Overview
overview
10Static
static
30d17733c30...5d.exe
windows10-2004-x64
1012afd6aace...a7.exe
windows10-2004-x64
101a9919325d...ce.exe
windows10-2004-x64
101b565f7ed3...1d.exe
windows10-2004-x64
102c58ee5805...6e.exe
windows10-2004-x64
1033598ea86e...12.exe
windows10-2004-x64
104e5d421522...cb.exe
windows10-2004-x64
104ff3477e4f...b7.exe
windows10-2004-x64
106ee2a56c58...f5.exe
windows10-2004-x64
10803bdeb4bc...3b.exe
windows10-2004-x64
1082c26e730c...f6.exe
windows10-2004-x64
1092d5779e2c...c1.exe
windows10-2004-x64
10b0845c677f...61.exe
windows10-2004-x64
10b82c1f093a...b3.exe
windows10-2004-x64
10c52f1aa452...c1.exe
windows10-2004-x64
10c7bf16d19a...5c.exe
windows10-2004-x64
10d85805160c...b3.exe
windows10-2004-x64
10e4e49b8568...6d.exe
windows10-2004-x64
10e5ef76e6dd...ba.exe
windows10-2004-x64
10fac8fce7e3...0e.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:09
Static task
static1
Behavioral task
behavioral1
Sample
0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1a9919325da63b8484a6bd765fb24e43189e13130d5740306b71aac0ea7178ce.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1b565f7ed39bcb3768a8d15009e2ee03870984f6900010642cd696ee9c5efc1d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
2c58ee580588f3af770bfbe1f4b90e3f3abc1db0635b5db9df6dc396c7e7666e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
33598ea86e5fb6e4703678ac412886ef6b59161a6c845c900d25dda182afa112.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
4e5d421522773b4acede9491200eb6a0479ef03a8892230b81ba0d0ed10d98cb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4ff3477e4f6bd6e3e862b79ae405c63df8d69b707138781208fb58578b8246b7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
803bdeb4bc4493002015ca620d956227797f6d2e1f4fb5f4b09b86d3c2be303b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
82c26e730c449cb8fa3b24eb4cad396dfb875eecd3ee1ccbb1d8fe29530d3ef6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
92d5779e2c52f5941931dde42396f724a8986970826adad853ad885da3caccc1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
b0845c677fbb6f6769b22ee306bf30e9c9d49caa3bfd274fceb91e91bd6ee061.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
b82c1f093a07f8365a76b180a16ceba720e598167e3d606f93fedc39de6692b3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
c52f1aa4527983452b72bfcc7c7498055116825e436d192acbb7b799124415c1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
c7bf16d19af53ce0e356ff0a03ca5f2bf14034d9e265c438dc88513cd09cf55c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
d85805160cf3294fe4b79968f7cee19fdaf73c0a9ed5ab8fffa11fa7fd3bddb3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e4e49b8568937c43bba5621fcfe9e3762efb9c4078b3287603ef249c522d126d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e5ef76e6dd861b064544fe5f0400d8d476e07d29a56f78d564dd2a73252e39ba.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
fac8fce7e33f863be353a7bbf44a4fc673ab60a051fa66cebe5511a000ee1a0e.exe
Resource
win10v2004-20240226-en
General
-
Target
12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe
-
Size
747KB
-
MD5
34d77e8b622d28f48bd184ef3c91df85
-
SHA1
d60559183722c9fe5dfed24eb8203bf54bfdb405
-
SHA256
12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7
-
SHA512
19ea6bdb290b283d8c3d23cd5ebea3295c8182fcbf4d4da3f086a91fb1ed98955d1e2ee9ae90ccfa0aad3b0871aced16f1a3130a6b37a7576d41f44133bb8ffc
-
SSDEEP
12288:bMrMy90zXi2rhvtabiPHBZjT9CFcJGNUJh7gvztpRxxMg4kASa:7yELfBR9CgYuMtpFMg4LZ
Malware Config
Extracted
redline
frant
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
resource yara_rule behavioral2/memory/1180-53-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral2/memory/1180-54-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral2/memory/1180-56-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 1Lm73aI8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1Lm73aI8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1Lm73aI8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1Lm73aI8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1Lm73aI8.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1Lm73aI8.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4464-60-0x0000000000400000-0x000000000043E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 2988 Pi5ZN69.exe 4760 1Lm73aI8.exe 4544 2aP21au.exe 4708 3zi0508.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 1Lm73aI8.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 1Lm73aI8.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Pi5ZN69.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4544 set thread context of 1180 4544 2aP21au.exe 97 PID 4708 set thread context of 4464 4708 3zi0508.exe 105 -
