Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 09:54

General

  • Target

    777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe

  • Size

    758KB

  • MD5

    58a76a83d31f69b1e0993a815a2517e0

  • SHA1

    6ceac1337bc5e2da34b589f7576afb4a51418b68

  • SHA256

    777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025

  • SHA512

    a8971952932e832df09dc342f815a4fba0b70c2cfc749f75da4f637aec932ca65ea2d208ef6f21ffc27110ecd6208bb5249404f79c7b02ddd7a3f9531a347c22

  • SSDEEP

    12288:fMrcy90nMThj98Ro0z8P0OUqXZhvGzDVhhtiGCUg5P8+zgdHQOPdJiYa7:byn5ORSLZJ8pdlCLkHZdJxU

Malware Config

Extracted

Family

redline

Botnet

kinza

C2

77.91.124.86:19084

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe
    "C:\Users\Admin\AppData\Local\Temp\777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\va5hN1eu.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\va5hN1eu.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bD86lT3.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bD86lT3.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2032
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 540
              5⤵
              • Program crash
              PID:4804
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2No696lW.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2No696lW.exe
          3⤵
          • Executes dropped EXE
          PID:3348
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2032 -ip 2032
      1⤵
        PID:1968

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    Boot or Logon Autostart Execution: T1547 (1)
    Registry Run Keys / Startup Folder: T1547.001 (1)
  • Privilege Escalation
    Boot or Logon Autostart Execution: T1547 (1)
    Registry Run Keys / Startup Folder: T1547.001 (1)
  • Defense Evasion
    Modify Registry: T1112 (1)


Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\va5hN1eu.exe
        Filesize

        562KB

        MD5

        e79bd5cd8381f56d32b28cdab48d2991

        SHA1

        f2680006c968b8e9eaed7bf60cf9b821ad1a1398

        SHA256

        ff4a180f04ee21e4a151def1557b612e45885eb048b6a1cdd718fba705ac7c1c

        SHA512

        47dd0a446629ffa65238649ff87d64d0ea9377594afbe000bd38bb7f5f70d636b2315538d964d2e27b3c22e957dfafdfad51fdb2bb6b47b27fda8f49c843f47f

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bD86lT3.exe
        Filesize

        1.1MB

        MD5

        7c92fb26f9d2384d40642d36e2976a34

        SHA1

        ca182f885717d66e2e4335f9d46194bac13623bb

        SHA256

        6908cb34302f507d0c713bb2fa6094e60b8c2e89e0cc451dc76c27312ae75560

        SHA512

        490e5c728f46fc20dd2c575c8fbbfb033c351ee4c16f3fc08aafc11677431bcfc433e5a1b20216a67c3cf5d4edee53f9488bc0eca018bd5e2365cb6e4c51422f

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2No696lW.exe
        Filesize

        222KB

        MD5

        8c03a01326943a092d0457b1c8ea2653

        SHA1

        004ee5ff6e6822313ce2e5cc149e1649f86bf724

        SHA256

        2d0ec17438e9faaac3713edc628143cbddf4e21fac33696800c08eb8227e3b1c

        SHA512

        ab17d27e8bb9c10156f5650339a31e827b7e0bc4a56e067e822ad2b1a97abbefb795acaae72b29177ef712f20b2b12cd9f3f668952a841323a183e0cd151b748

      • memory/2032-14-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

      • memory/2032-15-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

      • memory/2032-18-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

      • memory/2032-16-0x0000000000400000-0x0000000000434000-memory.dmp
        Filesize

        208KB

      • memory/3348-23-0x0000000007FF0000-0x0000000008594000-memory.dmp
        Filesize

        5.6MB

      • memory/3348-22-0x0000000000DA0000-0x0000000000DDE000-memory.dmp
        Filesize

        248KB

      • memory/3348-24-0x0000000007B20000-0x0000000007BB2000-memory.dmp
        Filesize

        584KB

      • memory/3348-25-0x0000000005110000-0x000000000511A000-memory.dmp
        Filesize

        40KB

      • memory/3348-26-0x0000000008BC0000-0x00000000091D8000-memory.dmp
        Filesize

        6.1MB

      • memory/3348-27-0x0000000007EB0000-0x0000000007FBA000-memory.dmp
        Filesize

        1.0MB

      • memory/3348-28-0x0000000007D60000-0x0000000007D72000-memory.dmp
        Filesize

        72KB

      • memory/3348-29-0x0000000007DE0000-0x0000000007E1C000-memory.dmp
        Filesize

        240KB

      • memory/3348-30-0x0000000007E20000-0x0000000007E6C000-memory.dmp
        Filesize

        304KB