Overview

overview

10

Static

static

3

04a87b8f05...aa.exe

windows10-2004-x64

10

114af5c13b...fd.exe

windows10-2004-x64

10

1e8dd381c7...01.exe

windows10-2004-x64

10

22e22c4ac4...b8.exe

windows10-2004-x64

10

2539ef3c9e...7a.exe

windows10-2004-x64

10

28e3223b75...cb.exe

windows10-2004-x64

10

2a370f0b1b...d2.exe

windows10-2004-x64

10

312eee3369...2a.exe

windows10-2004-x64

10

49fe85c527...13.exe

windows10-2004-x64

10

5b3b69df98...46.exe

windows10-2004-x64

10

73935ea9dd...cf.exe

windows10-2004-x64

10

7afbfc55db...35.exe

windows10-2004-x64

10

7b920ad0a6...fd.exe

windows10-2004-x64

10

867a7ac357...10.exe

windows10-2004-x64

10

a69474bf18...5d.exe

windows10-2004-x64

10

c1509297f2...7d.exe

windows10-2004-x64

10

c1821fe13b...86.exe

windows10-2004-x64

10

d431e54eb0...f6.exe

windows10-2004-x64

10

e0e0fe767a...79.exe

windows10-2004-x64

10

f1372b1a09...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe

  • Size

    747KB

  • MD5

    c433de9c0a0f7a20b28cf2b91f09db49

  • SHA1

    a428304a4fdde5954e04ad84e432857a9da0d4a8

  • SHA256

    73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf

  • SHA512

    641050f74b611c3b566290f4f466ea08f26145a3956ac2881b131635151b60caa70e6406642beaa864b273d8e812d6bf9e0781bad15c57c0c076165bc9cfeda5

  • SSDEEP

    12288:6MrAy90F1LOzr6fDc67Zi2XabPD7z01KHlrdM3w1p2w73S1C+OMg7N5t9e:WyWk+r7Zi2ayKHvGo73S1C+OMEfe

Score
10/10
mysticredlinefrantevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

frant

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe
    "C:\Users\Admin\AppData\Local\Temp\73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\df8Rb23.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\df8Rb23.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1BH01Qb3.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1BH01Qb3.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eA44rQ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eA44rQ.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:4500
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 152
            4⤵
            • Program crash
            PID:1756
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QD8902.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QD8902.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1400
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:2444
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 152
            3⤵
            • Program crash
            PID:1960
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2620 -ip 2620
        1⤵
          PID:1824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1400 -ip 1400
          1⤵
            PID:1176
          • C:\Windows\system32\sc.exe
            C:\Windows\system32\sc.exe start wuauserv
            1⤵
            • Launches sc.exe
            PID:2744

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3QD8902.exe
            Filesize

            459KB

            MD5

            a38ce3e2dc246d8e40f95186737c588f

            SHA1

            87eb3f865fdd506f345d1d586f4d8c4d490f669a

            SHA256

            c42efcd5f53c75f36a6ed5c8f8be82359b848285ffb0fc5acc12fbd625c7028e

            SHA512

            9b6dec7f0eaae988f522ec927e0082dd03ead7605387c52d6184ee899154c85e9f180622b7ca32377a9e9a0b1972e24131e0a47e2b27797c55736b25261d27c9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\df8Rb23.exe
            Filesize

            452KB

            MD5

            157072cd36de9231a92dd0e5381e7b38

            SHA1

            cba43a3e1887d5d4ae4a598ca559632aabf7ba74

            SHA256

            31c4e83d28c94e0693560e7ad3b97f8ceb8f37f71d78176601df6289970ac372

            SHA512

            91dd600f665035d17508ff06df992026e4d4dbe0b0d8c1fe23ff29d9d248e92f0f6b715ba2d1712d0c8bdeb226ff4168132f40316c5e307d42c58a083b35dabf

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1BH01Qb3.exe
            Filesize

            192KB

            MD5

            8904f85abd522c7d0cb5789d9583ccff

            SHA1

            5b34d8595b37c9e1fb9682b06dc5228efe07f0c6

            SHA256

            7624b62fe97c8e370c82bc86f69c2f627328e701ce1f3d9bed92a1e5fe11fd7f

            SHA512

            04dd0c4e612b6287af6a655425085d687538d756dcd639ecb6c62bcdafddde52c56ae305a6240ee1329a95d9cc59dee6de5000d273a5a560ad1adc3284e00e12

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2eA44rQ.exe
            Filesize

            378KB

            MD5

            f0831f173733de08511f3a0739f278a6

            SHA1

            06dc809d653c5d2c97386084ae13b50a73eb5b60

            SHA256

            8b00f9dce8ceb2123fba3bc9f88419960d1e661b6287eafeba4f0a2ee4be3d27

            SHA512

            19e3176ce1f154758f685cc4582e93587aa534a251de315473e35758dcd6ff6315880be7602097308dc89c355742be4729bad81de597e8d430a8e868082314e3

            Download Submit

          • memory/932-30-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-24-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-18-0x0000000004990000-0x00000000049AC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/932-19-0x0000000073CE0000-0x0000000074490000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/932-20-0x0000000073CE0000-0x0000000074490000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/932-46-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-48-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-44-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-42-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-40-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-38-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-36-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-34-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-32-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-16-0x0000000004AE0000-0x0000000005084000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/932-28-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-26-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-17-0x0000000073CE0000-0x0000000074490000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/932-22-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-21-0x0000000004990000-0x00000000049A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/932-50-0x0000000073CE0000-0x0000000074490000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/932-15-0x00000000022D0000-0x00000000022EE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/932-14-0x0000000073CEE000-0x0000000073CEF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2444-61-0x0000000000400000-0x000000000043E000-memory.dmp

            Filesize

            248KB

            Download

          • memory/2444-62-0x00000000072F0000-0x0000000007382000-memory.dmp

            Filesize

            584KB

            Download

          • memory/2444-63-0x00000000025A0000-0x00000000025AA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2444-64-0x0000000008390000-0x00000000089A8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2444-65-0x0000000007650000-0x000000000775A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2444-66-0x00000000074B0000-0x00000000074C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2444-67-0x0000000007540000-0x000000000757C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2444-68-0x00000000074D0000-0x000000000751C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/4500-57-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/4500-55-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download

          • memory/4500-54-0x0000000000400000-0x0000000000428000-memory.dmp

            Filesize

            160KB

            Download