Program crash 2 IoCs
pid pid_target Process procid_target 2452 4544 WerFault.exe 95 1976 4708 WerFault.exe 101 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4760 1Lm73aI8.exe 4760 1Lm73aI8.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4760 1Lm73aI8.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2600 wrote to memory of 2988 2600 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe 83 PID 2600 wrote to memory of 2988 2600 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe 83 PID 2600 wrote to memory of 2988 2600 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe 83 PID 2988 wrote to memory of 4760 2988 Pi5ZN69.exe 84 PID 2988 wrote to memory of 4760 2988 Pi5ZN69.exe 84 PID 2988 wrote to memory of 4760 2988 Pi5ZN69.exe 84 PID 2988 wrote to memory of 4544 2988 Pi5ZN69.exe 95 PID 2988 wrote to memory of 4544 2988 Pi5ZN69.exe 95 PID 2988 wrote to memory of 4544 2988 Pi5ZN69.exe 95 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 4544 wrote to memory of 1180 4544 2aP21au.exe 97 PID 2600 wrote to memory of 4708 2600 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe 101 PID 2600 wrote to memory of 4708 2600 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe 101 PID 2600 wrote to memory of 4708 2600 12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe 101 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105 PID 4708 wrote to memory of 4464 4708 3zi0508.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe"C:\Users\Admin\AppData\Local\Temp\12afd6aace975903b46162ca80f43ceaeffd722715cf2a23433c1c09c4bdf7a7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pi5ZN69.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pi5ZN69.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lm73aI8.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lm73aI8.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aP21au.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aP21au.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:1180
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 1524⤵
- Program crash
PID:2452
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3zi0508.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3zi0508.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:4464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 1563⤵
- Program crash
PID:1976
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4544 -ip 45441⤵PID:2724
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4708 -ip 47081⤵PID:1176
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
459KB
MD5a8041be69bfff4789e52bdda0e13e3e3
SHA1a1d1d75969b56ecfdb13ccdf35c4e5e4e5969836
SHA25649a1a7a7665d39297972bb1188175b2cea1e1a7802d0c7050db47acbe488b5b2
SHA5128f25dfe43675272b71976d03f21cf6fb5a58ff88f59edc6336b95bfd368e1f612e978882db81975942aac5f01947e467e4f53c242b0c2f381062a713b6033fcf
-
Filesize
452KB
MD5c1974e114247601e40aaa9e5146ec1ac
SHA1acb75352a7e4eb093adcecf551ad6f594a3c9124
SHA2564cfb319b5e29fb1823ca64c75a303652b799ed5aadf3e606a08d508a7c306d38
SHA51200831340f50805e6fc48ec3cd96fd56b864f88954ed3725a680b9ff92929ee5d299b5ab3371ce8c493f6b06acf920c94319fba4244aa26b0c4a60f5430485209
-
Filesize
192KB
MD58904f85abd522c7d0cb5789d9583ccff
SHA15b34d8595b37c9e1fb9682b06dc5228efe07f0c6
SHA2567624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f
SHA51204dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12
-
Filesize
378KB
MD532b9897e8aeda75a8b718044ef406a5b
SHA19c7c2edfd89c52099858419482128e4528f3be1a
SHA256c6a4e06cc2890a2fd4697bf9a95ebb187bf2f041afff1a5e57a3af84785c5e8a
SHA512b3dc2e6fa817cd7def9911e825d45f55e9e69f7b5f1c26e43c96750331ccf2735e731f5bd57898ba083d45ea67a43f0c88e3d215b1ca5d279eb2db62b2662d02