Overview

overview

10

Static

static

3

02fdf4c910...66.exe

windows10-2004-x64

10

0be251d0ab...8e.exe

windows10-2004-x64

10

0e80ad3a8f...f6.exe

windows10-2004-x64

10

16688c383c...d0.exe

windows10-2004-x64

10

2fad2d07bb...73.exe

windows10-2004-x64

10

2fe920abb6...a6.exe

windows10-2004-x64

10

48143dd10c...4c.exe

windows10-2004-x64

10

4b7ea12db6...e4.exe

windows10-2004-x64

10

52365e9025...44.exe

windows10-2004-x64

10

695cd347d1...6a.exe

windows10-2004-x64

10

87139651e5...22.exe

windows10-2004-x64

10

9e061347f6...86.exe

windows10-2004-x64

10

9ec41d0e12...a4.exe

windows10-2004-x64

10

a68d0534de...a7.exe

windows10-2004-x64

10

b480c9cd31...f3.exe

windows10-2004-x64

10

cf449b541f...5e.exe

windows10-2004-x64

10

d8a34be272...bd.exe

windows10-2004-x64

7

e303858850...2c.exe

windows10-2004-x64

10

feb3084f5c...99.exe

windows10-2004-x64

10

ff0593e795...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7.exe

  • Size

    382KB

  • MD5

    9e5ad5eeb4977f30c2e8f627ba872e8b

  • SHA1

    aa80020c366200674cf0d1e7fb5c6bedabd4b4f6

  • SHA256

    a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7

  • SHA512

    d63fcff0e2745681fe01bb7a426828bfb6483135f7119582c36cc8a3279e9d8a7cd91c9c4e337624269d84a24d15dbbfc8dea2841af51c080bc36d8003abd41c

  • SSDEEP

    6144:KPy+bnr+Xp0yN90QEZgrMOM84oh7731r8xTughvpXMWDRS4h3J9lXXn1Sd:hMr3y90fE9xB7314rvpXhRd33tXn1C

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7.exe
    "C:\Users\Admin\AppData\Local\Temp\a68d0534deb0e389e03aa786911c769caba8ce5acc03a27e3cfadf2a704811a7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1kY20cx0.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1kY20cx0.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:2444
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 556
            4⤵
            • Program crash
            PID:4900
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 152
          3⤵
          • Program crash
          PID:3312
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD438XK.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD438XK.exe
        2⤵
        • Executes dropped EXE
        PID:428
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2444 -ip 2444
      1⤵
        PID:3572
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 540 -ip 540
        1⤵
          PID:1520

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1kY20cx0.exe
          Filesize

          295KB

          MD5

          542b4a3030dfa0a861ba6f782d6a6d0a

          SHA1

          ca71dbaac51113c3a6e77f04da2cf80af02b8905

          SHA256

          64844b2cdddd028c9f44f65658aa599cc805e33583e9da6a13decb55f5233fa6

          SHA512

          305c5073d28cb5fa0b85cba10ff854f81e51b4be194108b3dfc2a924811f3ec2889b69eaf24a4757a28de1f9d534edb2e5093384543a0c35fad9b06c6ad8e0ff

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ZD438XK.exe
          Filesize

          222KB

          MD5

          9e5d54b37258affcaebea16eb6ddf8ce

          SHA1

          10698f249c1f60c06c437b00d841d1b2edf059c2

          SHA256

          246611f5c315dc21351ef2030a8a8fad5e8662896ebdf690d2ea039ceb895440

          SHA512

          5982a3bba80bec8bd0d842a20657ab048eff14d8edc015994ebfd8e6157dee49a731f5a3d84d1ae4c54e9701d8174d67107a01acdc74bf4ae9f413c43602d9be

          Download Submit
        • memory/428-21-0x00000000087C0000-0x0000000008DD8000-memory.dmp
          Filesize

          6.1MB

          Download
        • memory/428-20-0x0000000074820000-0x0000000074FD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/428-27-0x0000000074820000-0x0000000074FD0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/428-26-0x000000007482E000-0x000000007482F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/428-15-0x000000007482E000-0x000000007482F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/428-16-0x0000000000970000-0x00000000009AE000-memory.dmp
          Filesize

          248KB

          Download
        • memory/428-17-0x0000000007BF0000-0x0000000008194000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/428-18-0x0000000007730000-0x00000000077C2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/428-19-0x0000000004D10000-0x0000000004D1A000-memory.dmp
          Filesize

          40KB

          Download
        • memory/428-25-0x00000000079D0000-0x0000000007A1C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/428-24-0x0000000007990000-0x00000000079CC000-memory.dmp
          Filesize

          240KB

          Download
        • memory/428-22-0x0000000007A40000-0x0000000007B4A000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/428-23-0x0000000007930000-0x0000000007942000-memory.dmp
          Filesize

          72KB

          Download
        • memory/2444-7-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/2444-11-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/2444-8-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download
        • memory/2444-9-0x0000000000400000-0x0000000000432000-memory.dmp
          Filesize

          200KB

          Download