Overview
overview
10Static
static
30d301494f1...b9.exe
windows10-2004-x64
1017123cde24...76.exe
windows10-2004-x64
103513e5a1be...0b.exe
windows10-2004-x64
103548eb3ee0...c3.exe
windows10-2004-x64
1037bb007e1a...b5.exe
windows10-2004-x64
103b8019115c...d8.exe
windows10-2004-x64
103ba16fdd2a...8a.exe
windows10-2004-x64
103c47d4d72a...e8.exe
windows10-2004-x64
105598d9028e...fd.exe
windows7-x64
105598d9028e...fd.exe
windows10-2004-x64
105d95f47641...f4.exe
windows10-2004-x64
1061d857a524...a5.exe
windows10-2004-x64
1064f004d4a2...36.exe
windows10-2004-x64
107787b07a17...49.exe
windows10-2004-x64
107cc3996906...7e.exe
windows10-2004-x64
10825d0619a8...ce.exe
windows10-2004-x64
109e6f3fd3f7...c2.exe
windows10-2004-x64
10a49c96afc3...92.exe
windows10-2004-x64
10e2945d600c...9e.exe
windows10-2004-x64
10eb8cedd00b...3b.exe
windows10-2004-x64
10f9bdee7f3d...5b.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 16:40
Static task
static1
Behavioral task
behavioral1
Sample
0d301494f1fd79496a102de54faf16772306d560cc125b858d5e57a6e12787b9.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
17123cde248bf04440dd66e0818e707111a27baaf0a0f8b46803653840d0f776.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
3513e5a1bef31ae0f1858b98a4a405bb6b73e0c22654ea595cfe351e68560d0b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral4
Sample
3548eb3ee082140f111579d722d1924acef2c914601158aa407cc48e37e04dc3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
37bb007e1a7b802fb160d31d43e6ee29920fb53b1d37beda1c042d893778cab5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
3b8019115c4ceca7cbcfddbb6bbe680cac9c8811275a16616d40ff294ceb6ed8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3c47d4d72a38e9bc6761e47d9e0e51429f2c67ffdd939c07a664efe29c9cd5e8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
5598d9028e8f5dbcce57fc5044a12a3e254972b90687bd0e2d8e20298065c3fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
5d95f476419d3a3135715f2eed0aa6de69b130436772d29100fd7870a2c450f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
61d857a52459b5cf9779c58c6ee28d8e2760da3fe873785eb0afcffa6b0680a5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
64f004d4a260338ba4eea50516df52087bab791fd6eb50d0b4eb189e6e13bb36.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
7787b07a1719f5524402ec7cf71fb92a7177ee85b0a424e2b97f619ba2b32e49.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
7cc399690625fe51c1b469f7e049782a493baa3a1ef701d932c57888bd5d237e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
825d0619a846701eef20b8c0a10ac730a81fefda0f8afdbe06a54bd4251541ce.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral18
Sample
a49c96afc3e1c86dfaa9e2002f5ce95dbdee44cf71bf78474eaa2ab199a57f92.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
e2945d600c8d0d3d77a8528637dcb944f9c51be150c7dd4e619a249b7b9a309e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
eb8cedd00b7ab240f275eb4069c500fbebe244ecae84cca8f1700815583b7f3b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f9bdee7f3daff1675551aa7b8f0eba683dba4df9a9998cc5de0b9da0a577135b.exe
Resource
win10v2004-20240508-en
General
-
Target
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe
-
Size
1.2MB
-
MD5
8baab3511bf3a99728edaba28284cd3c
-
SHA1
b935a0b20f20e0f296f67fec1e2aa1c57d9eda09
-
SHA256
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a
-
SHA512
0ac0e6eedb7d6db2f1c383f74d8fcb32829ab7446025670905caf2ceb95bd089fc21e95aa8f00b37c29815c0fc49fbbcad3b9774633d1cffc9dc7ccf57b20b8d
-
SSDEEP
24576:3y9ILra17CLHayHuMfvmkZOgEopve3fN2o78WXgzCkB6:C9ky7CLRHuMfvmKHpvkV2lkIZB
Malware Config
Extracted
redline
lutyr
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
Processes:
resource yara_rule behavioral7/memory/2172-35-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/2172-38-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral7/memory/2172-36-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe family_redline behavioral7/memory/4796-42-0x0000000000DA0000-0x0000000000DDE000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
Processes:
yu5Zx2kB.exeBy5WQ8iX.exeTG4Bs8cm.exeud9mP7ZB.exe1TN49Uv4.exe2tI389xr.exepid process 2216 yu5Zx2kB.exe 4500 By5WQ8iX.exe 536 TG4Bs8cm.exe 716 ud9mP7ZB.exe 3508 1TN49Uv4.exe 4796 2tI389xr.exe -
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exeyu5Zx2kB.exeBy5WQ8iX.exeTG4Bs8cm.exeud9mP7ZB.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" yu5Zx2kB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" By5WQ8iX.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" TG4Bs8cm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" ud9mP7ZB.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
