Overview
overview
10Static
static
306f1b755da...d3.exe
windows10-2004-x64
1014b33a31c1...19.exe
windows10-2004-x64
1016f3c19a7f...1a.exe
windows10-2004-x64
10192ce44be6...d3.exe
windows10-2004-x64
10208bd49be4...cf.exe
windows10-2004-x64
102ae8e0e720...19.exe
windows10-2004-x64
102b74e820a6...32.exe
windows10-2004-x64
10396631ba37...a0.exe
windows10-2004-x64
10777259b2de...25.exe
windows10-2004-x64
107f06170b1d...e6.exe
windows10-2004-x64
1080f9db3963...66.exe
windows10-2004-x64
108d2837f05f...42.exe
windows10-2004-x64
109a7ee6b801...e4.exe
windows10-2004-x64
109c8e4ed081...a3.exe
windows10-2004-x64
10a68c5e94f5...52.exe
windows10-2004-x64
10aaed2c62a2...28.exe
windows10-2004-x64
10e097574588...fe.exe
windows10-2004-x64
10e256d9f4b9...eb.exe
windows10-2004-x64
10f02caa1867...71.exe
windows10-2004-x64
10f7447a8c0b...af.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 09:54
Static task
static1
Behavioral task
behavioral1
Sample
06f1b755da951fcf461e1c619e531208a68c60a692e3a2869f7207254aaea1d3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
14b33a31c14eae72ffc4a46234312cb8185f3b8d087a90be3174c01ccc3efe19.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
16f3c19a7f77c85baa3e8093067307517cb39818cb998de30b713a8353835c1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
192ce44be6557d6d98a2de008c00df07b0f5063ea96bbd2751389b1f82c5f6d3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
2ae8e0e7200682b017c2fa4be81c84b2547e0238ade702b5112641b6b336bc19.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2b74e820a68dd1debb652cc1750992f001f4f19c4e98e9c2bbce0139f6c42f32.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
396631ba370acc38e6f62756cecd042fc99d8150beb80483127f81430d279ca0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
7f06170b1d7c15c8654c820aed9d163b0f686b8b747df4651e3c2d91e1e1bee6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
80f9db396349ffd316d40f58b12121eb8671e0af591fa231cd1037ed80d55c66.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
8d2837f05ff43bc5c5c3734eb685c39e3ff19b27d50659b45d8404272838cc42.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9c8e4ed08188524a9beb39dfd35cc3c50ed0a6344464afcdff53746ddccee6a3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
a68c5e94f561ee7f4e5edc6e64db2ccc6083a9a34acd478da0b5a3003a233e52.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
aaed2c62a2146133d41a2c878d138f90f6fd57a1173b0784f6516128378b0e28.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
e0975745886991171c59c0c9a7b781238f54c7dbc7be68e29315487b94f3cafe.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
f02caa18679b8af0e356c5ecf5b840b3c4f001b4c623c0cf33686d9cf4111871.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f7447a8c0bbf4733ba4bef9129e0bcb98bcfe4fd1b57d2ec4e9349b333329aaf.exe
Resource
win10v2004-20240508-en
General
-
Target
777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe
-
Size
758KB
-
MD5
58a76a83d31f69b1e0993a815a2517e0
-
SHA1
6ceac1337bc5e2da34b589f7576afb4a51418b68
-
SHA256
777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025
-
SHA512
a8971952932e832df09dc342f815a4fba0b70c2cfc749f75da4f637aec932ca65ea2d208ef6f21ffc27110ecd6208bb5249404f79c7b02ddd7a3f9531a347c22
-
SSDEEP
12288:fMrcy90nMThj98Ro0z8P0OUqXZhvGzDVhhtiGCUg5P8+zgdHQOPdJiYa7:byn5ORSLZJ8pdlCLkHZdJxU
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral9/memory/2032-14-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral9/memory/2032-15-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral9/memory/2032-18-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral9/memory/2032-16-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral9/files/0x0007000000023408-21.dat family_redline behavioral9/memory/3348-22-0x0000000000DA0000-0x0000000000DDE000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 2896 va5hN1eu.exe 772 1bD86lT3.exe 3348 2No696lW.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" va5hN1eu.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 772 set thread context of 2032 772 1bD86lT3.exe 87 -
Program crash 1 IoCs
pid pid_target Process procid_target 4804 2032 WerFault.exe 87 -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2896 2532 777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe 82 PID 2532 wrote to memory of 2896 2532 777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe 82 PID 2532 wrote to memory of 2896 2532 777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe 82 PID 2896 wrote to memory of 772 2896 va5hN1eu.exe 83 PID 2896 wrote to memory of 772 2896 va5hN1eu.exe 83 PID 2896 wrote to memory of 772 2896 va5hN1eu.exe 83 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 772 wrote to memory of 2032 772 1bD86lT3.exe 87 PID 2896 wrote to memory of 3348 2896 va5hN1eu.exe 89 PID 2896 wrote to memory of 3348 2896 va5hN1eu.exe 89 PID 2896 wrote to memory of 3348 2896 va5hN1eu.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe"C:\Users\Admin\AppData\Local\Temp\777259b2de1e73f2f79c2edbd0a7a6b94de34bca7c3376f8e9aae8a4e44be025.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\va5hN1eu.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\va5hN1eu.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bD86lT3.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1bD86lT3.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 5405⤵
- Program crash
PID:4804
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2No696lW.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2No696lW.exe3⤵
- Executes dropped EXE
PID:3348
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2032 -ip 20321⤵PID:1968
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
562KB
MD5e79bd5cd8381f56d32b28cdab48d2991
SHA1f2680006c968b8e9eaed7bf60cf9b821ad1a1398
SHA256ff4a180f04ee21e4a151def1557b612e45885eb048b6a1cdd718fba705ac7c1c
SHA51247dd0a446629ffa65238649ff87d64d0ea9377594afbe000bd38bb7f5f70d636b2315538d964d2e27b3c22e957dfafdfad51fdb2bb6b47b27fda8f49c843f47f
-
Filesize
1.1MB
MD57c92fb26f9d2384d40642d36e2976a34
SHA1ca182f885717d66e2e4335f9d46194bac13623bb
SHA2566908cb34302f507d0c713bb2fa6094e60b8c2e89e0cc451dc76c27312ae75560
SHA512490e5c728f46fc20dd2c575c8fbbfb033c351ee4c16f3fc08aafc11677431bcfc433e5a1b20216a67c3cf5d4edee53f9488bc0eca018bd5e2365cb6e4c51422f
-
Filesize
222KB
MD58c03a01326943a092d0457b1c8ea2653
SHA1004ee5ff6e6822313ce2e5cc149e1649f86bf724
SHA2562d0ec17438e9faaac3713edc628143cbddf4e21fac33696800c08eb8227e3b1c
SHA512ab17d27e8bb9c10156f5650339a31e827b7e0bc4a56e067e822ad2b1a97abbefb795acaae72b29177ef712f20b2b12cd9f3f668952a841323a183e0cd151b748