Overview

overview

10

Static

static

3

0d301494f1...b9.exe

windows10-2004-x64

10

17123cde24...76.exe

windows10-2004-x64

10

3513e5a1be...0b.exe

windows10-2004-x64

10

3548eb3ee0...c3.exe

windows10-2004-x64

10

37bb007e1a...b5.exe

windows10-2004-x64

10

3b8019115c...d8.exe

windows10-2004-x64

10

3ba16fdd2a...8a.exe

windows10-2004-x64

10

3c47d4d72a...e8.exe

windows10-2004-x64

10

5598d9028e...fd.exe

windows7-x64

10

5598d9028e...fd.exe

windows10-2004-x64

10

5d95f47641...f4.exe

windows10-2004-x64

10

61d857a524...a5.exe

windows10-2004-x64

10

64f004d4a2...36.exe

windows10-2004-x64

10

7787b07a17...49.exe

windows10-2004-x64

10

7cc3996906...7e.exe

windows10-2004-x64

10

825d0619a8...ce.exe

windows10-2004-x64

10

9e6f3fd3f7...c2.exe

windows10-2004-x64

10

a49c96afc3...92.exe

windows10-2004-x64

10

e2945d600c...9e.exe

windows10-2004-x64

10

eb8cedd00b...3b.exe

windows10-2004-x64

10

f9bdee7f3d...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe

  • Size

    746KB

  • MD5

    0f8508d9978491f6d3a929d927921ede

  • SHA1

    719fff86d85f89b1880351d7f4f63be966154074

  • SHA256

    3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3

  • SHA512

    a85485e8770ab2ceed8eb5a25112f3822d48c756afa8063834f3c32f3d7c75a5e468cd2adb8da5c0dbd83657040f858bc545889c065e93c9701814a65b180aa0

  • SSDEEP

    12288:dMrly90S1AJyflj4NMT1PloI8MoV9u8PzwTLjZ:QyhAk9jJ1PlRP5ekfZ

Score
10/10
mysticredlinefrantevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe
    "C:\Users\Admin\AppData\Local\Temp\3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fw7Ec60.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fw7Ec60.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nw90kF0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nw90kF0.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2376
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ng98Pz.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ng98Pz.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1800
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3472
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 600
            4⤵
            • Program crash
            PID:912
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iT9623.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iT9623.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:1696
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 152
            3⤵
            • Program crash
            PID:4924
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1800 -ip 1800
        1⤵
          PID:3252
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4632 -ip 4632
          1⤵
            PID:2008

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3iT9623.exe
            Filesize

            459KB

            MD5

            e068637314979d2a3f9df751092aeb88

            SHA1

            ddfe433783d38e86eafcfda8f1a4b4bfb33a58fb

            SHA256

            96123443820d60fc3ba013fc503acf05893af9074567be4d191a57f760e9a750

            SHA512

            d485604186b35ca212cd799a3b6eca4a5b2b0e8222293b445fbd7e02f9d6f88bfcd5ff61f5cc87356f9360ca312a3f97db8d7be683a37a69f2c9e47f4679154f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fw7Ec60.exe
            Filesize

            452KB

            MD5

            6ae56f5902ca0d6a7584d9302ba26820

            SHA1

            ee1883d13d55faaa2f35940d011f4efd0a345646

            SHA256

            68465085a51dc7be146dc2e847fa75a39e3bacabbc7ee6f3a9720d16504a686a

            SHA512

            4e5bc533661e9f48d3076fe967318235fa63e43f32a75bdcb4d62c0539d78016e600ea3096aa4585864e60df16db19a04c18c88f30ac4c59d478485e7118bc0e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nw90kF0.exe
            Filesize

            192KB

            MD5

            8904f85abd522c7d0cb5789d9583ccff

            SHA1

            5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

            SHA256

            7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

            SHA512

            04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Ng98Pz.exe
            Filesize

            378KB

            MD5

            0028cf0329d7216dfc11b8b377135a8e

            SHA1

            c00c471b097f37a7d074dd7d3b4da0b6cbf2afb5

            SHA256

            a5d37f4f6302f8b0f5a489f6e9d3bac21dbd32627f4b47acd51dfa6ad79d8c8c

            SHA512

            1500c46974f04e0488bc44344bcb57aed342bee077a5720e0d7a7f09ac65352f64a4b19ed64256af89792a958dc0d87ea82608ad6730e497555d95d068efd18a

            Download Submit

          • memory/1696-67-0x0000000007EE0000-0x0000000007F2C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1696-66-0x0000000007EA0000-0x0000000007EDC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1696-64-0x0000000007F50000-0x000000000805A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/1696-65-0x0000000007E40000-0x0000000007E52000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1696-63-0x0000000008D30000-0x0000000009348000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/1696-62-0x0000000005080000-0x000000000508A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1696-61-0x0000000007C50000-0x0000000007CE2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1696-60-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2376-28-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-20-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-38-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-34-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-32-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-30-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-42-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-26-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-24-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-22-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-19-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-49-0x0000000073E20000-0x00000000745D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2376-47-0x0000000073E20000-0x00000000745D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2376-14-0x0000000073E2E000-0x0000000073E2F000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2376-15-0x0000000002270000-0x000000000228E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2376-17-0x0000000004AC0000-0x0000000005064000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2376-44-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-46-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-37-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-40-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/2376-18-0x0000000004990000-0x00000000049AC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/2376-16-0x0000000073E20000-0x00000000745D0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3472-53-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3472-56-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3472-54-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download