Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 17:43
Static task: static1

Behavioral tasks (task: sample, resource)
- behavioral1: 04a87b8f058d7530d2e2d860d9792e27ac4a33a3865644f618340a1614a011aa.exe, win10v2004-20240508-en
- behavioral2: 114af5c13b66325340fcc0e38e22cb3c0a2f713ad1346010b0a9fc80f025e1fd.exe, win10v2004-20240508-en
- behavioral3: 1e8dd381c7b2d8b87f2596a2bfbccc3c813d8571fdbe788e678c3a733a5cae01.exe, win10v2004-20240508-en
- behavioral4: 22e22c4ac4de60508d13a9152534da8f1fe27d387785252b3e90c5daa1939eb8.exe, win10v2004-20240508-en
- behavioral5: 2539ef3c9ef568b60de04a70266f168cf5565fa88027d7d88812aed2417d527a.exe, win10v2004-20240426-en
- behavioral6: 28e3223b75032745af45a606afdbd1788365c7af9b20cc01d5892478c17d91cb.exe, win10v2004-20240508-en
- behavioral7: 2a370f0b1b44ffdfd5105d8de5cdb127afee410219b503b0620c23343a163ad2.exe, win10v2004-20240508-en
- behavioral8: 312eee33696f223c1d77f63d4f4fa6692b492a19e1815f424ea276db2dfa312a.exe, win10v2004-20240226-en
- behavioral9: 49fe85c527d85f575f10ffaacbea94923608dbe00ee181347f30f31686a10513.exe, win10v2004-20240508-en
- behavioral10: 5b3b69df98aea93f199289802070d29f0815829817936cfd60b3b627e0d20146.exe, win10v2004-20240426-en
- behavioral11: 73935ea9dd223123d7d2e2b97d297ba24e82bd39f8b4e6004027a7cc1b07ffcf.exe, win10v2004-20240508-en
- behavioral12: 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe, win10v2004-20240508-en
- behavioral13: 7b920ad0a6eced7be30fccab39067587eeb4a839174adbe7371d2a0ebb0206fd.exe, win10v2004-20240426-en
- behavioral14: 867a7ac357adfff48d6fc2820efa7db93b3c2303fa2c5f2570c1760004b2a310.exe, win10v2004-20240426-en
- behavioral15: a69474bf18a7cca7eda490dd3a0e3f56de60989fbd935adbc91521cc640dd35d.exe, win10v2004-20240426-en
- behavioral16: c1509297f254a9c327f8d2f138ec5907931f396cedb4bb4796c5057e78cda87d.exe, win10v2004-20240508-en
- behavioral17: c1821fe13b3b9c1fc3fe603dfd3668b199fd7d6f671e0f72b8a9fff5a38fd286.exe, win10v2004-20240508-en
- behavioral18: d431e54eb05e1ec91d96e56b56b50a6e510a259b69f7c5c8254a8954192e94f6.exe, win10v2004-20240426-en
- behavioral19: e0e0fe767a4d28c22c9164941b937ca32139dda9a5ac00b380e14f39f0bc2e79.exe, win10v2004-20240508-en
- behavioral20: f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe, win10v2004-20240426-en
General
- Target: 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe
- Size: 1020KB
- MD5: c22be85e25cdfff5b49395163111b939
- SHA1: ca927b4b317b9671899f23fb87acad746302abfb
- SHA256: 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35
- SHA512: 4d26b98249b0bb8fafc761cd8478ce610dba4acdc1e7a7ff5c390244fd32d94a7266b765c467604091bc7911c61f592a8b7666777ef1d2fcd7b0d8c0e35edf68
- SSDEEP: 24576:gysH7/U6YsGdqw8AkzzXSQ//aZJpdmmzlEoBNi8yRYr1:nsb/U6YsDw8bSGIpdm4lRy6
Malware Config (extracted)
- Family: redline
- Botnet: magia
- C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (3 IoCs)
resource | yara_rule
behavioral12/memory/636-56-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral12/memory/636-57-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
behavioral12/memory/636-59-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1cP61qo2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1cP61qo2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1cP61qo2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1cP61qo2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 1cP61qo2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1cP61qo2.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource | yara_rule
behavioral12/memory/768-67-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (6 IoCs)
pid | Process
2480 | tn8ZL16.exe
2696 | yz7JL76.exe
4624 | 1cP61qo2.exe
1660 | 2pJ9867.exe
3788 | 3pP83Ne.exe
2732 | 4ni653aC.exe

