd0db9044c16b756fd975c29549e8f1549027674c0b9073749cd5365dd77570e0d2fcb4f81b8d
- SSDEEP: 12288:1Mrky903T8TiTWrrVK31Ht/q7CErraIitJ00Q9ZQkoCiznSVk:tyHJCH/ErraIKu0uQkbCSm
Malware Config
Extracted
- Family: redline
- Botnet: gadki
- C2: 77.91.124.82:19071
- auth_value: 2efd98e4d8880b45676de60a0faf778f
Signatures

Detect Mystic stealer payload (5 IoCs)
resource / yara_rule:
- behavioral6/memory/3084-14-0x0000000000400000-0x0000000000428000-memory.dmp: mystic_family
- behavioral6/memory/3084-16-0x0000000000400000-0x0000000000428000-memory.dmp: mystic_family
- behavioral6/memory/3084-18-0x0000000000400000-0x0000000000428000-memory.dmp: mystic_family
- behavioral6/memory/3084-15-0x0000000000400000-0x0000000000428000-memory.dmp: mystic_family
- behavioral6/files/0x0007000000023412-24.dat: mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource / yara_rule:
- behavioral6/files/0x0007000000023416-20.dat: family_redline
- behavioral6/memory/1028-22-0x00000000001E0000-0x0000000000210000-memory.dmp: family_redline

Executes dropped EXE (4 IoCs)
pid / Process:
- 1044 x9235905.exe
- 1236 g1258529.exe
- 1028 h0591710.exe
- 872 i8771580.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description / ioc / Process:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: x9235905.exe)

Suspicious use of SetThreadContext (1 IoC)
description / pid / Process / procid_target:
- PID 1236 set thread context of 3084 (Process: g1258529.exe, procid_target 84)

Program crash (3 IoCs)
pid / pid_target / Process / procid_target:
- pid 2828, pid_target 1236, WerFault.exe, procid_target 83
- pid 4628, pid_target 3084, WerFault.exe, procid_target 84
- pid 2424, pid_target 1028, WerFault.exe, procid_target 93

Suspicious use of WriteProcessMemory (22 IoCs)
description / pid / Process / procid_target (identical rows collapsed, with their count):
- PID 2524 wrote to memory of 1044 (Process: 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe, procid_target 82), 3 rows
- PID 1044 wrote to memory of 1236 (Process: x9235905.exe, procid_target 83), 3 rows
- PID 1236 wrote to memory of 3084 (Process: g1258529.exe, procid_target 84), 10 rows
- PID 1044 wrote to memory of 1028 (Process: x9235905.exe, procid_target 93), 3 rows
- PID 2524 wrote to memory of 872 (Process: 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe, procid_target 96), 3 rows
Processes (indentation shows the parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe (PID 2524)
  command line: "C:\Users\Admin\AppData\Local\Temp\2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9235905.exe (PID 1044)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9235905.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1258529.exe (PID 1236)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1258529.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3084)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        - C:\Windows\SysWOW64\WerFault.exe (PID 4628)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 560
          signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 2828)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 564
        signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0591710.exe (PID 1028)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h0591710.exe
      signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe (PID 2424)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 928
        signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8771580.exe (PID 872)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8771580.exe
    signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3932)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3084 -ip 3084
- C:\Windows\SysWOW64\WerFault.exe (PID 3820)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1236 -ip 1236
- C:\Windows\SysWOW64\WerFault.exe (PID 4508)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1028 -ip 1028
Downloads
- Filesize: 140KB
  MD5: 03f1f8704f8431e86ad34599160b5f72
  SHA1: e5794faa16938d4ab3b04a3243c34faf2d5acfa9
  SHA256: b713fb351f89eb437fbd77566e3241b747405d3d85d98ff03f1317692667eb01
  SHA512: 78e2bc19192b70535b46de672b348faa27e6a7081c53d398ca426f906add08070cb5ed57bb07741f497f9109666dad1029e6f5f5dac9492d56ee1337842e2c75
- Filesize: 397KB
  MD5: 7d3d599a978cdb7a9ad1ac3f4e0a4a7c
  SHA1: 2f9383d00016041334b2e951b276505a83e16ef1
  SHA256: 5f582f2e92bbfbb81c7df8218c3bc4b117bf9ec238b6c946e94129b98f780fa2
  SHA512: 2e02683f8016e6b0177bec6436d359c23d28ecb76da40f5fb5249da500fa5469c088c3c9b1e73642f3091e5d14e2537affab4d4fba55d2ebfeffd1e11b9d03eb
- Filesize: 379KB
  MD5: 55dfba89fa4ed4918c600a908a53c0d0
  SHA1: b1cc334314d0b29b7e6a792f5b0e75e536830fc9
  SHA256: 2021f0bd15ad360b7d84ba0b921e540636e8a205225f4e780086e4a9bf6eda14
  SHA512: ba650a0ed21da04dd8baa6b6747c0cd0ab78e54e8435a93786b286585126cbbcdaea0208e49bc08941c5576f89219363541a6f8aa1def697e8f371b1354b6785
- Filesize: 174KB
  MD5: b7f3ca30d5c6ea94d5a2a1c9d5c41ef0
  SHA1: 4c238a4542a441bd69df4a2cbe582f9fd5f3f38b
  SHA256: 45196ef8cc6f6246c196c09190a57735b05d61f5b1ae39ed0339650e7365b684
  SHA512: 9db4267b64c288688f6762996dc5d52e1945209237e88a297239905358fcdef244e5fbc6346884b5b263a1c414c05851003eb2705fc0adcc7a948d2a25740847