Overview
overview
10Static
static
32ae72cafa8...de.exe
windows10-2004-x64
102d225565e0...be.exe
windows10-2004-x64
105f94dabf69...6d.exe
windows10-2004-x64
1065296f4680...95.exe
windows7-x64
365296f4680...95.exe
windows10-2004-x64
107618ddb9e4...07.exe
windows10-2004-x64
108865ec3f94...5a.exe
windows10-2004-x64
108d796a364d...e4.exe
windows10-2004-x64
10aabdc92d30...96.exe
windows10-2004-x64
10bae99364dc...55.exe
windows10-2004-x64
10cc35c0b2bc...24.exe
windows10-2004-x64
10d63c4114c3...86.exe
windows10-2004-x64
10d65bb810cc...a7.exe
windows10-2004-x64
10d764830962...c8.exe
windows10-2004-x64
10d9124df1a4...d1.exe
windows10-2004-x64
10e1564be8f1...ad.exe
windows10-2004-x64
10e7ee230707...d5.exe
windows10-2004-x64
10e8a7f5f2b3...4b.exe
windows10-2004-x64
10e8bf7b5c22...96.exe
windows10-2004-x64
10eb214d5f58...c6.exe
windows10-2004-x64
10edacb614f4...95.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:36
Static task
static1
Behavioral task
behavioral1
Sample
2ae72cafa8f21759370b4609f21d845fbedad29052bfdacb21408b021b7ef6de.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
65296f468099ebcd60c98ae5a6f7f005a227427a05eda0790e32e2f0c0061d95.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
65296f468099ebcd60c98ae5a6f7f005a227427a05eda0790e32e2f0c0061d95.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
7618ddb9e4a4f8eb9facccaca5f824467c35a2b211a133dc5f4f30148b77b907.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
8865ec3f949ea2778d72427ba8f147c8a4182420bdfdbe11b0a8b53c48b0a95a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
8d796a364d2a62b12d9a28d63b8503f41de8f9257083f87c02feecdb89c729e4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
aabdc92d3092215c39aff5ff3cdd7b86a2827e8ddaa5a11c8ac53332bfd6fa96.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
bae99364dcd24884412ebf95baa476884b86666b0891ad8f7c642d1e72901855.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
cc35c0b2bc4afaa3e56d0b585ddf1928790ef237331a245ad0eb919b4e8c2524.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
d63c4114c36e73dd975c0cc4a3dc67316e090266f64cd492ec17a7dabcdbe686.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
d65bb810ccd243a6f5edda6c97b9e2e03e46b6306aca9415c3ae84a27a61a7a7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
e1564be8f124041c0c125d9557c302f4631504d0048e1c1f41b6abfb473ebbad.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
e7ee230707772fd1bd9dd07f526c692dfe119bca41b2113cadfcd511a5416cd5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e8a7f5f2b344eb468a91c59dbe8699a08d71f9b708a1134c8948cf194516594b.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
e8bf7b5c22a787af15a42638894b8f1eccc3320134f42f09939f4932df0cc796.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
eb214d5f5806ec4617c2b7cde5e3a5beb5a3c254a391dee7605decfe13174bc6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
edacb614f4d4ad4a3dd9e9d5ad37ba56d1e7d49ddad0b14ca3ce632b0a820f95.exe
Resource
win10v2004-20240508-en
General
-
Target
5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe
-
Size
1.2MB
-
MD5
afec0a32010542d6eef2c43f978d401b
-
SHA1
a0024019ef66f21995cbc6957c32fcfde507a951
-
SHA256
5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d
-
SHA512
e005ddcb3b276dcf635ae96423f6d78b86bfe06febba57f3cb9fba0fc31f11002e9c20a1ae02e5c2bf6129cd08fa95f02c7c3db8608888b57aff802f57256d63
-
SSDEEP
24576:PyerYcveCuhO4DWmHJKjEZmmU4r+De38aPD/dLvJJXOMdJ:a4JvzeWmHJKA08rfsqFvJvd
Malware Config
Extracted
redline
gigant
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
resource yara_rule behavioral3/memory/2672-35-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral3/memory/2672-38-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral3/memory/2672-36-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral3/files/0x000700000002342d-40.dat family_redline behavioral3/memory/3748-42-0x0000000000A60000-0x0000000000A9E000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 60 Ie5WI1xg.exe 8 XH8Ks7qi.exe 2356 hv4YD0gy.exe 3276 Ii1ir6vd.exe 536 1dq15SY9.exe 3748 2kW114ny.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" hv4YD0gy.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" Ii1ir6vd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Ie5WI1xg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" XH8Ks7qi.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 536 set thread context of 2672 536 1dq15SY9.exe 89 -
