Overview
overview
10Static
static
30e5866c048...02.exe
windows10-2004-x64
10168a3cbbca...f6.exe
windows10-2004-x64
1023530bfa27...e2.exe
windows10-2004-x64
1025974ec913...91.exe
windows10-2004-x64
1029e8eb905d...57.exe
windows10-2004-x64
102ff2598373...ce.exe
windows10-2004-x64
1030a7bebd46...c4.exe
windows10-2004-x64
1036848c0be9...d8.exe
windows10-2004-x64
10369e096918...34.exe
windows10-2004-x64
10397f0bf375...c6.exe
windows10-2004-x64
103a437fa895...c1.exe
windows10-2004-x64
103f23e445a9...39.exe
windows10-2004-x64
1044dedbcb8a...5f.exe
windows10-2004-x64
106aec122dba...ee.exe
windows10-2004-x64
10b0d3a36603...55.exe
windows10-2004-x64
10b4f17a4609...a2.exe
windows10-2004-x64
10d2d831c046...51.exe
windows10-2004-x64
10da40ec1cf9...48.exe
windows10-2004-x64
10e7a2b48b9e...75.exe
windows10-2004-x64
10f07691246e...f6.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23/05/2024, 10:08
Static task
static1
Behavioral task
behavioral1
Sample
0e5866c0482cf393f74fa629a43250b2a3d3c45a5c86eda348a71f8d88c5da02.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
168a3cbbca960033cd4ea67293c3f4f47ded711184772caf9f2050ac2f16cdf6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
23530bfa27653b3a30a5c3778bc7c58fac12efe736252f4527f831347afec4e2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
25974ec913921f8a9dbf6d175cbf975173e12a47c730f07db9ff7336aa799391.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
29e8eb905dd243a014498d2c372ce7c07306a13d8848307d94468ecc7f523557.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2ff2598373e4f2608549579f5029d8c3106c485e2d1768ec605951faad4c9ace.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
30a7bebd46e90f9faf44a72b002a8447cd4d7a0f4982658f32e50b6ad9e400c4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
36848c0be9ce6eaebbeca6101443f6ab369e9c84bcb678b2d8f07da9540c66d8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
397f0bf37598f6fd4fd6a8933cfdbaebedc80de5b8929b28899fdcf9b7ba0cc6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
3a437fa89562e5fc34e761a6ede9c12aa1d8ef1be68ac45a97f3719b864fd8c1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
3f23e445a9c2f529b4cbc3f4ee40ef64fa1fe69a8d4a241b103ec8c749376239.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
44dedbcb8ac06abbb0645f455edb582c6bc3a229eb0f288d6e63c6181d50d65f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
6aec122dba60c94432d6aee116732395d28cda2ecb306d8ab832d137811ceeee.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
b0d3a3660331ff8ff0504498edd9bff28eeb733ac6d718bd589cac5bf7c59855.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
b4f17a4609e2cec3a4889b16b6afbe340483f8403878fb6bc6d524be8e5764a2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
d2d831c046edce3072fd8f388c2954aefb3a8b6e2b64384d613bdd5478a9ea51.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
da40ec1cf90ce4636876a76bd250b12ca3df8f973c3aa4752203ce19ac39a548.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e7a2b48b9e169ff5a481fe8fb2f4f1d9a8ce2a823d5e2140cb1f264b7f525175.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f07691246ef6b1342b6b3c147dc49c2f4a89eec24e4f141c8ff8768bbc4711f6.exe
Resource
win10v2004-20240508-en
General
-
Target
369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe
-
Size
768KB
-
MD5
4d1dc164a1a95c87bef2a357c41bf9e9
-
SHA1
02a094938f6119cb4e44afb4eb4f568627614e61
-
SHA256
369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34
-
SHA512
acd7994b25576cc1b51dec79fe45909e37d0e11924eff27b39e75b441df4e0870472da8f8c7acbbd76dbfcc94a06830c98780c3196ffe9b87967e48b6e8b96e1
-
SSDEEP
12288:IMriy90IS6DfCzMyG1J50BDhAQTlUtajgfKoc24s9gslFkc1aBR+:aySOfCwHJ2VhAQTlU2K4Ug7+
Malware Config
Extracted
redline
kedru
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral9/memory/3108-14-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral9/memory/3108-15-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral9/memory/3108-16-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral9/memory/3108-18-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral9/files/0x00070000000233cc-19.dat family_redline behavioral9/memory/3084-22-0x0000000000720000-0x000000000075C000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 1700 Rz7dO3CO.exe 1688 1DT09If6.exe 3084 2OZ166hG.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Rz7dO3CO.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1688 set thread context of 3108 1688 1DT09If6.exe 83 -
Program crash 2 IoCs
pid pid_target Process procid_target 2296 3108 WerFault.exe 83 852 1688 WerFault.exe 82 -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 4868 wrote to memory of 1700 4868 369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe 81 PID 4868 wrote to memory of 1700 4868 369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe 81 PID 4868 wrote to memory of 1700 4868 369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe 81 PID 1700 wrote to memory of 1688 1700 Rz7dO3CO.exe 82 PID 1700 wrote to memory of 1688 1700 Rz7dO3CO.exe 82 PID 1700 wrote to memory of 1688 1700 Rz7dO3CO.exe 82 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1688 wrote to memory of 3108 1688 1DT09If6.exe 83 PID 1700 wrote to memory of 3084 1700 Rz7dO3CO.exe 91 PID 1700 wrote to memory of 3084 1700 Rz7dO3CO.exe 91 PID 1700 wrote to memory of 3084 1700 Rz7dO3CO.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe"C:\Users\Admin\AppData\Local\Temp\369e096918ca2cc20f1329b7cf7076b3fabb1107c1cb2113ef54eeda92e41e34.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz7dO3CO.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rz7dO3CO.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DT09If6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1DT09If6.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:3108
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 5405⤵
- Program crash
PID:2296
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 5684⤵
- Program crash
PID:852
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OZ166hG.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2OZ166hG.exe3⤵
- Executes dropped EXE
PID:3084
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3108 -ip 31081⤵PID:1912
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1688 -ip 16881⤵PID:1264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
573KB
MD5271d63b01319617a1614afaa99456684
SHA1a6497295abfa2f9a774b562912e1ab4e2ba6725b
SHA2565ff354a516b82b3b5e3920ab61fdcdb98d5e4b5ee5dff942e0c0d41fd23b9826
SHA512f3d1eecb78f4f713364a93c64c8860b42d3ac36a37665edeff2baa7d9a180908f6d9f4e2793b1bc36bb28c089b7564b389b4f8d9835ebe9a28615b9df8cd8b87
-
Filesize
1.1MB
MD50c5f1346aac4747364c2da051ce8beed
SHA149b48a2a804c97ff1f171652fea01283abb48724
SHA256b514d284eafe5c9acd5f68a1290e6a6b7d5a5fee5b7ae9ce4ef853fa6948bb4c
SHA512e634ed76ac1e114415a2664a3773e1c70a35d4f67dbf06898ae576be28f8f241099ab0f19aeb96e6f95ebc6cdfc609ecb45e3895ecc346271c0d449aa1f94345
-
Filesize
219KB
MD5db31cd92867dade24448b9e8f78d49b6
SHA164b70b0143d124a301bff8bf1ecd79b2d53ee619
SHA25681cef48c3f3823d918f398c7e28111901927779a8d67ddd25851f91315693332
SHA512039d9f00cc5b30b22456ebd31fe371f7432359dbf0915740998a2cffaaea35d506ec0e1d10bb9d87e1b4064a90dff7057562f503c469128874c956dc6a463a62