Windows security modification (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 1cP61qo2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1cP61qo2.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | tn8ZL16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | yz7JL76.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1660 set thread context of 636 | 1660 | 2pJ9867.exe | 97
PID 3788 set thread context of 3080 | 3788 | 3pP83Ne.exe | 102
PID 2732 set thread context of 768 | 2732 | 4ni653aC.exe | 110

Program crash (3 IoCs)
pid | pid_target | Process | procid_target
5024 | 1660 | WerFault.exe | 96
1352 | 3788 | WerFault.exe | 101
4536 | 2732 | WerFault.exe | 105

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4624 | 1cP61qo2.exe
4624 | 1cP61qo2.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 4624 | 1cP61qo2.exe

Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | Process | procid_target | count
PID 3012 wrote to memory of 2480 | 3012 | 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe | 84 | 3
PID 2480 wrote to memory of 2696 | 2480 | tn8ZL16.exe | 85 | 3
PID 2696 wrote to memory of 4624 | 2696 | yz7JL76.exe | 86 | 3
PID 2696 wrote to memory of 1660 | 2696 | yz7JL76.exe | 96 | 3
PID 1660 wrote to memory of 636 | 1660 | 2pJ9867.exe | 97 | 10
PID 2480 wrote to memory of 3788 | 2480 | tn8ZL16.exe | 101 | 3
PID 3788 wrote to memory of 3080 | 3788 | 3pP83Ne.exe | 102 | 6
PID 3012 wrote to memory of 2732 | 3012 | 7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe | 105 | 3
PID 2732 wrote to memory of 3332 | 2732 | 4ni653aC.exe | 106 | 3
PID 2732 wrote to memory of 828 | 2732 | 4ni653aC.exe | 107 | 3
PID 2732 wrote to memory of 3384 | 2732 | 4ni653aC.exe | 108 | 3
PID 2732 wrote to memory of 1188 | 2732 | 4ni653aC.exe | 109 | 3
PID 2732 wrote to memory of 768 | 2732 | 4ni653aC.exe | 110 | 8
Processes (tree nested by parent; each entry lists the image path, the observed command line, the PID and the signatures hit)

1. C:\Users\Admin\AppData\Local\Temp\7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7afbfc55db219ad6f0335344f7e4d1119a281a9e98656ca51496a2ccedc75d35.exe"
   PID: 3012
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
  1.1. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn8ZL16.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tn8ZL16.exe
     PID: 2480
     - Executes dropped EXE
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
    1.1.1. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yz7JL76.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yz7JL76.exe
       PID: 2696
       - Executes dropped EXE
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory
      1.1.1.1. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cP61qo2.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cP61qo2.exe
         PID: 4624
         - Modifies Windows Defender Real-time Protection settings
         - Executes dropped EXE
         - Windows security modification
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      1.1.1.2. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pJ9867.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pJ9867.exe
         PID: 1660
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
        1.1.1.2.1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
           Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
           PID: 636
        1.1.1.2.2. C:\Windows\SysWOW64\WerFault.exe
           Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 200
           PID: 5024
           - Program crash
    1.1.2. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3pP83Ne.exe
       Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3pP83Ne.exe
       PID: 3788
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
      1.1.2.1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
         PID: 3080
         - Checks SCSI registry key(s)
      1.1.2.2. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 596
         PID: 1352
         - Program crash
  1.2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ni653aC.exe
     Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4ni653aC.exe
     PID: 2732
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
    1.2.1. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
       Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
       PID: 3332
    1.2.2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
       Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
       PID: 828
    1.2.3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
       Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
       PID: 3384
    1.2.4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
       Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
       PID: 1188
    1.2.5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
       Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
       PID: 768
    1.2.6. C:\Windows\SysWOW64\WerFault.exe
       Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 588
       PID: 4536
       - Program crash
2. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1660 -ip 1660
   PID: 508
3. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3788 -ip 3788
   PID: 3096
4. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2732 -ip 2732
   PID: 2484
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 462KB
  MD5: 174693c48b92b043b56e3b4d39ebad7c
  SHA1: d0c14c93948e40a678547b46368cc1a899c6fc5b
  SHA256: 42fe15c6fa6071faad97b3f1ce7977c8c6be241915fe92186e59eae257362451
  SHA512: 3d37a4775000d2a8d520954777a4c106545dbbc4fc0bd8b0fbec59f1acac2cd9aa4f28a930b970e40e4373dd1d5c529642b0ab900b4af54e6067577a8b1f19fb

- Filesize: 725KB
  MD5: ec542cebd2c84750e6f3f56557f278e2
  SHA1: c370c9b1c0a658a954e99359a7729d319ca92b5b
  SHA256: 0318f83928e5e3f72b5bba84d08188caeabf37779f60149377c5fdbc0570ff30
  SHA512: e0fca122db9aa177e856eccce8e937b769959ba97b8d1eab22f432225c5df0ec2bd751766bea054dc45b2bec12668bb0e84e5c9d4f7d17b47a65d02d5aaa19ed

- Filesize: 271KB
  MD5: 3b497c95b0bac91eef71e274ee3d6ffe
  SHA1: 99edf776fc089b1bcd141dfbfd4efbd032c9b52d
  SHA256: 42705bdaea79a3f15b61b44edba486dc2317bc4e20efc8ed8a257a7493614cf3
  SHA512: cf84086cbb4719f7ec9c2177705c1ac3f8f3e90b2d611ef1d3e6edc16db0b97ab7126f0525daa6fd535067a22ea0f9da7a64c6372900362b297f3b0b066a567e

- Filesize: 479KB
  MD5: cb388fa3f7f5b8512054d67d4ce95457
  SHA1: 8374bc892a6d50bfe5e7fde9e007de67adc4bc23
  SHA256: ff88ed6470f90d070b6fbe50a585283b52ce07617d77256ddd7ebb6e21f74586
  SHA512: 561632b7aa9f1ee9d2deea077b4250046b3378358d642e5302831a43afa88499df7fef70aa188f83eadb64bd4cc67af13698693bd38299862bd20958311a2fb7

- Filesize: 194KB
  MD5: 35d718538c3e1346cb4fcf54aaa0f141
  SHA1: 234c0aa0465c27c190a83936e8e3aa3c4b991224
  SHA256: 97e62bfa90aca06c595fb150e36f56b4a285f58cc072b8c458ae79805523fc36
  SHA512: 4bcf5cabe93ec54608ccb95d80822f411bb32c2746be609873a493045913fb53e0a953e75f82dfe620d661f049437da7a70d34995dc915bb0b09426e97f0aec3

- Filesize: 423KB
  MD5: dac14faabaeb1102198b735e979ca06c
  SHA1: edbd52a612f27123d6e780a11191c3617f7ebe29
  SHA256: 05d8455fc78df1631db55fa8f14b979c106082037602bb35de9feae662f65c8f
  SHA512: 437856b18f90a3c6524b8c62444d2d432c2f233371edaddd42d4ba5ab7980d29a39088fba94897a28767fc293a6307e14c6c037c505177e30e90a59a8dc27f05