Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 17:26
Static task
static1
Behavioral task
behavioral4
Sample
4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe
Resource
win10v2004-20240426-en
General
- Target: 4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe
- Size: 1.0MB
- MD5: 61d4845e02006e934527cd4703e90b07
- SHA1: 0b22149b814404ca6f23a55db2b0fd4f03e9f7ee
- SHA256: 4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810
- SHA512: 47d1517c5e537e90df2ef1c11193992cc7da9e242dc2cc2238643abffc1f92a63fb9cde89658f80633dd20174dbae2e9eca48947ab573b40f49012320aa8e888
- SSDEEP: 24576:xyCEn0G0jYadh62kOcE++vHldKAzUvk43i6OhqbT:kCEn0JjthByoHLNAvSjqb
Malware Config
Extracted
redline
narik
77.91.124.82:19071
- auth_value: 07924f5ef90576eb64faea857b8ba3e5
Signatures
Detect Mystic stealer payload 1 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral4/files/0x0007000000023461-68.dat | mystic_family |
Modifies Windows Defender Real-time Protection settings

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"` | q7909319.exe |
| Set value (int) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"` | q7909319.exe |
| Set value (int) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"` | q7909319.exe |
| Key created | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection` | q7909319.exe |
| Set value (int) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"` | q7909319.exe |
| Set value (int) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"` | q7909319.exe |

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 2 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral4/files/0x000700000002345e-72.dat | family_redline |
| behavioral4/memory/1788-73-0x0000000000DD0000-0x0000000000E00000-memory.dmp | family_redline |

Executes dropped EXE 7 IoCs

| pid | Process |
| --- | --- |
| 624 | z1560207.exe |
| 3572 | z7263287.exe |
| 4952 | z7085338.exe |
| 464 | z3981529.exe |
| 4636 | q7909319.exe |
| 5008 | r0279475.exe |
| 1788 | s7454159.exe |

Windows security modification

| description | ioc | Process |
| --- | --- | --- |
| Key created | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features` | q7909319.exe |
| Set value (int) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"` | q7909319.exe |

Adds Run key to start application 2 TTPs 5 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""` | z3981529.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""` | 4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""` | z1560207.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""` | z7263287.exe |
| Set value (str) | `\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""` | z7085338.exe |

Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.

| pid | Process |
| --- | --- |
| 2596 | sc.exe |

Suspicious behavior: EnumeratesProcesses 2 IoCs

| pid | Process |
| --- | --- |
| 4636 | q7909319.exe |
| 4636 | q7909319.exe |

Suspicious use of AdjustPrivilegeToken 1 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4636 | q7909319.exe |

Suspicious use of WriteProcessMemory 21 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 916 wrote to memory of 624 | 916 | 4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe | 83 |
| PID 916 wrote to memory of 624 | 916 | 4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe | 83 |
| PID 916 wrote to memory of 624 | 916 | 4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe | 83 |
| PID 624 wrote to memory of 3572 | 624 | z1560207.exe | 84 |
| PID 624 wrote to memory of 3572 | 624 | z1560207.exe | 84 |
| PID 624 wrote to memory of 3572 | 624 | z1560207.exe | 84 |
| PID 3572 wrote to memory of 4952 | 3572 | z7263287.exe | 85 |
| PID 3572 wrote to memory of 4952 | 3572 | z7263287.exe | 85 |
| PID 3572 wrote to memory of 4952 | 3572 | z7263287.exe | 85 |
| PID 4952 wrote to memory of 464 | 4952 | z7085338.exe | 87 |
| PID 4952 wrote to memory of 464 | 4952 | z7085338.exe | 87 |
| PID 4952 wrote to memory of 464 | 4952 | z7085338.exe | 87 |
| PID 464 wrote to memory of 4636 | 464 | z3981529.exe | 89 |
| PID 464 wrote to memory of 4636 | 464 | z3981529.exe | 89 |
| PID 464 wrote to memory of 4636 | 464 | z3981529.exe | 89 |
| PID 464 wrote to memory of 5008 | 464 | z3981529.exe | 95 |
| PID 464 wrote to memory of 5008 | 464 | z3981529.exe | 95 |
| PID 464 wrote to memory of 5008 | 464 | z3981529.exe | 95 |
| PID 4952 wrote to memory of 1788 | 4952 | z7085338.exe | 96 |
| PID 4952 wrote to memory of 1788 | 4952 | z7085338.exe | 96 |
| PID 4952 wrote to memory of 1788 | 4952 | z7085338.exe | 96 |

Processes
- "C:\Users\Admin\AppData\Local\Temp\4105a1b5cdeab0ddd1945cda27d5cdaea78ffeef93a6e4ea79194dfe247fa810.exe" (PID 916): Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1560207.exe (PID 624): Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7263287.exe (PID 3572): Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7085338.exe (PID 4952): Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3981529.exe (PID 464): Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7909319.exe (PID 4636): Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0279475.exe (PID 5008): Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7454159.exe (PID 1788): Executes dropped EXE
- C:\Windows\system32\sc.exe start wuauserv (PID 2596): Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads