Overview

overview

10

Static

static

3

0e266a7216...9f.exe

windows10-2004-x64

10

0fed7be9f1...18.exe

windows10-2004-x64

10

16ac715816...ea.exe

windows10-2004-x64

10

26c470a8b0...9a.exe

windows10-2004-x64

10

2d47818e79...79.exe

windows10-2004-x64

10

2e6c446801...a5.exe

windows7-x64

10

2e6c446801...a5.exe

windows10-2004-x64

10

2f02d9074f...e7.exe

windows10-2004-x64

10

4d1fc94da1...dc.exe

windows10-2004-x64

10

521f6870a3...07.exe

windows10-2004-x64

10

5e01d698ad...d1.exe

windows10-2004-x64

10

7dc4ebbe25...36.exe

windows10-2004-x64

10

862a8f43d1...32.exe

windows10-2004-x64

10

ba494624ee...0c.exe

windows10-2004-x64

10

ba4c5213c0...28.exe

windows10-2004-x64

10

bbfb7f577d...dc.exe

windows10-2004-x64

10

be3d316058...ca.exe

windows10-2004-x64

10

e1d166047d...d0.exe

windows10-2004-x64

10

e56b24cbcd...10.exe

windows10-2004-x64

10

ef4487829b...03.exe

windows10-2004-x64

10

fdbb9a49cd...e7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef4487829bbec1eb751da8fe7227f27dccd52cd7f16d1d5d8bdcd1af42b36903.exe

  • Size

    782KB

  • MD5

    99f433c7c2dea73b9bb35968e439ee4b

  • SHA1

    c0c0ac8833349be06b8689011fe83697167d4aad

  • SHA256

    ef4487829bbec1eb751da8fe7227f27dccd52cd7f16d1d5d8bdcd1af42b36903

  • SHA512

    5d50aba2dcd8f276f6e855506fe35de69ba9aa6993ecb673b9b8eb741576c9ea8f71bffddb29f527743e29e9c1331866e2ed1429da6a149de4898b803af7a1a2

  • SSDEEP

    12288:5Mr/y90EWMGWa4K+Zh6dqf8pJ+0DGQplKkXEFG1+gzXlaJi07IfRMLN:SyHQW8Swm8/SQD3EFG4grlaJPoRM5

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef4487829bbec1eb751da8fe7227f27dccd52cd7f16d1d5d8bdcd1af42b36903.exe
    "C:\Users\Admin\AppData\Local\Temp\ef4487829bbec1eb751da8fe7227f27dccd52cd7f16d1d5d8bdcd1af42b36903.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tq8ih1Og.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tq8ih1Og.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1oA01ud0.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1oA01ud0.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1952
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 540
              5⤵
              • Program crash
              PID:1940
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aO021mb.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aO021mb.exe
          3⤵
          • Executes dropped EXE
          PID:1448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1952 -ip 1952
      1⤵
        PID:4772
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4800

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tq8ih1Og.exe
          Filesize

          581KB

          MD5

          792788a19aef936cbbbcd779f637ebdd

          SHA1

          3f8a86b11d5fa887ea0a5ca56c7545ca2fe90d09

          SHA256

          3d07aca31670722822aaa64de071875ff192c514b937824c1fca0bea2a8f2ca5

          SHA512

          17cdfe55eed14b3404510894fb8972f173cee38d4081e1e12ec9cff52fc445ee407c82dfc8f557a3daffe7b0ca60c2f4f2690ccd504a2fa062edc27dca883abd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1oA01ud0.exe
          Filesize

          1.1MB

          MD5

          6ef68ec5b2d91cbc9c66fa0553e527ec

          SHA1

          8d8ab02a5f2433cf12ba62336e4d774f2bbf21d2

          SHA256

          8ffa8c6bcf0b38b229ac57e8a8eacfad2d27bd2b6ec971af827609bfb919495f

          SHA512

          1a02ccdf3d1be279169bc25eb2a4452be337389b78050811ea4367ca624d5d169c7c7e157a73fe3be13378412e8d94606f41c157b5892cc76c4344ee85d204a6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2aO021mb.exe
          Filesize

          222KB

          MD5

          6ce5b1b4d600c87f2e975f20550e4378

          SHA1

          5e98efcb0192d913e69424e187709e829e900504

          SHA256

          61accbf7fb893486d33dd53b50c38dc7a5d294813c19afa4eb223147b363fab6

          SHA512

          0165e2f22cc3be87911cb0256b2d1197bbdd53f4732ec2e05b443805a19a4f9ff70331061a4fb31197986ca981eda496e08b36224221ac9f89462c7d6146ccb2

          Download Submit

        • memory/1448-27-0x0000000007970000-0x0000000007A7A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1448-22-0x00000000000C0000-0x00000000000FE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1448-23-0x00000000073C0000-0x0000000007964000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1448-24-0x0000000006EB0000-0x0000000006F42000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1448-25-0x0000000007050000-0x000000000705A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1448-26-0x0000000007F90000-0x00000000085A8000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1448-28-0x0000000007260000-0x0000000007272000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1448-29-0x00000000072C0000-0x00000000072FC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1448-30-0x0000000007300000-0x000000000734C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1952-18-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1952-16-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1952-15-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download

        • memory/1952-14-0x0000000000400000-0x0000000000432000-memory.dmp

          Filesize

          200KB

          Download