Overview
overview
10Static
static
30848e1e7e1...63.exe
windows10-2004-x64
101106a57fdf...a5.exe
windows10-2004-x64
10185a521367...e2.exe
windows10-2004-x64
101a2ed241f7...81.exe
windows10-2004-x64
103933af1a19...66.exe
windows10-2004-x64
104046412564...e5.exe
windows10-2004-x64
1048b2c44ad3...cf.exe
windows10-2004-x64
106fdb50a007...59.exe
windows10-2004-x64
10708b7d578b...65.exe
windows10-2004-x64
1073dc042440...3f.exe
windows10-2004-x64
109a45e9c206...55.exe
windows10-2004-x64
109a8f8e9a46...09.exe
windows10-2004-x64
109ab135934b...fe.exe
windows10-2004-x64
10ab010a807d...38.exe
windows10-2004-x64
10b85fd724a0...c4.exe
windows10-2004-x64
10d940f9b9c6...49.exe
windows10-2004-x64
10dc87cba915...e1.exe
windows10-2004-x64
10e7bd826b7a...05.exe
windows10-2004-x64
10ffbf9f9530...19.exe
windows10-2004-x64
10Analysis
-
max time kernel
136s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:40
Static task
static1
Behavioral task
behavioral1
Sample
0848e1e7e128d7f1f97806b2608b355879b602ba08e121497f133be212790f63.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1a2ed241f75ba217ad63fa42ab55e56d8f009f93b151dd367b73459e26169081.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
3933af1a190b049a02aad532333dad6c4862e46b510cc0ec5184873641cc3166.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
48b2c44ad346117214bc572f969741dfa0acfcd1fc6e23b00cdeb324c9f00fcf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
ab010a807d239acb2941ec42032df7751afe90303b101088fee9d258794e4a38.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b85fd724a0f0185fdd32093b1f07f4f209b862b9406e12882311cd820c17cac4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
dc87cba915fb6101c577a0531cedb5d304be24abd22d9faa34b7a606ccc5f8e1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e7bd826b7a1c65ad222cefa93d7967f2a11f90fd400aa046a5a96ec60cff1a05.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
Resource
win10v2004-20240426-en
General
-
Target
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
-
Size
476KB
-
MD5
eb39a2b3c68d99216a38cb0593f82005
-
SHA1
c50ccd4606ad7793cd469ceb9609974f942778f9
-
SHA256
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009
-
SHA512
87c900f447fc115cb79ff8597fa01705ffe8bba0bfe7a8b42a51ff69a949f9d67c13ff9240946aa9d300c90ef397488762563ebb0e1120463602708d996e03db
-
SSDEEP
12288:VMrAy90EDRCEym1LQ9KRwEXYp7G9TnJQ3Ckltu3:JytRtZQ9KqEABg3
Malware Config
Extracted
amadey
3.87
59b440
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral12/files/0x0007000000023268-24.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral12/files/0x0007000000023265-27.dat family_redline behavioral12/memory/4584-29-0x0000000000510000-0x0000000000540000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation r0197039.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation saves.exe -
Executes dropped EXE 7 IoCs
pid Process 4044 z5934724.exe 3376 r0197039.exe 3484 saves.exe 4060 s5597958.exe 4584 t4662464.exe 4764 saves.exe 4836 saves.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z5934724.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3224 schtasks.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 112 wrote to memory of 4044 112 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe 92 PID 112 wrote to memory of 4044 112 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe 92 PID 112 wrote to memory of 4044 112 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe 92 PID 4044 wrote to memory of 3376 4044 z5934724.exe 93 PID 4044 wrote to memory of 3376 4044 z5934724.exe 93 PID 4044 wrote to memory of 3376 4044 z5934724.exe 93 PID 3376 wrote to memory of 3484 3376 r0197039.exe 94 PID 3376 wrote to memory of 3484 3376 r0197039.exe 94 PID 3376 wrote to memory of 3484 3376 r0197039.exe 94 PID 4044 wrote to memory of 4060 4044 z5934724.exe 95 PID 4044 wrote to memory of 4060 4044 z5934724.exe 95 PID 4044 wrote to memory of 4060 4044 z5934724.exe 95 PID 112 wrote to memory of 4584 112 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe 96 PID 112 wrote to memory of 4584 112 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe 96 PID 112 wrote to memory of 4584 112 9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe 96 PID 3484 wrote to memory of 3224 3484 saves.exe 97 PID 3484 wrote to memory of 3224 3484 saves.exe 97 PID 3484 wrote to memory of 3224 3484 saves.exe 97 PID 3484 wrote to memory of 4640 3484 saves.exe 99 PID 3484 wrote to memory of 4640 3484 saves.exe 99 PID 3484 wrote to memory of 4640 3484 saves.exe 99 PID 4640 wrote to memory of 548 4640 cmd.exe 101 PID 4640 wrote to memory of 548 4640 cmd.exe 101 PID 4640 wrote to memory of 548 4640 cmd.exe 101 PID 4640 wrote to memory of 3964 4640 cmd.exe 102 PID 4640 wrote to memory of 3964 4640 cmd.exe 102 PID 4640 wrote to memory of 3964 4640 cmd.exe 102 PID 4640 wrote to memory of 772 4640 cmd.exe 103 PID 4640 wrote to memory of 772 4640 cmd.exe 103 PID 4640 wrote to memory of 772 4640 cmd.exe 103 PID 4640 wrote to memory of 4052 4640 cmd.exe 104 PID 4640 wrote to memory of 4052 4640 cmd.exe 104 PID 4640 wrote to memory of 4052 4640 cmd.exe 104 PID 4640 wrote to memory of 4088 4640 cmd.exe 105 PID 4640 wrote to memory of 4088 4640 cmd.exe 105 PID 4640 wrote to memory of 4088 4640 cmd.exe 105 PID 4640 wrote to memory of 1436 4640 cmd.exe 106 PID 4640 wrote to memory of 1436 4640 cmd.exe 106 PID 4640 wrote to memory of 1436 4640 cmd.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe"C:\Users\Admin\AppData\Local\Temp\9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5934724.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0197039.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F5⤵
- Creates scheduled task(s)
PID:3224
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:548
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"6⤵PID:3964
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E6⤵PID:772
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4052
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"6⤵PID:4088
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E6⤵PID:1436
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s5597958.exe3⤵
- Executes dropped EXE
PID:4060
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4662464.exe2⤵
- Executes dropped EXE
PID:4584
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:696
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:4764
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:4836
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD5ee9b4f0c162d2daa941050ab28499d58
SHA118ada0317d2aa4b1446f0ee4ab6f008c513efa0e
SHA2565a1202d3c20b0701f7a5c8f95431f5836ff2ac3958508fd32b2a9cfff3e013aa
SHA512056f38c7a1ca30985b2d8e8d4c0d3f9eae742476e71f572b36a26f40417ac989705456259fa71bb64f4b6da2a139cfc3987ea8fee653cbf93f4cb9aaf8fa8a8b
-
Filesize
320KB
MD547966dd7fc1929878cb7fec97ba46736
SHA170b2b993bcfed20db87549635cb3d333ed442c9b
SHA256a17608af12c75b7086160347860c305a4d6b972f59003a1a32dfc0944f59b5be
SHA5123367d77ee57e831554a317f74c35854c41bc4de251d5de29b4994f7a988ce44c46ff74ebdbf86a1f8e88094a3188711a129cb9e6ddd8e16446b1648f591fb8a6
-
Filesize
337KB
MD5b11b64c53b6dafda0597379aa918212a
SHA18f10a2e0747799ece273508956c7829dd84b96dc
SHA256a8b1de07b3dcaf27a2c37493054ea9b84d53bb39ab24dcb5ec00fc17a48a8602
SHA51202dfb9d333db53cd5dd67ab6069d9161a025ebd9a5856f4a6775c15849dafc5b492a04cc4cc995174b027b8989d9f9dc502c6997c0f513fc364573d3d9fa6850
-
Filesize
142KB
MD5f353dd9e5ffac243ec089584fb80a650
SHA15f36dbc06d2bf9b99aebe1aff740f39d8f320a00
SHA2562518994c7c3b1c100264cedb61df7f96495917883f2a7c7d18e46f3fcca5f390
SHA512839f3d00a144f956e178865ecddc1439dda8562ffac0072682cb89588a6473cea77ed71b637400b9203aedc4641cbce872675b12eb8b6ae45de0b9e3d03f6ecd