Overview
overview
10Static
static
30848e1e7e1...63.exe
windows10-2004-x64
101106a57fdf...a5.exe
windows10-2004-x64
10185a521367...e2.exe
windows10-2004-x64
101a2ed241f7...81.exe
windows10-2004-x64
103933af1a19...66.exe
windows10-2004-x64
104046412564...e5.exe
windows10-2004-x64
1048b2c44ad3...cf.exe
windows10-2004-x64
106fdb50a007...59.exe
windows10-2004-x64
10708b7d578b...65.exe
windows10-2004-x64
1073dc042440...3f.exe
windows10-2004-x64
109a45e9c206...55.exe
windows10-2004-x64
109a8f8e9a46...09.exe
windows10-2004-x64
109ab135934b...fe.exe
windows10-2004-x64
10ab010a807d...38.exe
windows10-2004-x64
10b85fd724a0...c4.exe
windows10-2004-x64
10d940f9b9c6...49.exe
windows10-2004-x64
10dc87cba915...e1.exe
windows10-2004-x64
10e7bd826b7a...05.exe
windows10-2004-x64
10ffbf9f9530...19.exe
windows10-2004-x64
10Analysis
-
max time kernel
134s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:40
Static task
static1
Behavioral task
behavioral1
Sample
0848e1e7e128d7f1f97806b2608b355879b602ba08e121497f133be212790f63.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1a2ed241f75ba217ad63fa42ab55e56d8f009f93b151dd367b73459e26169081.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
3933af1a190b049a02aad532333dad6c4862e46b510cc0ec5184873641cc3166.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
48b2c44ad346117214bc572f969741dfa0acfcd1fc6e23b00cdeb324c9f00fcf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
ab010a807d239acb2941ec42032df7751afe90303b101088fee9d258794e4a38.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b85fd724a0f0185fdd32093b1f07f4f209b862b9406e12882311cd820c17cac4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
dc87cba915fb6101c577a0531cedb5d304be24abd22d9faa34b7a606ccc5f8e1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e7bd826b7a1c65ad222cefa93d7967f2a11f90fd400aa046a5a96ec60cff1a05.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
Resource
win10v2004-20240426-en
General
-
Target
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
-
Size
761KB
-
MD5
216c4829a35a74ecacf925e3d47f46cc
-
SHA1
3792b2f30a7237382361cae16251ced767d973fd
-
SHA256
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5
-
SHA512
c4ac9a5edd6200a7734a5fc2048ab52d974516e3a8607c3113dd38fca253adf6aee950b9adaa06ee9b923eeb694c8f2899790eaa19d8b995102473229c8adf15
-
SSDEEP
12288:LMrdy90rTPMHf9/WOfbJ2lkpZUAHwTHOXSVAsAwCGPjcfMgNLW7Wnbq9KsHfo:GyGPMHfp3DJppmAaHOXcMijcfMg1Wosw
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral6/memory/1816-14-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral6/memory/1816-18-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral6/memory/1816-20-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral6/memory/1816-17-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral6/files/0x0007000000023538-16.dat family_redline behavioral6/memory/2264-22-0x0000000000160000-0x000000000019E000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 2532 BE0Oy8Td.exe 632 1qj07gX3.exe 2264 2Tu073Gd.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" BE0Oy8Td.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 632 set thread context of 1816 632 1qj07gX3.exe 93 -
Program crash 1 IoCs
pid pid_target Process procid_target 4932 1816 WerFault.exe 93 -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 3584 wrote to memory of 2532 3584 404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe 90 PID 3584 wrote to memory of 2532 3584 404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe 90 PID 3584 wrote to memory of 2532 3584 404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe 90 PID 2532 wrote to memory of 632 2532 BE0Oy8Td.exe 91 PID 2532 wrote to memory of 632 2532 BE0Oy8Td.exe 91 PID 2532 wrote to memory of 632 2532 BE0Oy8Td.exe 91 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 632 wrote to memory of 1816 632 1qj07gX3.exe 93 PID 2532 wrote to memory of 2264 2532 BE0Oy8Td.exe 94 PID 2532 wrote to memory of 2264 2532 BE0Oy8Td.exe 94 PID 2532 wrote to memory of 2264 2532 BE0Oy8Td.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe"C:\Users\Admin\AppData\Local\Temp\404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3584 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BE0Oy8Td.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BE0Oy8Td.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qj07gX3.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1qj07gX3.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:1816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 5405⤵
- Program crash
PID:4932
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Tu073Gd.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Tu073Gd.exe3⤵
- Executes dropped EXE
PID:2264
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1816 -ip 18161⤵PID:2040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:81⤵PID:2620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
565KB
MD547f6def103d025da62719ad1dfbdf553
SHA17eac9c64389618e85e2d4232c151c43da44b2252
SHA25602095c8ea70d9ef8f9f6f084e65f54c1154e3bf40463b149dab1796b76001025
SHA5121be9f122d37e7f59acb25cfcf863e67094e0ed030b7faa6efea91272376702c7fef91542265024d94a1988754f21f53eda9882ca4b8356befa7b09da476cb29d
-
Filesize
1.1MB
MD5ddc7b24fd3ceb2a26b44d3fd4e7de888
SHA18b4f5929bf345b6393747480d4287ded2bf0a4f4
SHA25610acf9580ebdc269ec8006e664151e59bc923256a5d2dc180796bb3ac2fc5e6a
SHA512b6cf9c95a29dcfdffd121e2bdbffa5efde937b45217a697af331557ee7a6b387e80c3c6924bc6e168507c8184743c929f934190f1dcb923e9d6d7c6aba0e5fb6
-
Filesize
222KB
MD5fe8e9374126fb44db5e22c1bb457879a
SHA146536277ab6e785683e9936a49141887cbb47919
SHA2567e96e339a8a9f1bbf8a3c2cfa4ba0b691681761315684f78b15a5551828510a9
SHA512fe2efff14904134e52fb6fb43448f4b21f696e194b15208981d0712011a728444852ddf0c8e0523c831b9d3be1133f455e1457c219e85a003020c41b979d5254