Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 17:01
General
-
Target
1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe
-
Size
991KB
-
MD5
be582c12844f5f5dddd1d613957799da
-
SHA1
74dade2c7e5ac082f6942497e78608a33610af0a
-
SHA256
1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798
-
SHA512
233eba01255605cf18bf64cfea8b100758f615b6506f80de2aff7c4047ec2e5fd3487eae04cfbe00f796d8cf2c8b7c8c98b2187a54b2bf756c6103bd8eedffd0
-
SSDEEP
24576:pyuRmIEimkREuj6PmXXXmemqY++LKGoq+h:cu9h0uj6WHmegYGoq+
Malware Config
Extracted
redline
frant
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 6 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe"C:\Users\Admin\AppData\Local\Temp\1e3157fc3db10cb11bb1542831b9f07071a4baad8bb0d42282a3bd9141423798.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bl1zI65.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bl1zI65.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER4pw82.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER4pw82.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UQ09td3.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UQ09td3.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Eg6560.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Eg6560.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 5965⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE77HF.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE77HF.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 6084⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ci317VO.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ci317VO.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1563⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1980 -ip 19801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4704 -ip 47041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1832 -ip 18321⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ci317VO.exeFilesize
459KB
MD5a38ce3e2dc246d8e40f95186737c588f
SHA187eb3f865fdd506f345d1d586f4d8c4d490f669a
SHA256c42efcd5f53c75f36a6ed5c8f8be82359b848285ffb0fc5acc12fbd625c7028e
SHA5129b6dec7f0eaae988f522ec927e0082dd03ead7605387c52d6184ee899154c85e9f180622b7ca32377a9e9a0b1972e24131e0a47e2b27797c55736b25261d27c9
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bl1zI65.exeFilesize
696KB
MD5ab140b00cb345dac8addfdaf0aded068
SHA109443e7f0a53cafd52c746ef013aec0a521dba17
SHA25631a6d9124dada285c1a6fe29448d49b90b21805cce361c3cdb5af9dc4aea31ac
SHA5128f44c1665257a4a5e8435e7f8ca60f6fd27b11fe87955cb13d4b08e8c1fa275b46e9c1273427247eab2c8c09cae7dcc5b5ed530bccd161d80f5364702f584e75
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3GE77HF.exeFilesize
268KB
MD5f09b788bfb242f8edcb4b4ab2bd0275a
SHA171b2273479460cbda9d08073d0b116935d2c6813
SHA256f291d8694f3198b824474d57a18792218a5d622f2f59370efe6679563db87521
SHA512709bdc1a303159b27f7e7fa793d1c78f3d6223b5a3ba2c03cbea36eafc1bd0e2edc1bd19e61f7ed5ca53a1ab5018d7c171fc9c3c4ff67b02b4087a07cfd5dda6
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER4pw82.exeFilesize
452KB
MD5ed0c168c6d5429ab8a2a1c7fd31e91c6
SHA150195d907d10a6c56d479a2ddd9e9e3e27bd340d
SHA256064bacb6978ed2c988382e83c9c8f4b894da16f92be7aa448733bb51d90eadfb
SHA5123db371a6047f2154218ca6fe0aa4378bb9c9519d7219ca9b493ba2f4856312025f63b03908e66ebde073c2447dc5240a05a83b092b3f9171c928a7c5d1356cf1
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UQ09td3.exeFilesize
192KB
MD58904f85abd522c7d0cb5789d9583ccff
SHA15b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA2567624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA51204dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Eg6560.exeFilesize
378KB
MD5f0831f173733de08511f3a0739f278a6
SHA106dc809d653c5d2c97386084ae13b50a73eb5b60
SHA2568b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27
SHA51219e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3
-
memory/780-56-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/780-59-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/780-57-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/1108-73-0x0000000007700000-0x000000000773C000-memory.dmpFilesize
240KB
-
memory/1108-68-0x0000000007340000-0x00000000073D2000-memory.dmpFilesize
584KB
-
memory/1108-67-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/1108-69-0x00000000026C0000-0x00000000026CA000-memory.dmpFilesize
40KB
-
memory/1108-70-0x0000000008420000-0x0000000008A38000-memory.dmpFilesize
6.1MB
-
memory/1108-71-0x0000000007E00000-0x0000000007F0A000-memory.dmpFilesize
1.0MB
-
memory/1108-72-0x0000000007580000-0x0000000007592000-memory.dmpFilesize
72KB
-
memory/1108-74-0x0000000007740000-0x000000000778C000-memory.dmpFilesize
304KB
-
memory/3172-63-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4720-49-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-29-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-25-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-31-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-33-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-35-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-37-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-39-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-41-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-43-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-45-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-47-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-51-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-27-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-24-0x0000000004AD0000-0x0000000004AE6000-memory.dmpFilesize
88KB
-
memory/4720-23-0x0000000004AD0000-0x0000000004AEC000-memory.dmpFilesize
112KB
-
memory/4720-22-0x0000000004C40000-0x00000000051E4000-memory.dmpFilesize
5.6MB
-
memory/4720-21-0x00000000022D0000-0x00000000022EE000-memory.dmpFilesize
120KB