Overview
overview
10Static
static
33f631a363d...63.exe
windows10-2004-x64
10498a26c182...6f.exe
windows10-2004-x64
104b34c552db...dd.exe
windows10-2004-x64
10532834d8ce...8e.exe
windows10-2004-x64
105896992807...ed.exe
windows10-2004-x64
1059c0083cd8...df.exe
windows10-2004-x64
106fc46cbdbb...5c.exe
windows7-x64
106fc46cbdbb...5c.exe
windows10-2004-x64
108433f5b093...73.exe
windows7-x64
108433f5b093...73.exe
windows10-2004-x64
1086d4877bad...f4.exe
windows10-2004-x64
109b49de72ab...8f.exe
windows10-2004-x64
10b05d662dcb...df.exe
windows10-2004-x64
10b84e93b222...f7.exe
windows10-2004-x64
10bee0ec9430...1b.exe
windows10-2004-x64
10c95a5553b1...1a.exe
windows10-2004-x64
10ca54f6dfd1...d5.exe
windows10-2004-x64
10cca7f7e048...56.exe
windows10-2004-x64
10cf9a62d5a1...b4.exe
windows10-2004-x64
10d211b73bae...c6.exe
windows10-2004-x64
10eb23946a76...29.exe
windows10-2004-x64
7f2301f9ee1...18.exe
windows10-2004-x64
10Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 08:22
Static task
static1
Behavioral task
behavioral1
Sample
3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b84e93b22256809e5241bcee59acc31b9865bdae579891d641826e1e159b15f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c95a5553b1a709f22bba8f3f68e6c4c0eef94f99fcf143faebfb68ead35a0f1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
d211b73bae9760b12d1e027c009a4d8f4dbdb34ba630703d65ca56fc612e45c6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe
Resource
win10v2004-20240426-en
General
-
Target
4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe
-
Size
1.1MB
-
MD5
046b3bcfc5dd07fa793b5b9fc44534c6
-
SHA1
98550b4ed41e9bf23ab492a09ac21ef451f130ed
-
SHA256
4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd
-
SHA512
5050898ba55a16ca78bd5274f784079aafa782c4d6d75d29024b69d3cb38c47713818caa7341a1aae7e99f0f81592d42d35f412599b904ba895f37e2abb530c7
-
SSDEEP
24576:HyHqpwwEbEGPY3bIAvlVLpaAy5SZ3+lyszXxadKi4zRJ:SKpZEYGP0JlMAykZ3+nAAR
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
resource yara_rule behavioral3/memory/4304-35-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral3/memory/4304-36-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral3/memory/4304-38-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral3/files/0x0007000000023603-40.dat family_redline behavioral3/memory/4588-42-0x0000000000940000-0x000000000097E000-memory.dmp family_redline -
Executes dropped EXE 6 IoCs
pid Process 1436 xT5OY8fb.exe 3280 os5Lw1os.exe 4348 GG0El9gL.exe 1984 JP1Ni5EG.exe 2000 1cd50VP4.exe 4588 2mJ854pa.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" GG0El9gL.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" JP1Ni5EG.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" xT5OY8fb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" os5Lw1os.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2000 set thread context of 4304 2000 1cd50VP4.exe 115 -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1760 wrote to memory of 1436 1760 4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe 92 PID 1760 wrote to memory of 1436 1760 4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe 92 PID 1760 wrote to memory of 1436 1760 4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe 92 PID 1436 wrote to memory of 3280 1436 xT5OY8fb.exe 93 PID 1436 wrote to memory of 3280 1436 xT5OY8fb.exe 93 PID 1436 wrote to memory of 3280 1436 xT5OY8fb.exe 93 PID 3280 wrote to memory of 4348 3280 os5Lw1os.exe 95 PID 3280 wrote to memory of 4348 3280 os5Lw1os.exe 95 PID 3280 wrote to memory of 4348 3280 os5Lw1os.exe 95 PID 4348 