Program crash 1 IoCs
pid pid_target Process procid_target 1232 536 WerFault.exe 87 -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4160 wrote to memory of 60 4160 5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe 83 PID 4160 wrote to memory of 60 4160 5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe 83 PID 4160 wrote to memory of 60 4160 5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe 83 PID 60 wrote to memory of 8 60 Ie5WI1xg.exe 84 PID 60 wrote to memory of 8 60 Ie5WI1xg.exe 84 PID 60 wrote to memory of 8 60 Ie5WI1xg.exe 84 PID 8 wrote to memory of 2356 8 XH8Ks7qi.exe 85 PID 8 wrote to memory of 2356 8 XH8Ks7qi.exe 85 PID 8 wrote to memory of 2356 8 XH8Ks7qi.exe 85 PID 2356 wrote to memory of 3276 2356 hv4YD0gy.exe 86 PID 2356 wrote to memory of 3276 2356 hv4YD0gy.exe 86 PID 2356 wrote to memory of 3276 2356 hv4YD0gy.exe 86 PID 3276 wrote to memory of 536 3276 Ii1ir6vd.exe 87 PID 3276 wrote to memory of 536 3276 Ii1ir6vd.exe 87 PID 3276 wrote to memory of 536 3276 Ii1ir6vd.exe 87 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 536 wrote to memory of 2672 536 1dq15SY9.exe 89 PID 3276 wrote to memory of 3748 3276 Ii1ir6vd.exe 96 PID 3276 wrote to memory of 3748 3276 Ii1ir6vd.exe 96 PID 3276 wrote to memory of 3748 3276 Ii1ir6vd.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe"C:\Users\Admin\AppData\Local\Temp\5f94dabf691f3432b26ad16c1f7ecb24292db785b9562faeb1131ea9306e6a6d.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ie5WI1xg.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ie5WI1xg.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:60 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XH8Ks7qi.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XH8Ks7qi.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:8 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv4YD0gy.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hv4YD0gy.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ii1ir6vd.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Ii1ir6vd.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq15SY9.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1dq15SY9.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:2672
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1527⤵
- Program crash
PID:1232
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kW114ny.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2kW114ny.exe6⤵
- Executes dropped EXE
PID:3748
-
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 536 -ip 5361⤵PID:4040
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD529e5166714861916d6928fa82a3eb914
SHA1bf5b4f5c3a7633098ae024ba5e5b5d22df722874
SHA2567fa3dd3690cf75ed676fc07c8547923658d76679a824e982bb3e8ed6e28774c4
SHA512291df911e2baf0dee7027e9a074110d872f73874b6e9de4edc1e8038177325f4a36936bd420caf5e1288443e7e0b2179204e1bbbbcde38b5c4007f3be568f20a
-
Filesize
884KB
MD5371da857c9eabeb754e39426063cafc4
SHA187b79ad5726d499946a208740ecf2d69dd331229
SHA256a297abe360750e258587d0e4baaadc7aeb96a87a70d411c2f9b5146e1624007f
SHA512d243612243513d67a5dd8b1bee1f56be80ffd7dc7759b773349413bf419200a64192bf08964b44cd6e9b754ff7190497d413a19fd2685df6db6799665bebdc3f
-
Filesize
590KB
MD5b32810979fd7f8256d0c846b3acf50af
SHA17a59a94ef9094b9f4ffa67b582e6dbcc30ed559d
SHA2566692c60f2483b5fe5c686259be2664a9c061c1033a95ed9b0675610d4ff12c5f
SHA512c2f6825aecb9fe9068d461681514cc4f99d0a5d3ae3218affecfbeb84e10a4f01e9b38c2a8e5a03d5d70ad9db0b84f4610430b43359f2a9c842417ada33b8a41
-
Filesize
417KB
MD53f2a41a75c7b5a327aa8c40b4a0a026c
SHA11bfdc49528320ac1d39b61ab28ff473c844488af
SHA256f5282228634bac6da6f78d909a005f21551fd067bb8153009809b5114d52d616
SHA5122286e87eff25b2053e5f7934bdb84f8cbdcbee3fa5b50ef33544a167fac0bddbb77d98b66326043320e13fca65a148ab300ec6e15c976b16f49ba1840dd6413a
-
Filesize
378KB
MD5c0ff76f293d1f3685ee33070e7fe3c5c
SHA10aa3d9025549e823e03933e5c7d3a09232395681
SHA2568af785979292fb266052650af73c5a49df59cc8a7bdd1cc53a22978e4d72748c
SHA5127fc9e3c22e984d66e59162f6395ff626c7bfec014817dcb06672e38c6024e2bdba429ffa77506bd79f6d3a5fb327438734b48e65d7135739e5acb9508ea9435d
-
Filesize
231KB
MD54c7e65161f26ed57ed3250c2c2b8557d
SHA1577831d9f302f9272c0dda85046925b286bf02b9
SHA2560a6e29af91adc9c581159e52b46a9a0efb6cb87ea5d0e78366b3919eb75ac358
SHA512a98c6655b2c0c333ab19cae4a5f771a981a6e1b95b9405478fb8def4a7dcdb2aa95b2e73bf660976cd3918033f8ebc567f64e18de16a4545cf56c58c56406cf5