Analysis
-
max time kernel
139s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 09:42
General
-
Target
7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4.exe
-
Size
758KB
-
MD5
7bc7a630b99ec4f5cb33509167d30fde
-
SHA1
ee5c020cc75b7540d3a5e62fc42c7ae50f466688
-
SHA256
7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4
-
SHA512
ec1523aef1fdef867403b57b0b5d0623d7b4888785f815d69fbb6899ee9179e473d1500694a32d81a4a4cd4574559d888e9d189bdee9fad651f293db7ba77562
-
SSDEEP
12288:LMrey90q1dkxynN0p0WWoxYvlehFYk3ImYhABJyE846g5I57TSMQlOPDpg9avL1Q:Ry3eqN0pbxYvl4FZ33Bm/X57T7W0DpZ6
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4.exe"C:\Users\Admin\AppData\Local\Temp\7cac44d1ecd3f5639f33ee135e671d1baab428e0ead20f5eae7b4d2be71debc4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xv1UJ1re.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xv1UJ1re.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mY87nK9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1mY87nK9.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 5405⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2el999np.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2el999np.exe3⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1208 -ip 12081⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
561KB
MD5f02cbf025696f2c6ef6397a2121aef26
SHA1a9ee09ec4b3f29c104d859f4eabdefd9f264646d
SHA256496dc4cb94c63f5225849a34565f98698162a3efa046859f7c8c9219466b3f8c
SHA512958c7d62212a325b34a158cd43714171171a6f0d61926dd7f7b00340549ba7260c81874c5a4455c66525641d5624ecdeb906f3b14889fa6c7b2112e89120fe1d
-
Filesize
1.1MB
MD5ddb08d4dcd250a344da7b98e36cb278a
SHA10cf71361ea5fda75eaeccdf8ba10e81816fd8640
SHA256dcaff6dd963e502627f209945a23d1ba0569a752a5ce56768482e56fade576e5
SHA512ab1a7d9298009c67a574f727eb4a0e9aec4f3066b5e3e4584f0a4d9636a6122758ebedbedaa6e20b8a41042a5b13e1c15a831b2e7c8bc4f65ef733b784349c44
-
Filesize
222KB
MD5275f601a9ebc9f1d469ada1903fefa94
SHA1196000f4e1c9623090934bd10758eb2ab94e66d4
SHA256b3ca94e0e5f18d5faecd3c30b1fdf8e61b2f6fddf741e776d9998638d7f58b41
SHA51246cf0d6673709da5669302ccbebc46e23de98a64b55d9a2e497afc92522df1ea7c65e895bdf0a93a2f639e36c60669c139eb3ada5b3d440981cbce98e4ccccb7
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB