Overview
overview
10Static
static
30d301494f1...b9.exe
windows10-2004-x64
1017123cde24...76.exe
windows10-2004-x64
103513e5a1be...0b.exe
windows10-2004-x64
103548eb3ee0...c3.exe
windows10-2004-x64
1037bb007e1a...b5.exe
windows10-2004-x64
103b8019115c...d8.exe
windows10-2004-x64
103ba16fdd2a...8a.exe
windows10-2004-x64
103c47d4d72a...e8.exe
windows10-2004-x64
105598d9028e...fd.exe
windows7-x64
105598d9028e...fd.exe
windows10-2004-x64
105d95f47641...f4.exe
windows10-2004-x64
1061d857a524...a5.exe
windows10-2004-x64
1064f004d4a2...36.exe
windows10-2004-x64
107787b07a17...49.exe
windows10-2004-x64
107cc3996906...7e.exe
windows10-2004-x64
10825d0619a8...ce.exe
windows10-2004-x64
109e6f3fd3f7...c2.exe
windows10-2004-x64
10a49c96afc3...92.exe
windows10-2004-x64
10e2945d600c...9e.exe
windows10-2004-x64
10eb8cedd00b...3b.exe
windows10-2004-x64
10f9bdee7f3d...5b.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral14
Sample
7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
Resource
win10v2004-20240426-en
General
-
Target
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
-
Size
879KB
-
MD5
7a5928cb075392ea164a53fdd5b3afd0
-
SHA1
2f29f7ea3d22abe93dcbe754afd698abff05bede
-
SHA256
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92
-
SHA512
fef6e2d27d5bee66733ca4aad9115e3117f85d6d7e2f9c82cd9b41e1e0a63d8be04155931c06dcb556e6612ab675e135fc580c09d21e0f08820ff0173878dd26
-
SSDEEP
12288:DMroy90mBIeotMtXS+V3ROZtmWy0jZlcQyuTSWN/4zhr+Dn2h8iDFobRhjin:zylDiI3RLWN/6Jin25DGbRdin
Malware Config
Extracted
redline
lutyr
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
Processes:
resource yara_rule behavioral18/memory/5040-21-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral18/memory/5040-24-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral18/memory/5040-22-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exe family_redline behavioral18/memory/952-28-0x0000000000940000-0x000000000097E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
Processes:
nM5BX0Vg.exexC6GG2NC.exe1pn58wd0.exe2sx258dC.exepid process 2316 nM5BX0Vg.exe 1368 xC6GG2NC.exe 4564 1pn58wd0.exe 952 2sx258dC.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exenM5BX0Vg.exexC6GG2NC.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" nM5BX0Vg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" xC6GG2NC.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1pn58wd0.exedescription pid process target process PID 4564 set thread context of 5040 4564 1pn58wd0.exe AppLaunch.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4780 4564 WerFault.exe 1pn58wd0.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exenM5BX0Vg.exexC6GG2NC.exe1pn58wd0.exedescription pid process target process PID 4620 wrote to memory of 2316 4620 a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe nM5BX0Vg.exe PID 4620 wrote to memory of 2316 4620 a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe nM5BX0Vg.exe PID 4620 wrote to memory of 2316 4620 a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe nM5BX0Vg.exe PID 2316 wrote to memory of 1368 2316 nM5BX0Vg.exe xC6GG2NC.exe PID 2316 wrote to memory of 1368 2316 nM5BX0Vg.exe xC6GG2NC.exe PID 2316 wrote to memory of 1368 2316 nM5BX0Vg.exe xC6GG2NC.exe PID 1368 wrote to memory of 4564 1368 xC6GG2NC.exe 1pn58wd0.exe PID 1368 wrote to memory of 4564 1368 xC6GG2NC.exe 1pn58wd0.exe PID 1368 wrote to memory of 4564 1368 xC6GG2NC.exe 1pn58wd0.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 4564 wrote to memory of 5040 4564 1pn58wd0.exe AppLaunch.exe PID 1368 wrote to memory of 952 1368 xC6GG2NC.exe 2sx258dC.exe PID 1368 wrote to memory of 952 1368 xC6GG2NC.exe 2sx258dC.exe PID 1368 wrote to memory of 952 1368 xC6GG2NC.exe 2sx258dC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe"C:\Users\Admin\AppData\Local\Temp\a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM5BX0Vg.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nM5BX0Vg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xC6GG2NC.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xC6GG2NC.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pn58wd0.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1pn58wd0.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:5040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 5925⤵
- Program crash
PID:4780 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2sx258dC.exe4⤵
- Executes dropped EXE
PID:952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4564 -ip 45641⤵PID:3956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1308,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:81⤵PID:924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
585KB
MD55d84d9a040ed7079a5f434a6ce732b3a
SHA1cb19095e05db97c07ba869b998619f2aabc2332d
SHA25603b76d8af28aac08a86fdc89e0b8482cab7a4ecd37706b3c56f86000e14edb3d
SHA51205e64a1327d4e269b214aff7f0f1132486ec5a49bbb885d124094fb66b0a9a35d889b22dd3a3e49ee40bc022ea86c39a8e5b57191cb04b0a30439f112d0e2a78
-
Filesize
412KB
MD51b00caa89398f68407087c99a0d32d96
SHA1c1dc0ac4a5832700a212d3fd2fb370382e982614
SHA2567767d060b1bb37706be1320ee7f7e2398bfb9193575d4a808c65fed5c91cc24b
SHA512b9688fa1022eb95e3aa3c81b0748d24e890b1ed424474670afb014f89d921102e96941d2b90343c621316abfba395bef5a45651bd924692df833401040c069d8
-
Filesize
378KB
MD5bd073e92f856923e750c1d02212f56f3
SHA1744aa3395344c898e9fd30aeec2f2a75a3cb74b6
SHA256687820b69c61268f3a3546bfc37dd897d2ea377f936a939f4c26841d988bbf4a
SHA51201a8ffdcc82fc76ed557beced540990da15671196a67abd49d12ddfed23af9a2227e3f7ae8d606b30a3b97f3d9e3ea46ee703fbaf154f676b428f909a3de9bd3
-
Filesize
221KB
MD52a9b435a6ed3bdcc18c637b434031073
SHA1c07d300a9c4688ea672ace565ac7de4fee9479a7
SHA256592e3fba0f4b0c4ab97e41afd0340187b6ab373b4bdf567cdb4d43da84cd50d2
SHA512f0a3e64d6759a4ae6bd404ccf93d5d41094e1333ffc650b0804e9a98b8e341c238f670569ecd920eea708b23fe830c18f62179c9cc8d4e10ba3a4b953076897b