Overview

overview

10

Static

static

3

0e266a7216...9f.exe

windows10-2004-x64

10

0fed7be9f1...18.exe

windows10-2004-x64

10

16ac715816...ea.exe

windows10-2004-x64

10

26c470a8b0...9a.exe

windows10-2004-x64

10

2d47818e79...79.exe

windows10-2004-x64

10

2e6c446801...a5.exe

windows7-x64

10

2e6c446801...a5.exe

windows10-2004-x64

10

2f02d9074f...e7.exe

windows10-2004-x64

10

4d1fc94da1...dc.exe

windows10-2004-x64

10

521f6870a3...07.exe

windows10-2004-x64

10

5e01d698ad...d1.exe

windows10-2004-x64

10

7dc4ebbe25...36.exe

windows10-2004-x64

10

862a8f43d1...32.exe

windows10-2004-x64

10

ba494624ee...0c.exe

windows10-2004-x64

10

ba4c5213c0...28.exe

windows10-2004-x64

10

bbfb7f577d...dc.exe

windows10-2004-x64

10

be3d316058...ca.exe

windows10-2004-x64

10

e1d166047d...d0.exe

windows10-2004-x64

10

e56b24cbcd...10.exe

windows10-2004-x64

10

ef4487829b...03.exe

windows10-2004-x64

10

fdbb9a49cd...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbfb7f577d81fe47e80446b1eb11e1623a98b25decf06d6089302a7f9aa51adc.exe

  • Size

    1005KB

  • MD5

    887963b609c75fab94a3090c952dce34

  • SHA1

    4c985683f9c4e0d903330d944df6e71e5c378345

  • SHA256

    bbfb7f577d81fe47e80446b1eb11e1623a98b25decf06d6089302a7f9aa51adc

  • SHA512

    15f4fea1aaaeda4dbaa2e2a2a643d44b02264a1e7a45cae05ca0ecc947d9965398d82955b49f52703fbb58d9fec7beb50c2e1337c19239b26cd7e047ba0f0bfe

  • SSDEEP

    24576:ZyExiSehVkMuwYVH9DuD9lT3/8AO7klDe:MExiSe//uw49DuT3/8AD

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbfb7f577d81fe47e80446b1eb11e1623a98b25decf06d6089302a7f9aa51adc.exe
    "C:\Users\Admin\AppData\Local\Temp\bbfb7f577d81fe47e80446b1eb11e1623a98b25decf06d6089302a7f9aa51adc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fY5kt7iT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fY5kt7iT.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sk4Lv9ZT.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sk4Lv9ZT.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dW3jG3ML.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dW3jG3ML.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1632
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1gJ52jb8.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1gJ52jb8.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:952
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
                PID:2712
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 584
                6⤵
                • Program crash
                PID:1560
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2VT835xH.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2VT835xH.exe
              5⤵
              • Executes dropped EXE
              PID:4288
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 952 -ip 952
      1⤵
        PID:840

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fY5kt7iT.exe
        Filesize

        816KB

        MD5

        14e04c8f8a4e0a272f1367ea38cc9168

        SHA1

        412ba08423c17314a12dd845d9dc82e4d0d3125c

        SHA256

        1f55f132584e385349eeb62933f500fc78a415f1074778dfe2a11b6d30e5b03b

        SHA512

        af097a7aa6953a6dc842a39534426e4eb69b4c3e2e13bb300bd9a08ecd3ebf697344a27b08b8f46d599725017efe3511afdca511b6abd41b1c696ade8b19908c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Sk4Lv9ZT.exe
        Filesize

        583KB

        MD5

        6dc75a240b0a1726a2b19c8db68315e5

        SHA1

        4c59b7d6eb26ba8a0136ab06431755bd74e3a7cd

        SHA256

        0139c114891e09fc31afa4b386445c7c9c1158c88d228899285b7d9e8f65b558

        SHA512

        96dcc37f184dea339da5b864da59da2df520d43fa10840a645d160822b149a74249d2ad305704748a8662dc18529c149e69518eba937caaf29270a4fcaa0c8e8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dW3jG3ML.exe
        Filesize

        381KB

        MD5

        4ed908bf061305cdfa1bd61bf00631d7

        SHA1

        b86fc5affd86a3c9981721ac66297c464cecccaf

        SHA256

        a79b45a7ed9162883dd546bd173daaac10484c91ef9735a86d1ac03fed724aaf

        SHA512

        b5922f4496418ee459a37ecfa5bfca2486e83b95e071e592cec39929d27063f6963a0e48f8b0da90ee4ef6bc213a2084fb938b9e12e11552026b6ad2f288b728

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1gJ52jb8.exe
        Filesize

        295KB

        MD5

        c52ab0e3e6d74d251f86f11517e49b0d

        SHA1

        36bb9d1326e883e9ce7ddc62560246500ecf95d8

        SHA256

        ed9f3989866969b858a9f5b5ac6bcdfa2d54c21dda48446516a97d44d2b0adac

        SHA512

        84b25791aa36ffe78b39aa02f99dd69bb25a6381b42482cef407b69e2102ce5e102afedb43b4a96960fbe47857b7c9c1cccf4013011b8cc55ea262cc6098079c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2VT835xH.exe
        Filesize

        222KB

        MD5

        cc804a898eef4fc35bd66f7275c629cd

        SHA1

        6398a6e8dbd017caa11a708aa77534e8894502b9

        SHA256

        ca2217c18d5a33b3b8ac0d088360bfbff72a00dd866860e35b4dfd40ff394b17

        SHA512

        4542a1a95cc17267a09a53ffb5fa86fc32a207266278cb4c63ac12a69308d55eb7a9335633884ac4b1ba4f83c8167719332fbb87ae631c6be7b6de62c1b68015

        Download Submit

      • memory/2712-28-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2712-31-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2712-29-0x0000000000400000-0x0000000000432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4288-35-0x0000000000560000-0x000000000059E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/4288-36-0x00000000079A0000-0x0000000007F44000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4288-37-0x0000000007490000-0x0000000007522000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4288-38-0x00000000029B0000-0x00000000029BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4288-39-0x0000000008570000-0x0000000008B88000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4288-40-0x0000000007780000-0x000000000788A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4288-41-0x0000000007670000-0x0000000007682000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4288-42-0x00000000076D0000-0x000000000770C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4288-43-0x0000000007710000-0x000000000775C000-memory.dmp

        Filesize

        304KB

        Download