Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 11:07
General
-
Target
3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe
-
Size
746KB
-
MD5
0f8508d9978491f6d3a929d927921ede
-
SHA1
719fff86d85f89b1880351d7f4f63be966154074
-
SHA256
3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3
-
SHA512
a85485e8770ab2ceed8eb5a25112f3822d48c756afa8063834f3c32f3d7c75a5e468cd2adb8da5c0dbd83657040f858bc545889c065e93c9701814a65b180aa0
-
SSDEEP
12288:dMrly90S1AJyflj4NMT1PloI8MoV9u8PzwTLjZ:QyhAk9jJ1PlRP5ekfZ
Malware Config
Extracted
redline
frant
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe"C:\Users\Admin\AppData\Local\Temp\3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fw7Ec60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fw7Ec60.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nw90kF0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nw90kF0.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ng98Pz.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ng98Pz.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 1604⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iT9623.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iT9623.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 6003⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2204 -ip 22041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1576 -ip 15761⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
459KB
MD5e068637314979d2a3f9df751092aeb88
SHA1ddfe433783d38e86eafcfda8f1a4b4bfb33a58fb
SHA25696123443820d60fc3ba013fc503acf05893af9074567be4d191a57f760e9a750
SHA512d485604186b35ca212cd799a3b6eca4a5b2b0e8222293b445fbd7e02f9d6f88bfcd5ff61f5cc87356f9360ca312a3f97db8d7be683a37a69f2c9e47f4679154f
-
Filesize
452KB
MD56ae56f5902ca0d6a7584d9302ba26820
SHA1ee1883d13d55faaa2f35940d011f4efd0a345646
SHA25668465085a51dc7be146dc2e847fa75a39e3bacabbc7ee6f3a9720d16504a686a
SHA5124e5bc533661e9f48d3076fe967318235fa63e43f32a75bdcb4d62c0539d78016e600ea3096aa4585864e60df16db19a04c18c88f30ac4c59d478485e7118bc0e
-
Filesize
192KB
MD58904f85abd522c7d0cb5789d9583ccff
SHA15b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA2567624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA51204dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12
-
Filesize
378KB
MD50028cf0329d7216dfc11b8b377135a8e
SHA1c00c471b097f37a7d074dd7d3b4da0b6cbf2afb5
SHA256a5d37f4f6302f8b0f5a489f6e9d3bac21dbd32627f4b47acd51dfa6ad79d8c8c
SHA5121500c46974f04e0488bc44344bcb57aed342bee077a5720e0d7a7f09ac65352f64a4b19ed64256af89792a958dc0d87ea82608ad6730e497555d95d068efd18a
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
304KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
7.7MB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
4KB