Overview

overview

10

Static

static

3

0d17733c30...5d.exe

windows10-2004-x64

10

12afd6aace...a7.exe

windows10-2004-x64

10

1a9919325d...ce.exe

windows10-2004-x64

10

1b565f7ed3...1d.exe

windows10-2004-x64

10

2c58ee5805...6e.exe

windows10-2004-x64

10

33598ea86e...12.exe

windows10-2004-x64

10

4e5d421522...cb.exe

windows10-2004-x64

10

4ff3477e4f...b7.exe

windows10-2004-x64

10

6ee2a56c58...f5.exe

windows10-2004-x64

10

803bdeb4bc...3b.exe

windows10-2004-x64

10

82c26e730c...f6.exe

windows10-2004-x64

10

92d5779e2c...c1.exe

windows10-2004-x64

10

b0845c677f...61.exe

windows10-2004-x64

10

b82c1f093a...b3.exe

windows10-2004-x64

10

c52f1aa452...c1.exe

windows10-2004-x64

10

c7bf16d19a...5c.exe

windows10-2004-x64

10

d85805160c...b3.exe

windows10-2004-x64

10

e4e49b8568...6d.exe

windows10-2004-x64

10

e5ef76e6dd...ba.exe

windows10-2004-x64

10

fac8fce7e3...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5.exe

  • Size

    991KB

  • MD5

    6ef947676fa334d38379a2fda493b8a5

  • SHA1

    4ee6dcca6bbf609046e66bc82040246ae7c0250f

  • SHA256

    6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5

  • SHA512

    2ec1e0e21e461c621a933476897e0bba7d635e6509f32bf0afd614fd37b0dfe76c2595b165fcb29954358a3a25b9ddb151e0d8e4e28ec8c2f638d55ce594e185

  • SSDEEP

    24576:SyMWu2HJLjK0CSP55myltVEu0v/ciz7dh:5E2HljCi55fFEu0v0k

Score
10/10
mysticredlinesmokeloaderfrantbackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5.exe
    "C:\Users\Admin\AppData\Local\Temp\6ee2a56c58d7b91b6debe8aed2285fcef3c3e50613fe3c8b6f7d5a94968b59f5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oo8Nr58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oo8Nr58.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yl4TJ91.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yl4TJ91.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bC97nU3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bC97nU3.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5040
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2FU6609.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2FU6609.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2500
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2984
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 596
              5⤵
              • Program crash
              PID:3848
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Ps69La.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Ps69La.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:1884
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Checks SCSI registry key(s)
              PID:4064
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 612
              4⤵
              • Program crash
              PID:540
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yC662Hw.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yC662Hw.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:4328
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 156
              3⤵
              • Program crash
              PID:692
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2500 -ip 2500
          1⤵
            PID:4340
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3508 -ip 3508
            1⤵
              PID:2932
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2688 -ip 2688
              1⤵
                PID:4832

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yC662Hw.exe
                Filesize

                459KB

                MD5

                a38ce3e2dc246d8e40f95186737c588f

                SHA1

                87eb3f865fdd506f345d1d586f4d8c4d490f669a

                SHA256

                c42efcd5f53c75f36a6ed5c8f8be82359b848285ffb0fc5acc12fbd625c7028e

                SHA512

                9b6dec7f0eaae988f522ec927e0082dd03ead7605387c52d6184ee899154c85e9f180622b7ca32377a9e9a0b1972e24131e0a47e2b27797c55736b25261d27c9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oo8Nr58.exe
                Filesize

                696KB

                MD5

                bc157c64b1b6abbfd383165d6400ed08

                SHA1

                927f749974432f95ca3dc8917c1bf42d2e421665

                SHA256

                95c0c498aee014e9ce0fcbb4882d54d97b0dd80e257f09f19467e7137d6d6e88

                SHA512

                730af361f1dc2f9c027200376b872dd36242a6ab47c59f52a8374c65efb68b37963d109cfb07b0cf49849e251d85a0f61c72244344517fa273fdae9e2e98dc55

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Ps69La.exe
                Filesize

                268KB

                MD5

                f09b788bfb242f8edcb4b4ab2bd0275a

                SHA1

                71b2273479460cbda9d08073d0b116935d2c6813

                SHA256

                f291d8694f3198b824474d57a18792218a5d622f2f59370efe6679563db87521

                SHA512

                709bdc1a303159b27f7e7fa793d1c78f3d6223b5a3ba2c03cbea36eafc1bd0e2edc1bd19e61f7ed5ca53a1ab5018d7c171fc9c3c4ff67b02b4087a07cfd5dda6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Yl4TJ91.exe
                Filesize

                452KB

                MD5

                926a1d98af5f587a0c943222fffd5d0d

                SHA1

                e399f38a5a536d4dd049ae1d8b1a44152c24881c

                SHA256

                5ebcef1ca0954bb66e095bba171335808084c6a847d5bf152f055d2e3b9c76e1

                SHA512

                f5bf07ba36acf490669ca5ed76a293ce61b6d8f22dc70c39e6c69fe33d33e610f82d14a2e0a3d83b9152a72d8272dd71dd48e2afeafda4935d81f67ef37193a3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1bC97nU3.exe
                Filesize

                192KB

                MD5

                8904f85abd522c7d0cb5789d9583ccff

                SHA1

                5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

                SHA256

                7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

                SHA512

                04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2FU6609.exe
                Filesize

                378KB

                MD5

                f0831f173733de08511f3a0739f278a6

                SHA1

                06dc809d653c5d2c97386084ae13b50a73eb5b60

                SHA256

                8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

                SHA512

                19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

                Download Submit

              • memory/2984-56-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/2984-59-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/2984-57-0x0000000000400000-0x0000000000428000-memory.dmp

                Filesize

                160KB

                Download

              • memory/4064-63-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/4328-73-0x00000000078A0000-0x00000000078DC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4328-67-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4328-68-0x00000000074D0000-0x0000000007562000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4328-69-0x0000000001000000-0x000000000100A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4328-70-0x00000000085B0000-0x0000000008BC8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4328-71-0x0000000007F90000-0x000000000809A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4328-72-0x0000000007840000-0x0000000007852000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4328-74-0x00000000078E0000-0x000000000792C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/5040-45-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-25-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-24-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-27-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-29-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-31-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-35-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-38-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-51-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-40-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-41-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-43-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-47-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-49-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-33-0x00000000049A0000-0x00000000049B6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/5040-23-0x00000000049A0000-0x00000000049BC000-memory.dmp

                Filesize

                112KB

                Download

              • memory/5040-22-0x0000000004B40000-0x00000000050E4000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/5040-21-0x0000000002380000-0x000000000239E000-memory.dmp

                Filesize

                120KB

                Download