1TN49Uv4.exedescription pid process target process PID 3508 set thread context of 2172 3508 1TN49Uv4.exe AppLaunch.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3488 3508 WerFault.exe 1TN49Uv4.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exeyu5Zx2kB.exeBy5WQ8iX.exeTG4Bs8cm.exeud9mP7ZB.exe1TN49Uv4.exedescription pid process target process PID 64 wrote to memory of 2216 64 3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe yu5Zx2kB.exe PID 64 wrote to memory of 2216 64 3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe yu5Zx2kB.exe PID 64 wrote to memory of 2216 64 3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe yu5Zx2kB.exe PID 2216 wrote to memory of 4500 2216 yu5Zx2kB.exe By5WQ8iX.exe PID 2216 wrote to memory of 4500 2216 yu5Zx2kB.exe By5WQ8iX.exe PID 2216 wrote to memory of 4500 2216 yu5Zx2kB.exe By5WQ8iX.exe PID 4500 wrote to memory of 536 4500 By5WQ8iX.exe TG4Bs8cm.exe PID 4500 wrote to memory of 536 4500 By5WQ8iX.exe TG4Bs8cm.exe PID 4500 wrote to memory of 536 4500 By5WQ8iX.exe TG4Bs8cm.exe PID 536 wrote to memory of 716 536 TG4Bs8cm.exe ud9mP7ZB.exe PID 536 wrote to memory of 716 536 TG4Bs8cm.exe ud9mP7ZB.exe PID 536 wrote to memory of 716 536 TG4Bs8cm.exe ud9mP7ZB.exe PID 716 wrote to memory of 3508 716 ud9mP7ZB.exe 1TN49Uv4.exe PID 716 wrote to memory of 3508 716 ud9mP7ZB.exe 1TN49Uv4.exe PID 716 wrote to memory of 3508 716 ud9mP7ZB.exe 1TN49Uv4.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 3508 wrote to memory of 2172 3508 1TN49Uv4.exe AppLaunch.exe PID 716 wrote to memory of 4796 716 ud9mP7ZB.exe 2tI389xr.exe PID 716 wrote to memory of 4796 716 ud9mP7ZB.exe 2tI389xr.exe PID 716 wrote to memory of 4796 716 ud9mP7ZB.exe 2tI389xr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe"C:\Users\Admin\AppData\Local\Temp\3ba16fdd2a3366af19641ad21ef4ff828edfd310b6fd8c6b4e24aa854d8a668a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yu5Zx2kB.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\By5WQ8iX.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TG4Bs8cm.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ud9mP7ZB.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1TN49Uv4.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3508 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:2172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1527⤵
- Program crash
PID:3488
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tI389xr.exe6⤵
- Executes dropped EXE
PID:4796
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3508 -ip 35081⤵PID:3196
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD514912fe90c87f625293b7950c3737cf5
SHA18ee5a913e589fb2aeea1e66abe20353e229dabeb
SHA256a01cf01c4a51f51d0aac0db4abd75da7c86dc3fe4eb4ced30e5a700f790b8c7f
SHA512ff9d03a43f100b2d9729b1f13ef491cbd2a3fc22bf7771e47f05f1af30704ce5b84b01361b03daf79a6d5eac601c4a32247338057179b5f48464d8fb5e36cbbf
-
Filesize
878KB
MD5b96d024dcec48f44b0e634a0d00b0223
SHA149c0257d1656bba562b78ec9ceef0a852bf0f9e2
SHA2560db5661ebf50793bdeff7536da4cb9ffb340dd640bed042a0261bc85ed758014
SHA5121ef86c93b05e3bf163272baefd31c44be913fbb0ae5c70469c7e70adfc697f11a0097ba1d6d6e5101087d99adc17a9d997db32c50dcd91f263944ee097042359
-
Filesize
585KB
MD5595ba700772de93abca49bc60f72fd93
SHA10f3d73f972a990e96a2b7980ef39c64408c92cdb
SHA2566c6f96047ea0811502e9b66c7c24fe647bf990fb1f36bac4c6eb7284d01130fb
SHA512f21135fe826a515f9edae818359b96e7c90f30544822c792ade243b712420e787d419b2064a0c38afffadf30254e39fdddc4d196b77a1de04ca9d7aaa7678d6a
-
Filesize
412KB
MD58cccf9dfbf727e134a0283c6db3108f1
SHA1c7cfe5d37931b15213e6ed2e068d4c3d9ec35968
SHA256235557ff9d81e1539021021a81ef33e5a19b68c4983212d98dbca367474a7025
SHA512950b007c08420cc515dd021d6521ac7b94d29ae8b70fbcdefd1d1b6183862e141489d3a623ed40657d9d3244db4d853e159b24b12ff512a2c6968b88001e9b9f
-
Filesize
378KB
MD5489492c387af0075b9d1a9bcdaae552c
SHA1020850bcae1226a62dec53d9cd6111f5d47488ca
SHA256c120782a83cd92cf61f248892c6243486b19e5193196aeac3fdb46c3aef027eb
SHA512df327f7c12f5ce6ff2d3387cc4778fdceeedf7a073e2b4167fae37b87881b9bbef4a01b38ae8464e4f1a002bc55460986ce94c544b3e61c828fc90bb56281371
-
Filesize
221KB
MD52aef8be54c8cb6e31931f4551c5a6b51
SHA1ff7a407c5c036a306f04819777055d0a29e1da5d
SHA256af529dbb38a191ff597cf3c0382f8641d8961a7efe18db5abd347a5b74186ad9
SHA512c6f8013403d4638daa5b847c17820ea1bf0533bc8291e1fb0b5b2494af626965044c28631f9a553da15b95ab0717922ffd4f1b35dd45fdb8e441dcdbe1a83413