Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 17:46
General
-
Target
aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe
-
Size
1.3MB
-
MD5
1da52a515fcdb048ad76d7864464cfb0
-
SHA1
e473f6794205d1deb62b752a3fc6ab1ee2b117ae
-
SHA256
aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6
-
SHA512
a2b3123a6f2693a9d5ebff9c23949cdd342ddf34e534c88a99e5e178cbb35d2e20e7dc79d61b2ededbde0a65bb04f06a4ef363842d60e06f05b8b2b92f581d40
-
SSDEEP
24576:HyDpyG2BdeCmEa6MW0uUCfd5J45NAxLzlN/8C5Z23cHYKWKMxHbE1X9lr4:SmYCfMWDUskNoXM534YqMuB
Malware Config
Extracted
redline
trush
77.91.124.82:19071
-
auth_value
c13814867cde8193679cd0cad2d774be
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 8 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe"C:\Users\Admin\AppData\Local\Temp\aaf88983ad022d086513c9772cb520815581005e78de7f2ea63f2135933d34f6.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1486⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 6125⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 1484⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1212 -ip 12121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4744 -ip 47441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1000 -ip 10001⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8864796.exeFilesize
17KB
MD5de9367f72e48f43edc2f1979ace7a2bc
SHA15219e61d941a421315e32eabc7ac9c3944f80181
SHA256c7b26d2ebb210eca38eed90eefe474b254f53dca6496fd044a87ccfe7bbe6c86
SHA5127a3d286cae4bb3816dd1af0bb46ea6591568c28ca8cee0eb5aeb1caafb6886476183159041d367201077d8ab2d22be827af5e95ca39eedb457e01ba9be4c768e
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5832951.exeFilesize
1.2MB
MD5eb4f12e3eb5a61a3cc43c606b04e85fb
SHA12955eac7466e41dfb9d70ccb708eab600b1b2d9a
SHA256be58893697215a2384e1b6d915971e46a6506757718ff8d92be24e4c043f119e
SHA51282ee482088c38ca825ce89a41a10fa17be3664a8856f2897a7588a4d2e69030b19bc7003062599158c988d890308688dd2ed82a41b70aafaf51a67f17b2146c8
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4457621.exeFilesize
1.0MB
MD51b30e2b46651a132dce68651e98312de
SHA1f98fe544db67756111c5f49dfce5ee748a933c61
SHA2561374fb694ed022d7cc221b2bdab447cb28368914ad2e0715c663de26001fe541
SHA512bba3099f9d12ba4f1e5c2513bb2cbb918b170e678f536ad21f6e8e7f127cc35082a2394957d4d3c7311a80b56c59c3c0ee1db158fac4f79e1f60bd5bb84b3ffb
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2254232.exeFilesize
835KB
MD577da02fd3836daf3a716b5f15188c8a6
SHA1644abdb953e857a803ad5d7edc9a2f25949cac92
SHA25601888d19433a22cf8d9fb00c2617568e9423878c9a189e2f8fc8ea51b70a90ab
SHA512ae9a1a729178db70ea86ae355f0be777d94f7390473aad2fd5afc4971fbc7198e5a76391b6f406861648c29654855195134bcfdc67f593ef7e372b81def622e1
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5470569.exeFilesize
884KB
MD5f9ebf61a1a4bfd8251d830ce1959b4a3
SHA1b13e8f00d0438f8304c6c1da3549977e0803287e
SHA25620a34a5b3ea0182f831dbc7b48ea03223daeb2afdd3540fcaef6cca6fe2972b9
SHA51200c336e2de833be8d227994644cd2cbcf665d7f36aa93de0647ddc67bb5a80098aadc902ac71d0953dccae2bfb109ec1a6e0d581949833a9346331a3ed732db8
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8380457.exeFilesize
475KB
MD58414aa5388c54ecc9045c0fc78b7b3bd
SHA18ca702c68c1b6dd02e8f4759e13e102e91ea23eb
SHA2568bbd0f18ff7becb8601892364ac8a96951b915493898de58e5e9b43c906c814a
SHA5126469e5953798db16ac294588b0febc10af3af74c2fadd006cf6920cc993a6bec77cb91e416f551598671fedf13587550f33600342e18dafa56e838aaa60cbc2c
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a6776859.exeFilesize
11KB
MD540366aa5d4e7524ca65f8188a6c13b2e
SHA1b5d52afb53bb31d7aea23bd1c89b98820ab8e329
SHA256f34d4e4cb5012c143d25055a9b7a899ddbfbd5e88c6fb3979bb382a3f5b1b69b
SHA5127bffbd6f30f4b0b15cd4e27152e6ec46ad3efc25e3b47318d3e893f6ec7f2336107e03d091660c660e79844e5b49d804b993093b7bd09c726a21d4ff37c977a3
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4942427.exeFilesize
1.0MB
MD5fc4c90f9a7556f7f9d380000559aa293
SHA1c558b17befdd5747afe5552ff0676f15299efe44
SHA2565d2f8086eaf672566d2b7950b0681773ba7568b742e4d6c05657af9192b103ac
SHA512f4f9ef3694fef80e5702d1a97b8bd6d335c6042998ad51267c67a13b40901613001971d9b0379e0ae8da7f47808db7ca7d617d04979b0d9cd551383c5f6f8082
-
memory/1036-49-0x000000000B400000-0x000000000BA18000-memory.dmpFilesize
6.1MB
-
memory/1036-44-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1036-45-0x0000000003240000-0x0000000003246000-memory.dmpFilesize
24KB
-
memory/1036-50-0x000000000AEF0000-0x000000000AFFA000-memory.dmpFilesize
1.0MB
-
memory/1036-51-0x000000000AE00000-0x000000000AE12000-memory.dmpFilesize
72KB
-
memory/1036-52-0x000000000AE60000-0x000000000AE9C000-memory.dmpFilesize
240KB
-
memory/1036-53-0x00000000053A0000-0x00000000053EC000-memory.dmpFilesize
304KB
-
memory/1164-28-0x00000000000F0000-0x00000000000FA000-memory.dmpFilesize
40KB
-
memory/2780-36-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2780-34-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/2780-33-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3860-40-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB