Overview
overview
10Static
static
33f631a363d...63.exe
windows10-2004-x64
10498a26c182...6f.exe
windows10-2004-x64
104b34c552db...dd.exe
windows10-2004-x64
10532834d8ce...8e.exe
windows10-2004-x64
105896992807...ed.exe
windows10-2004-x64
1059c0083cd8...df.exe
windows10-2004-x64
106fc46cbdbb...5c.exe
windows7-x64
106fc46cbdbb...5c.exe
windows10-2004-x64
108433f5b093...73.exe
windows7-x64
108433f5b093...73.exe
windows10-2004-x64
1086d4877bad...f4.exe
windows10-2004-x64
109b49de72ab...8f.exe
windows10-2004-x64
10b05d662dcb...df.exe
windows10-2004-x64
10b84e93b222...f7.exe
windows10-2004-x64
10bee0ec9430...1b.exe
windows10-2004-x64
10c95a5553b1...1a.exe
windows10-2004-x64
10ca54f6dfd1...d5.exe
windows10-2004-x64
10cca7f7e048...56.exe
windows10-2004-x64
10cf9a62d5a1...b4.exe
windows10-2004-x64
10d211b73bae...c6.exe
windows10-2004-x64
10eb23946a76...29.exe
windows10-2004-x64
7f2301f9ee1...18.exe
windows10-2004-x64
10Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 08:22
Static task
static1
Behavioral task
behavioral1
Sample
3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b84e93b22256809e5241bcee59acc31b9865bdae579891d641826e1e159b15f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c95a5553b1a709f22bba8f3f68e6c4c0eef94f99fcf143faebfb68ead35a0f1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
d211b73bae9760b12d1e027c009a4d8f4dbdb34ba630703d65ca56fc612e45c6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe
Resource
win10v2004-20240426-en
General
-
Target
532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe
-
Size
640KB
-
MD5
4e69763de347a093660a29f805ebc4c2
-
SHA1
36a39f3eb16a81a3b16e8b65a851333825840cac
-
SHA256
532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e
-
SHA512
f1be611c111dc3893577b2cbd02dbfade9e2e06a799433ca037e74a661619a5919bfb44a058b982938e3c66df2feee4bc5ce194d83fd42edd6fbdd5e3555fab3
-
SSDEEP
12288:nMrjy90j+Hx7kmR2WHBkmHN8wfWSq6vFjMaXXRLc+:0y4+HkM5NBWSqWFjM+
Malware Config
Extracted
redline
lutyr
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral4/memory/2008-14-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral4/memory/2008-16-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral4/memory/2008-15-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family behavioral4/memory/2008-18-0x0000000000400000-0x0000000000433000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral4/files/0x00070000000233cc-20.dat family_redline behavioral4/memory/852-22-0x0000000000D40000-0x0000000000D7E000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 4632 CS5fM9Zp.exe 2768 1Kp00Bb6.exe 852 2yo574uc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" CS5fM9Zp.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2768 set thread context of 2008 2768 1Kp00Bb6.exe 83 -
Program crash 2 IoCs
pid pid_target Process procid_target 2336 2768 WerFault.exe 82 4980 2008 WerFault.exe 83 -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 3888 wrote to memory of 4632 3888 532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe 81 PID 3888 wrote to memory of 4632 3888 532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe 81 PID 3888 wrote to memory of 4632 3888 532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe 81 PID 4632 wrote to memory of 2768 4632 CS5fM9Zp.exe 82 PID 4632 wrote to memory of 2768 4632 CS5fM9Zp.exe 82 PID 4632 wrote to memory of 2768 4632 CS5fM9Zp.exe 82 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 2768 wrote to memory of 2008 2768 1Kp00Bb6.exe 83 PID 4632 wrote to memory of 852 4632 CS5fM9Zp.exe 89 PID 4632 wrote to memory of 852 4632 CS5fM9Zp.exe 89 PID 4632 wrote to memory of 852 4632 CS5fM9Zp.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe"C:\Users\Admin\AppData\Local\Temp\532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3888 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CS5fM9Zp.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CS5fM9Zp.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kp00Bb6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Kp00Bb6.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:2008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 5405⤵
- Program crash
PID:4980
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 5924⤵
- Program crash
PID:2336
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2yo574uc.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2yo574uc.exe3⤵
- Executes dropped EXE
PID:852
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2768 -ip 27681⤵PID:4740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 20081⤵PID:3344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
443KB
MD5d63f862c77881b4aac88a85221dd0bd6
SHA150c555b191de891fe88facfd58b4424a80e16281
SHA256eadf9a0e0d90b9806a3474e0f0ba5a5a91d4e500fb32855a8072c19efab489ab
SHA51225272dbfcd040394346ad4a3ef1057b8b84f22e7590fd92e93f12964365dfe7ed63ccc90fb501baf9e4e6b80695a5d725e115c74b99dc5c0d89f77a55c20d20a
-
Filesize
422KB
MD57094c0d6453e0646d3db95aba72fa820
SHA1e335985006dc9850e8b874b9afb49f28af867deb
SHA25652d77de9b60f295e1c6fe439d8644be8963a7e4ba48d5319590cedd44e3c7311
SHA512b37da45732f6d74c1461baf512b1b7893df65223acb5f9ae059c19914095f764a9deb79aecb77af2e7f6d67bb065d11ecafa6e09d1912aa860530b4c34f85fde
-
Filesize
222KB
MD587ff3c55c8c51bc6ac1df80df2dc6ba9
SHA15a40891a3886410c7aa8a9901f932eca5a1dfa6e
SHA256cc3492e69148983784dd57c3537ac5ea81b066afa0ad0d6657ff0d58c56e5430
SHA512b67b76d5b4e91811251befbb5ff5ab09936314a3cd3bc70d136782f72a4c210de1f25b1cdb1c75508e0d36decc7ce0a0ed9fb5a345981f26bd59a37cee95a78e