wrote to memory of 1984 4348 GG0El9gL.exe 96 PID 4348 wrote to memory of 1984 4348 GG0El9gL.exe 96 PID 4348 wrote to memory of 1984 4348 GG0El9gL.exe 96 PID 1984 wrote to memory of 2000 1984 JP1Ni5EG.exe 97 PID 1984 wrote to memory of 2000 1984 JP1Ni5EG.exe 97 PID 1984 wrote to memory of 2000 1984 JP1Ni5EG.exe 97 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 2000 wrote to memory of 4304 2000 1cd50VP4.exe 115 PID 1984 wrote to memory of 4588 1984 JP1Ni5EG.exe 116 PID 1984 wrote to memory of 4588 1984 JP1Ni5EG.exe 116 PID 1984 wrote to memory of 4588 1984 JP1Ni5EG.exe 116
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe"C:\Users\Admin\AppData\Local\Temp\4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xT5OY8fb.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xT5OY8fb.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\os5Lw1os.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\os5Lw1os.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3280 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GG0El9gL.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\GG0El9gL.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JP1Ni5EG.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JP1Ni5EG.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cd50VP4.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1cd50VP4.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:4304
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mJ854pa.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2mJ854pa.exe6⤵
- Executes dropped EXE
PID:4588
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4040,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:81⤵PID:1704
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD56002eba57abf2e056522f4c1e93dd8cc
SHA175c696468ec7eef56a4e8cd7a8f76b73d6b2fb51
SHA2568bed36a110b4206ad978ad8db69009763225ad9e44429415c338812c408bed99
SHA51284bfe1331c9e1f06885ba5f1f43c00753605e079198afa724968abe4245e181d2c958bf469305565288b0ed21efce95c998aaf606850c242099f1a77cdf47b22
-
Filesize
843KB
MD50918b2ea21b44eb9c939ddbb0768281c
SHA119c97cfa711c707aa8669fd0a2aaeeda8c51e063
SHA256b49cd40a724681dc01836bae9133e43d51bae306e7e51faf79c0d96531c5c721
SHA5125cf25f86af06415682f217f613f7f155f3db40ab274bb7f6494a7bffba676cac2dcdb9b0a67f66486ad945102d7c272767bbeeabe5c5c4b4ccf7f2c6b16c6dd6
-
Filesize
593KB
MD58007650883fac2235543c77a78654ef6
SHA16187db863ffba169130d137aeb010d1a495bdda0
SHA256823a939d2de147ba11a2d5a851b558adf361e1b60c552ec55d64824fefb903e0
SHA512da35b9a228dd129a132d4b1ff9b8b587044e8cf5c93fe3ffce1ceeda941484e3f058b94141c6d84717af65d7e04c0c6c99af25f8bdaba6bd68fc0619d1583cbb
-
Filesize
398KB
MD543ec0e9124078ac2c90c9a06bec3d100
SHA1a1fbeafc9e5eeff6d250630aa8b23b71b1c172b7
SHA256a2071445d989bd631e0e63d76c27c192ff2fd0d943cd5d25dc36b954b9e81503
SHA51220e521d0ff1d097f48fc5f2a6c08209a05653eacc1f137319e36df2d3a91de1023d825b27de2d491100cb8cf53dd9eea09cdc85a1cd6e08b8c9a9cc106b17ac6
-
Filesize
320KB
MD58f43c049b9ebd1cf8d75ec6012660b58
SHA1d97e6abc19730fb1e67a38df769732707e0d4897
SHA256169986bab792920d82249d76f03227ef511bc36b51d03b2267d2ba32e24976b5
SHA5121f8c76bf15a59bcb334c665c63678e6ea817c3d1918e17f7ebd18c55029a75bc6a7a5654ce4e8a9412f5ffa5fbef9b11beacdd9e6b4938eee370ef1ef3877ced
-
Filesize
222KB
MD59032bf95a18062608a40313c6e5335a2
SHA1fac2f669af5a011564fea450138da695fcfadb67
SHA25620245ac0716983eaaf2bc09451a1aa56d00b5745c15c5a4af3951894f625826b
SHA512ac4be72adc87ed22aee2ce9b70c7aa4d7bce10b01c8c8ab18aaa2ac9b0d8c363594471f172bf1184434aabef46028c71cb3598c8ae99df930587420bb6bf55d6