Overview

overview

10

Static

static

3

0e266a7216...9f.exe

windows10-2004-x64

10

0fed7be9f1...18.exe

windows10-2004-x64

10

16ac715816...ea.exe

windows10-2004-x64

10

26c470a8b0...9a.exe

windows10-2004-x64

10

2d47818e79...79.exe

windows10-2004-x64

10

2e6c446801...a5.exe

windows7-x64

10

2e6c446801...a5.exe

windows10-2004-x64

10

2f02d9074f...e7.exe

windows10-2004-x64

10

4d1fc94da1...dc.exe

windows10-2004-x64

10

521f6870a3...07.exe

windows10-2004-x64

10

5e01d698ad...d1.exe

windows10-2004-x64

10

7dc4ebbe25...36.exe

windows10-2004-x64

10

862a8f43d1...32.exe

windows10-2004-x64

10

ba494624ee...0c.exe

windows10-2004-x64

10

ba4c5213c0...28.exe

windows10-2004-x64

10

bbfb7f577d...dc.exe

windows10-2004-x64

10

be3d316058...ca.exe

windows10-2004-x64

10

e1d166047d...d0.exe

windows10-2004-x64

10

e56b24cbcd...10.exe

windows10-2004-x64

10

ef4487829b...03.exe

windows10-2004-x64

10

fdbb9a49cd...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e56b24cbcd2f2dc78ead0bbfb6d673cbd44be4ae5db1dbbf9a1fdb709103d010.exe

  • Size

    648KB

  • MD5

    ecf0f29a03165f33b04c38290b9a22c3

  • SHA1

    94318cf257afd1eb591aeb32f3d5b5a4e2214de1

  • SHA256

    e56b24cbcd2f2dc78ead0bbfb6d673cbd44be4ae5db1dbbf9a1fdb709103d010

  • SHA512

    ffb836622676672fe8a3c435a47c7f94d55f7d86fb77cc453df6057396c0d9c455a9bd56f54b491fc8c54281b6a100d19dae9fd5e4cc4d881eacb45dc429340f

  • SSDEEP

    12288:qMrzy90WoZD8iKa2aXjdjPwmHbyLwzUxV4K7aHOGnTZSTUEyxK4:JyyZfKqhjPVbyLIeV4LHOSZSYEyxb

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e56b24cbcd2f2dc78ead0bbfb6d673cbd44be4ae5db1dbbf9a1fdb709103d010.exe
    "C:\Users\Admin\AppData\Local\Temp\e56b24cbcd2f2dc78ead0bbfb6d673cbd44be4ae5db1dbbf9a1fdb709103d010.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uL0iR4EH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uL0iR4EH.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kc75SY5.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kc75SY5.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:3828
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 552
              5⤵
              • Program crash
              PID:3688
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 580
            4⤵
            • Program crash
            PID:2280
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zF228xf.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zF228xf.exe
          3⤵
          • Executes dropped EXE
          PID:2572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2788 -ip 2788
      1⤵
        PID:2984
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3828 -ip 3828
        1⤵
          PID:2576
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:8
          1⤵
            PID:2196

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uL0iR4EH.exe
            Filesize

            452KB

            MD5

            a8a125755b381e251977196832f7ead6

            SHA1

            112cfd263c983de7d3b5588250490cb8857e5b40

            SHA256

            84e7be5bd01ca81fa63bec9d50b10848125bdf7df2510eaa66f23577e4d929a6

            SHA512

            0f36e50e5d5c0ad1eb127b4ce22780c37bbc846bb1ba3cfb4a76a89b476dc4bf87ecfdcccbe5eaa0a0bbcff28f620a56d19821d4748e8becd279fdc6256833c5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kc75SY5.exe
            Filesize

            450KB

            MD5

            235fb90276a1f78b6d6251a291ab4ddc

            SHA1

            a9c58e266b41fe77f4360f9cf3a848776d0902ec

            SHA256

            e127f14498e59c5ef3b29b5353c148260096d11f021da05e9d9402bfeb4bf18a

            SHA512

            399b84e1b2aa15fc02b41f83afb97d70f62cb153d7254e71f8033f93f814520b390d55873d17ad763856f8a3ecfc2db84618145b52fcd15c37b627605aca9999

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zF228xf.exe
            Filesize

            221KB

            MD5

            45232ffeb261758e06f951c5654a1552

            SHA1

            414240f266cb4c8e3255c1626000382d52a7f510

            SHA256

            42ce9b5d2650c5b64280c74c8588dcd4fab035e6e98d8726a382aaa72800c83f

            SHA512

            bd76db5ca10ea22c9ad7ee9bb8d52cef6705261f82f478db5c5b807bef57f458c0d234214897478f7497ccdcf813b754babc337f17b9d65e46fcc517376c2bac

            Download Submit
          • memory/2572-27-0x0000000007100000-0x000000000720A000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2572-22-0x0000000000070000-0x00000000000AE000-memory.dmp
            Filesize

            248KB

            Download
          • memory/2572-23-0x0000000007370000-0x0000000007914000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/2572-24-0x0000000006E60000-0x0000000006EF2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2572-25-0x00000000043E0000-0x00000000043EA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2572-26-0x0000000007F40000-0x0000000008558000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/2572-28-0x0000000007030000-0x0000000007042000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2572-29-0x0000000007090000-0x00000000070CC000-memory.dmp
            Filesize

            240KB

            Download
          • memory/2572-30-0x0000000007210000-0x000000000725C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/3828-18-0x0000000000400000-0x0000000000433000-memory.dmp
            Filesize

            204KB

            Download
          • memory/3828-17-0x0000000000400000-0x0000000000433000-memory.dmp
            Filesize

            204KB

            Download
          • memory/3828-15-0x0000000000400000-0x0000000000433000-memory.dmp
            Filesize

            204KB

            Download
          • memory/3828-14-0x0000000000400000-0x0000000000433000-memory.dmp
            Filesize

            204KB

            Download