Overview
Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 09:54
Static task: static1

Behavioral tasks (task: sample, resource)

behavioral1: 06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe (win10v2004-20240426-en)
behavioral2: 14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe (win10v2004-20240508-en)
behavioral3: 16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe (win10v2004-20240426-en)
behavioral4: 192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3.exe (win10v2004-20240508-en)
behavioral5: 208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe (win10v2004-20240226-en)
behavioral6: 2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe (win10v2004-20240426-en)
behavioral7: 2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe (win10v2004-20240508-en)
behavioral8: 396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe (win10v2004-20240426-en)
behavioral9: 777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe (win10v2004-20240508-en)
behavioral10: 7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe (win10v2004-20240426-en)
behavioral11: 80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe (win10v2004-20240508-en)
behavioral12: 8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe (win10v2004-20240426-en)
behavioral13: 9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe (win10v2004-20240508-en)
behavioral14: 9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe (win10v2004-20240426-en)
behavioral15: a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe (win10v2004-20240508-en)
behavioral16: aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe (win10v2004-20240426-en)
behavioral17: e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe (win10v2004-20240508-en)
behavioral18: e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe (win10v2004-20240426-en)
behavioral19: f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe (win10v2004-20240508-en)
behavioral20: f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe (win10v2004-20240508-en)
General

Target: f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe
Size: 912KB
MD5: e9b14be79a6909ca38f58170004f3cdd
SHA1: b00c579790015e8312c932100446631bac44ae79
SHA256: f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871
SHA512: f40e080f0d45ea975a223a017af846ab7b28a50ef55a44cf3c25fe708008d5e89a21913192da271001c5589b339e8ee1e27aa3d8820ea93cb383680c4d3f1115
SSDEEP: 24576:6yqPzRmBHa4Zyi7tOIfXl93jr+Du4dk1j:Bq8aFaNPzIu40
Malware Config

Extracted
Family: redline
Botnet: luate
C2: 77.91.124.55:19071
Attributes: auth_value = e45cd419aba6c9d372088ffe5629308b
Signatures

Detect Mystic stealer payload (3 IoCs)
resource | yara_rule
behavioral19/memory/1288-28-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
behavioral19/memory/1288-31-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
behavioral19/memory/1288-29-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral19/files/0x00070000000233f0-33.dat | family_redline
behavioral19/memory/3688-35-0x0000000000A40000-0x0000000000A70000-memory.dmp | family_redline

Executes dropped EXE (5 IoCs)
pid | Process
2820 | x7266531.exe
4644 | x1568463.exe
4388 | x9099077.exe
3064 | g4219675.exe
3688 | h0750968.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x7266531.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x1568463.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x9099077.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3064 set thread context of 1288 | 3064 | g4219675.exe | 90

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3344 | 3064 | WerFault.exe | 86

Suspicious use of WriteProcessMemory (25 IoCs)
description | pid | Process | procid_target
PID 4452 wrote to memory of 2820 | 4452 | f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe | 83
PID 4452 wrote to memory of 2820 | 4452 | f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe | 83
PID 4452 wrote to memory of 2820 | 4452 | f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe | 83
PID 2820 wrote to memory of 4644 | 2820 | x7266531.exe | 84
PID 2820 wrote to memory of 4644 | 2820 | x7266531.exe | 84
PID 2820 wrote to memory of 4644 | 2820 | x7266531.exe | 84
PID 4644 wrote to memory of 4388 | 4644 | x1568463.exe | 85
PID 4644 wrote to memory of 4388 | 4644 | x1568463.exe | 85
PID 4644 wrote to memory of 4388 | 4644 | x1568463.exe | 85
PID 4388 wrote to memory of 3064 | 4388 | x9099077.exe | 86
PID 4388 wrote to memory of 3064 | 4388 | x9099077.exe | 86
PID 4388 wrote to memory of 3064 | 4388 | x9099077.exe | 86
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 3064 wrote to memory of 1288 | 3064 | g4219675.exe | 90
PID 4388 wrote to memory of 3688 | 4388 | x9099077.exe | 95
PID 4388 wrote to memory of 3688 | 4388 | x9099077.exe | 95
PID 4388 wrote to memory of 3688 | 4388 | x9099077.exe | 95
Processes (indentation shows depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe"
  PID: 4452
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7266531.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7266531.exe
    PID: 2820
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1568463.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1568463.exe
      PID: 4644
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9099077.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9099077.exe
        PID: 4388
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4219675.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4219675.exe
          PID: 3064
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID: 1288

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 136
            PID: 3344
            - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0750968.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0750968.exe
          PID: 3688
          - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3064 -ip 3064
  PID: 1112
Downloads (dropped files)

Filesize: 810KB
MD5: 6171aa0144fda3e719c89aab628ec508
SHA1: e64177cc7bbeb1549281b4462c7850e5f01adf4e
SHA256: 4aef90392bbd474e5bedb860c9d721d28c65cba2b23025678dfeb8309a769634
SHA512: f93db930f7c046ac841fe3c656c792a80a3abdc2d94d5f226e9d1175a27f6f15f93e77ed9b452f4f93045ccfd753b687e8c5c805e5c87dbb479cd84cddb65c8a

Filesize: 547KB
MD5: 30f34f309e18ffb01d60d0e3039dbcaa
SHA1: f3d2d138a35679ab1fc75fdcff58e25710f5e44c
SHA256: 405a2bfafda43aa18c79bd58d0c675dbbc0609921bb257c4bc86a8d5c8e38efe
SHA512: 042c0b3326fde5813427da524b5b293413822a5828f72f9b17c785b3837ce5d8e15456f949ac6ba2115c31f49de6c3b281d8f0bc95aa7f6843f58717a9ada0f3

Filesize: 381KB
MD5: c719a50919a7715703f922fc70cc00d6
SHA1: d0989a6ee6dea2b65a70999fd9c6d78699d50470
SHA256: 7729e0884205725cbe7c86dc566e363fcf29afbe5521681f7c2bfc1b22087ee1
SHA512: 616feb50879917afd884f31c15992dff49692ed85462416f5991a3d19ae3fc0d9dd4a9ff2b5426938608a8e2b5eeff4d6d71cfc7600145e7bf2ee633e577cef5

Filesize: 346KB
MD5: fe1d5ad313e7f6621aa3c893e08cf494
SHA1: 0b9878c06d1825e51d9b413ba96e6be58935fcd6
SHA256: 9c716a6b50b1b967de579d688ef9c452ee22b746a5e7481f13fe2a1d763debd9
SHA512: 46b5f302b6ab7e155beb76228b5aa33dfbf9b88a75d5cd5dcec79793da6cc5398c4283e23cddfe143ec641b1a91a4001de484011023140a74340e34781469ead

Filesize: 174KB
MD5: 7921ed3b87eddc6b1977fdcee2877a09
SHA1: 559dafdf2f846cb09851f5d707bdd1200ef85fdc
SHA256: 4bf5bb9ad10950fc2396269bb4aaac2a5f4c76fa2901be4fa73a586cc72bd9b8
SHA512: 8b297c32b9d3672c93c172de00a76b3ee2d68648d0021f7a52ad4cc7a6e38dd720ce50cdd06161988d2812cd1ceca2ea3d52efa764b3adf441896a3407b74143