Overview

overview

10

Static

static

3

02fdf4c910...66.exe

windows10-2004-x64

10

0be251d0ab...8e.exe

windows10-2004-x64

10

0e80ad3a8f...f6.exe

windows10-2004-x64

10

16688c383c...d0.exe

windows10-2004-x64

10

2fad2d07bb...73.exe

windows10-2004-x64

10

2fe920abb6...a6.exe

windows10-2004-x64

10

48143dd10c...4c.exe

windows10-2004-x64

10

4b7ea12db6...e4.exe

windows10-2004-x64

10

52365e9025...44.exe

windows10-2004-x64

10

695cd347d1...6a.exe

windows10-2004-x64

10

87139651e5...22.exe

windows10-2004-x64

10

9e061347f6...86.exe

windows10-2004-x64

10

9ec41d0e12...a4.exe

windows10-2004-x64

10

a68d0534de...a7.exe

windows10-2004-x64

10

b480c9cd31...f3.exe

windows10-2004-x64

10

cf449b541f...5e.exe

windows10-2004-x64

10

d8a34be272...bd.exe

windows10-2004-x64

7

e303858850...2c.exe

windows10-2004-x64

10

feb3084f5c...99.exe

windows10-2004-x64

10

ff0593e795...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe

  • Size

    742KB

  • MD5

    f9a8fb0e8bc08416a56f6abadce7c209

  • SHA1

    237564839550770c1347c3cf62997b953bc438b1

  • SHA256

    9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4

  • SHA512

    d11b6686e901c38c886a140d598cb2037b9c9eb8db8960dba0b17e77255bdcdbae141ba2b9f8c04abea07bc30bae3a776caa82d4e970c7587af5eaced6ea9d75

  • SSDEEP

    12288:GMrwy90oeqm9YLhnjzaA/ZFqIk1WnL1ZGfgXPan44vrYuJvNUuC:OyLex6LhjzaOp5nL1ZQgA9TVvOP

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe
    "C:\Users\Admin\AppData\Local\Temp\9ec41d0e12fb2d169713827f9d9f6aea52f4b75e5343a74b114749220609bda4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ch4SS04.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ch4SS04.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YR3Ih10.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YR3Ih10.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aH22dc8.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aH22dc8.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:5028
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1364
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 580
            5⤵
            • Program crash
            PID:3384
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gq9069.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gq9069.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4808
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2780
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 584
              5⤵
              • Program crash
              PID:4592
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3gD29pv.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3gD29pv.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4268
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Checks SCSI registry key(s)
            PID:1832
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 156
            4⤵
            • Program crash
            PID:2356
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yy799Rl.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yy799Rl.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3624
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:2736
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 148
            3⤵
            • Program crash
            PID:4052
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5028 -ip 5028
        1⤵
          PID:3956
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4808 -ip 4808
          1⤵
            PID:1940
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4268 -ip 4268
            1⤵
              PID:3820
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3624 -ip 3624
              1⤵
                PID:2436

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4yy799Rl.exe
                Filesize

                336KB

                MD5

                a78a95bcd506cfea76978c1cd60f083c

                SHA1

                e9c7f2bf4d4d6a0b3ad3a317de21e3fc07a88ec8

                SHA256

                918382d098156337cb8a4e29ccd26d34bff173c79a42db500874fed67ce5f002

                SHA512

                9abb7e669fc17f84540a54560be50c28c52a6c80203072828352bf93c1a331f7ed8aa34e2475205684368a43cff0ae22a7cd5b230470666e3a8b7983254b60e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ch4SS04.exe
                Filesize

                508KB

                MD5

                b27658884d00d0c579eb4e4626ae87ab

                SHA1

                f8226231b17981df7bbc220d7fa0f03d0ac5ac1a

                SHA256

                a08835ffc09be153086af2f9f90c8cb0df15241e57e28f25a16e2ac3f16974ff

                SHA512

                ff1641592f655b192e4b7a6e51e10278a65e084432775b2e601a9884ec8313c2cf5c7046562634ab888ba834d302e8ada048db0f1f385c635096def36377ddf6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3gD29pv.exe
                Filesize

                145KB

                MD5

                a9415ff452c695bd26c09bce9dc47b22

                SHA1

                4d454798821f79630abe5f0e8ccf0b8142bed80d

                SHA256

                500857910497a811963df7fab4da4f687da985c29f9fc17f563805ba7dc0a8a8

                SHA512

                b60f8389b9e2cb76be65718aa87e2de4a7b66f207e25db775c306638c84b3b808dd84e4f04e058aa680c84d15d3793aeedc015e89524d2ebf73212cda66bdd33

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YR3Ih10.exe
                Filesize

                324KB

                MD5

                74a3000341ae69b3236bc32f710be265

                SHA1

                a55899ae63bd6dfde227637fc2d75e98ff570c4a

                SHA256

                e44b6a948128f7680351db06f1840d037af8e0250ec54ed7cff963a8d357e403

                SHA512

                d801582b29fde1740b688030de4cc43d031cad95f8e9330d1757e69e11ec41b5386b7e344fd8c4cdacbefa2cf1a19f58cb6601182c5bf232d9b4b3cf18c05d54

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1aH22dc8.exe
                Filesize

                129KB

                MD5

                4ed940ea493451635145489ffbdec386

                SHA1

                4b5d0ba229b8ac04f753864c1170da0070673e35

                SHA256

                b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

                SHA512

                8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Gq9069.exe
                Filesize

                295KB

                MD5

                78076d1724db675d80d29a7a3ac4b8f4

                SHA1

                09599a4f261543155fd8e32274ec13b6e8883c89

                SHA256

                17c90d5e7da9af1ed1247078cfbc87904f54bfba87c94965d35e041fb755d036

                SHA512

                ffd90215bb74f51f79658dcb8648440b27b0c33a7c04bc718286f51db4e02cca0ab329a356373bd2edf27f445bcf9bc9d5d280ea5e2e1fbdaa50de02c5f650c3

                Download Submit

              • memory/1364-21-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1832-32-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2736-40-0x0000000008540000-0x0000000008B58000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/2736-36-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/2736-37-0x0000000007970000-0x0000000007F14000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/2736-38-0x00000000073C0000-0x0000000007452000-memory.dmp

                Filesize

                584KB

                Download

              • memory/2736-39-0x0000000001020000-0x000000000102A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2736-41-0x0000000007720000-0x000000000782A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2736-42-0x0000000004EF0000-0x0000000004F02000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2736-43-0x00000000074A0000-0x00000000074DC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2736-44-0x0000000007610000-0x000000000765C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2780-26-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download

              • memory/2780-28-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download

              • memory/2780-25-0x0000000000400000-0x0000000000432000-memory.dmp

                Filesize

                200KB

                Download