Overview

overview

10

Static

static

3

04a87b8f05...aa.exe

windows10-2004-x64

10

114af5c13b...fd.exe

windows10-2004-x64

10

1e8dd381c7...01.exe

windows10-2004-x64

10

22e22c4ac4...b8.exe

windows10-2004-x64

10

2539ef3c9e...7a.exe

windows10-2004-x64

10

28e3223b75...cb.exe

windows10-2004-x64

10

2a370f0b1b...d2.exe

windows10-2004-x64

10

312eee3369...2a.exe

windows10-2004-x64

10

49fe85c527...13.exe

windows10-2004-x64

10

5b3b69df98...46.exe

windows10-2004-x64

10

73935ea9dd...cf.exe

windows10-2004-x64

10

7afbfc55db...35.exe

windows10-2004-x64

10

7b920ad0a6...fd.exe

windows10-2004-x64

10

867a7ac357...10.exe

windows10-2004-x64

10

a69474bf18...5d.exe

windows10-2004-x64

10

c1509297f2...7d.exe

windows10-2004-x64

10

c1821fe13b...86.exe

windows10-2004-x64

10

d431e54eb0...f6.exe

windows10-2004-x64

10

e0e0fe767a...79.exe

windows10-2004-x64

10

f1372b1a09...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe

  • Size

    1.2MB

  • MD5

    7b68089b89d04dd24d22a1332d87cf08

  • SHA1

    66d956dadfe8dc098330dc3ec94a6a625c6a0462

  • SHA256

    04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa

  • SHA512

    0c1e561ae6e3c4111379c19618bc871c9c12b27ea5d2ae50396682e433e8369a97577e1b5f5ee3816fd2f4dfe2d8f749261a19c4cc20d0c517edfb282b45b592

  • SSDEEP

    24576:dyXzrx5oWmhku7V5d2FZ9+p3tthEEovRH3OIspEK:4XJ5oJhR0Ff+t3EEopeIw

Score
10/10
mysticredlinegigantinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

gigant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe
    "C:\Users\Admin\AppData\Local\Temp\04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp6VD5cp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp6VD5cp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Di7kU6hV.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Di7kU6hV.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qx0JO7Ga.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qx0JO7Ga.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2192
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OD7gs6lm.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OD7gs6lm.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3528
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ou44cU8.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ou44cU8.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1232
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                  PID:3464
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                  7⤵
                    PID:3876
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 608
                    7⤵
                    • Program crash
                    PID:2636
                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cX813nF.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cX813nF.exe
                  6⤵
                  • Executes dropped EXE
                  PID:2216
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1232 -ip 1232
        1⤵
          PID:4660
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
          1⤵
            PID:2052

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gp6VD5cp.exe
            Filesize

            1.0MB

            MD5

            350a9aefb013b853f73d99cedd610549

            SHA1

            9b31e2f5ecd0d35f40ee4ef9b178065d015183b6

            SHA256

            0708a0d94f95345b0f7971438db685a48b2fe9f61f2776bca56d20e6415ef320

            SHA512

            58727bf11ace8b19aa4bb3064ef124fb7f240ec5e5083dc7ee7ab28d199f1003d7b90fd4c0cdcf8f11bf63b9cf2dd742881a109071f2c95fd72b16f49e7e14d2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Di7kU6hV.exe
            Filesize

            884KB

            MD5

            faf29c5bfb1c743cfb4533d937cb948e

            SHA1

            0c6cbc17f12f05ed0901b26acbfd2c602d407259

            SHA256

            8b23865c9d2ef9bb55779b50828a932163c41986847859fbf7a7aa7036a2b66a

            SHA512

            99ea67c12671e2cd2185f6dc360fee776b0f5e3e984b4130889ba563d1e0293159451de135508cdd6ef5dff86f2f7290a208ac7dfd169d760192339fa94fe1f0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qx0JO7Ga.exe
            Filesize

            590KB

            MD5

            0967c4ca01d4cba8a138452daad2a4b7

            SHA1

            6a9f5a8af4f8fbf4804001cd2eb47b4f27cbe9d2

            SHA256

            b030de41361a5885ed02752bf9b2d11da1af3e778bbcc46a4c6f74976facf89b

            SHA512

            c00a6d9e096ee77ffb4835ad16e1b517ebffad4282db226ed9f0c43f67d8950dd32b54310e0a66aebca1f091e017a885bc0664180673a3fafcc344c5d406f6e0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\OD7gs6lm.exe
            Filesize

            417KB

            MD5

            3445d676db6b3d9d4928cbfdee5ce3be

            SHA1

            fa37bee8ae0d2beeb22d5722648fd296df0decaa

            SHA256

            90cc0eb1b01bca5b36373198fd7c25b5760042a69030929d29fbf03db7eaf894

            SHA512

            a1d0d850f3b2145e3c3c7eb9112bea017e0c760591bb0c192b2437fca3513e5aa046d85360a006704b6ebc43981a03a4ee642172780a00f8dc31f562f1bfdf24

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Ou44cU8.exe
            Filesize

            378KB

            MD5

            f0831f173733de08511f3a0739f278a6

            SHA1

            06dc809d653c5d2c97386084ae13b50a73eb5b60

            SHA256

            8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

            SHA512

            19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2cX813nF.exe
            Filesize

            231KB

            MD5

            d0165cebe4443ac7f5d2b8c85f89f3bd

            SHA1

            5caa5137538f3363cf02188bf59066ca351f5f1b

            SHA256

            22b8bf3184007ff96e992a4b2aa7892b2463c49c9ebea52a21e8a3b774f9014a

            SHA512

            75cbae061efb3a1acbbdf6f5becd9e96e57dd06fec84e22cde1bb735569160935f388899c4f7d0ef39e7cacacb5606f1e691b470823fc24dd5836fc0db0e4343

            Download Submit

          • memory/2216-42-0x0000000000BF0000-0x0000000000C2E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2216-43-0x0000000007EC0000-0x0000000008464000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2216-44-0x00000000079B0000-0x0000000007A42000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2216-45-0x0000000002F00000-0x0000000002F0A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2216-46-0x0000000008A90000-0x00000000090A8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2216-47-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2216-48-0x0000000007BA0000-0x0000000007BB2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2216-49-0x0000000007C00000-0x0000000007C3C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2216-50-0x0000000007C40000-0x0000000007C8C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3876-36-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3876-38-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/3876-35-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download