Overview
overview
10Static
static
30848e1e7e1...63.exe
windows10-2004-x64
101106a57fdf...a5.exe
windows10-2004-x64
10185a521367...e2.exe
windows10-2004-x64
101a2ed241f7...81.exe
windows10-2004-x64
103933af1a19...66.exe
windows10-2004-x64
104046412564...e5.exe
windows10-2004-x64
1048b2c44ad3...cf.exe
windows10-2004-x64
106fdb50a007...59.exe
windows10-2004-x64
10708b7d578b...65.exe
windows10-2004-x64
1073dc042440...3f.exe
windows10-2004-x64
109a45e9c206...55.exe
windows10-2004-x64
109a8f8e9a46...09.exe
windows10-2004-x64
109ab135934b...fe.exe
windows10-2004-x64
10ab010a807d...38.exe
windows10-2004-x64
10b85fd724a0...c4.exe
windows10-2004-x64
10d940f9b9c6...49.exe
windows10-2004-x64
10dc87cba915...e1.exe
windows10-2004-x64
10e7bd826b7a...05.exe
windows10-2004-x64
10ffbf9f9530...19.exe
windows10-2004-x64
10Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:40
Static task
static1
Behavioral task
behavioral1
Sample
0848e1e7e128d7f1f97806b2608b355879b602ba08e121497f133be212790f63.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1106a57fdfdae9114d2bb44bdacc87ca3cae04161d58f6a7da3ec41e1aa098a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
185a521367840914ea4a144255106961422396c5ca90144e322e12b70a4598e2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1a2ed241f75ba217ad63fa42ab55e56d8f009f93b151dd367b73459e26169081.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
3933af1a190b049a02aad532333dad6c4862e46b510cc0ec5184873641cc3166.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
404641256449db604d1af955269cb455aa5a4441ca5e7f6276ca15f5886535e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
48b2c44ad346117214bc572f969741dfa0acfcd1fc6e23b00cdeb324c9f00fcf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
73dc042440fa05b66d753f67af4b8f08d529e3c6a45d57710b9b74505441e13f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
9a8f8e9a46ecd10ddf934650a91f96319970ec135841d45623f9d76ab3171009.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
9ab135934b017c0850bc323f91ac4cecbc3640903406ed3576ec0747ded9e6fe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
ab010a807d239acb2941ec42032df7751afe90303b101088fee9d258794e4a38.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b85fd724a0f0185fdd32093b1f07f4f209b862b9406e12882311cd820c17cac4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
d940f9b9c60fd13aa5272fd2a69f035a8a08c097f0ed72b29431278d2fc4a849.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
dc87cba915fb6101c577a0531cedb5d304be24abd22d9faa34b7a606ccc5f8e1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e7bd826b7a1c65ad222cefa93d7967f2a11f90fd400aa046a5a96ec60cff1a05.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
ffbf9f9530a3dc84123d1e676feb925ea3c13cf2876d58672bb23f55afe1ba19.exe
Resource
win10v2004-20240426-en
General
-
Target
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe
-
Size
913KB
-
MD5
dca929d746fbc57599fd90882325f030
-
SHA1
c3374249560ea2019d57b288aef67906e1c5285e
-
SHA256
708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165
-
SHA512
617458913f5dfb76ed23c605c772a8da48f6905df2f2b46077dc810310d29ba64a334a455f360b815eab93cbf2130fe84ec8177fe099775f45319f9ba0a0896a
-
SSDEEP
24576:YyS5nbWGFJT6uokW0rDd4Q1LG//kXs60r31PeC7:fS5rJ91rDqv/vhrlPeC
Malware Config
Extracted
redline
luate
77.91.124.55:19071
-
auth_value
e45cd419aba6c9d372088ffe5629308b
Signatures
-
Detect Mystic stealer payload 3 IoCs
resource yara_rule behavioral9/memory/4872-31-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral9/memory/4872-29-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral9/memory/4872-28-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral9/files/0x000700000002343d-33.dat family_redline behavioral9/memory/2532-35-0x00000000004A0000-0x00000000004D0000-memory.dmp family_redline -
Executes dropped EXE 5 IoCs
pid Process 2972 x6027404.exe 760 x8648009.exe 1068 x7587581.exe 5008 g7829261.exe 2532 h9973163.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x7587581.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x6027404.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x8648009.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5008 set thread context of 4872 5008 g7829261.exe 91 -
Program crash 1 IoCs
pid pid_target Process procid_target 3824 5008 WerFault.exe 86 -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 4520 wrote to memory of 2972 4520 708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe 83 PID 4520 wrote to memory of 2972 4520 708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe 83 PID 4520 wrote to memory of 2972 4520 708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe 83 PID 2972 wrote to memory of 760 2972 x6027404.exe 84 PID 2972 wrote to memory of 760 2972 x6027404.exe 84 PID 2972 wrote to memory of 760 2972 x6027404.exe 84 PID 760 wrote to memory of 1068 760 x8648009.exe 85 PID 760 wrote to memory of 1068 760 x8648009.exe 85 PID 760 wrote to memory of 1068 760 x8648009.exe 85 PID 1068 wrote to memory of 5008 1068 x7587581.exe 86 PID 1068 wrote to memory of 5008 1068 x7587581.exe 86 PID 1068 wrote to memory of 5008 1068 x7587581.exe 86 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 5008 wrote to memory of 4872 5008 g7829261.exe 91 PID 1068 wrote to memory of 2532 1068 x7587581.exe 95 PID 1068 wrote to memory of 2532 1068 x7587581.exe 95 PID 1068 wrote to memory of 2532 1068 x7587581.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe"C:\Users\Admin\AppData\Local\Temp\708b7d578b1052d5139aa1c7696980dfbb558c7f9d79340c923242e497b33165.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6027404.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6027404.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8648009.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8648009.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7587581.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7587581.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829261.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g7829261.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵PID:4872
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1566⤵
- Program crash
PID:3824
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9973163.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9973163.exe5⤵
- Executes dropped EXE
PID:2532
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5008 -ip 50081⤵PID:772
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
811KB
MD50f07669b66ccd6f1c5b6963f5b2ae9c5
SHA17bc3abee80209cb52c6038384c68b08acb8f3409
SHA2566411b0e276fb83489e6a1e08731c098ca266c966a559540423dc38dc9fc78a80
SHA5124e18cc4b7253f7744c46b6c9ee9f49691de33caf68ced924c0bd63909a5ab760d4e00c423f1fe1c0d8ec5c83bbc5ea5db13647b359e577265ce0cae8205492a0
-
Filesize
547KB
MD5937152ca3f53ce0c68efef8378127450
SHA10508eb52806c614292f04bc92c2024f2c6b84217
SHA2567c03fd4242f4f647db931ae650423889bee86792511f847926e0251c2021e388
SHA5128168ce723e016bafad741e3224df03761db8d6f95056c0042d2451fc03186a92a2c1aece4f82b108b0d85ba49d1a7215cd185ff053753f2d52e490e92e6812c3
-
Filesize
381KB
MD5b0d4c42d0c0eeb5598e4c668adb22f40
SHA1fa243292e93f73b013a14e722a3da2496c43c524
SHA2564e4a2f964c1de3ff4cf11aed792c50f44f925c8a832f8541199ffb4d66c676c7
SHA512a038bbd7a3e8033953da7ca2c3a3dbccd4f73c3cbb3a003e99b6aca84db3d2ecb538e81adc2e2551c3b760b903579634f3a9d06481b1cab7753af1f5e3b071f6
-
Filesize
346KB
MD5b9430811c94b808e8a839ef6890dfe1b
SHA15cd0e206c73ab70af97f3321fc8a9510b47f0014
SHA2567114377f2f4b5894838ed771629756d80d1b8f43e6f63ec40cd80b388e6e6b18
SHA5124888c48ba0529f179903b7d5c3777dba750abbd8112afe8e4ca485a84fd1d84fd66a8c754d5c52e1265caa1266cd6ac1c670f8524abb4f91f820db2bdbf30681
-
Filesize
174KB
MD544aafdaf9e850b9a6dc4e45c4785ca43
SHA17cfb5cc8dc4061ac8255a0f4f65c3286bf42b767
SHA256f6d36a04b311f0f39a0060d0a615cefb9e13fe90461b2dcd89e0a0757cc836d5
SHA512534b568e5ff13f0b35761a3dcb9fc9a0f9188597af30472ef81eda4b9b83b095d702cc302eadae89dd84fb05cdbce501361cf096c4696a74448e0c1122744e8c