Overview
overview
10Static
static
33f631a363d...63.exe
windows10-2004-x64
10498a26c182...6f.exe
windows10-2004-x64
104b34c552db...dd.exe
windows10-2004-x64
10532834d8ce...8e.exe
windows10-2004-x64
105896992807...ed.exe
windows10-2004-x64
1059c0083cd8...df.exe
windows10-2004-x64
106fc46cbdbb...5c.exe
windows7-x64
106fc46cbdbb...5c.exe
windows10-2004-x64
108433f5b093...73.exe
windows7-x64
108433f5b093...73.exe
windows10-2004-x64
1086d4877bad...f4.exe
windows10-2004-x64
109b49de72ab...8f.exe
windows10-2004-x64
10b05d662dcb...df.exe
windows10-2004-x64
10b84e93b222...f7.exe
windows10-2004-x64
10bee0ec9430...1b.exe
windows10-2004-x64
10c95a5553b1...1a.exe
windows10-2004-x64
10ca54f6dfd1...d5.exe
windows10-2004-x64
10cca7f7e048...56.exe
windows10-2004-x64
10cf9a62d5a1...b4.exe
windows10-2004-x64
10d211b73bae...c6.exe
windows10-2004-x64
10eb23946a76...29.exe
windows10-2004-x64
7f2301f9ee1...18.exe
windows10-2004-x64
10Analysis
-
max time kernel
143s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 08:22
Static task
static1
Behavioral task
behavioral1
Sample
3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
498a26c182a4f66822f65140c2f38df8b9da8ced42ed08651892aa416b8e3b6f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
4b34c552dbab5efc9560efa54f934de7c83ac3d7a313df811145ebfadf64c2dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
532834d8ce7000d8e7eb38c91e27411e3b18295ef7db64dc83c3982ac0a9ae8e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
5896992807f979d7483ac37e3ec58f2b7816d71d0c0cc96def5c78ddb0301ded.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
6fc46cbdbb6e435050e052f67ee83426ac1f65c26e34bc81e339bbb10d07a55c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win7-20240215-en
Behavioral task
behavioral10
Sample
8433f5b093e4f920b53f3456df2f996e8f480ad451bdcdc88ebaddda4abd8a73.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
86d4877badbdcb1c02fdb785b5cb78ec9c4f17f7845781fd0b7513dbfb2bbff4.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
9b49de72ab9ae9caaaf0da01fbe6d5bef6546c46b1e0c0b4c4c3f211eaec728f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
b05d662dcb605a8af070c2bd5fadda687e65adad15dca9ac32982db6ebd36bdf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
b84e93b22256809e5241bcee59acc31b9865bdae579891d641826e1e159b15f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
bee0ec94302af9baabb3e2b4d22397424e0fa315031f65258b35135c92ff0b1b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c95a5553b1a709f22bba8f3f68e6c4c0eef94f99fcf143faebfb68ead35a0f1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
ca54f6dfd1d165cc099fcff983a1e0d5045ab7589a3cefbb07c34deaf08e0dd5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
cca7f7e048cad1d80a1eeb878d27b78386889bd305ac5dd66bcf6ab8499b2256.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cf9a62d5a117aaa03d348685a49a3a176c6dd3ef98e68cdcecaabe67cee3aab4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
d211b73bae9760b12d1e027c009a4d8f4dbdb34ba630703d65ca56fc612e45c6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eb23946a76bf1590eafdacfb8f44604c986536b0b24a3b11f0aa7f8eb4722829.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f2301f9ee1f258528e83f30f1d7ea7bb59faa2f5d97139ddf14e0b5a805cd018.exe
Resource
win10v2004-20240426-en
General
-
Target
59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe
-
Size
941KB
-
MD5
80d8470174fb9248378b139c425b1843
-
SHA1
efb142c6bb25531517d5a25c04591e3fc08075a4
-
SHA256
59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf
-
SHA512
50ee796d88510be9f3999960a84061745034a1d997b12cc1fb150ca007af496f7cf81cc4b54de6db713fbbcfb2183df159d9ad9e4f27ce77a5b42939fc379f20
-
SSDEEP
24576:TyctOyhluqSd8Euzhsse5O7gJIEY7JptxTp:mEhluqSdGlssBytebt1
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral6/files/0x00080000000235eb-19.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral6/files/0x00070000000235ec-22.dat family_redline behavioral6/memory/2684-24-0x0000000000C00000-0x0000000000C3E000-memory.dmp family_redline -
Executes dropped EXE 4 IoCs
pid Process 3852 tZ0Pa9uA.exe 2600 Ny7vy5Ul.exe 516 1MR88YN2.exe 2684 2wl962PO.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" tZ0Pa9uA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Ny7vy5Ul.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 892 wrote to memory of 3852 892 59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe 92 PID 892 wrote to memory of 3852 892 59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe 92 PID 892 wrote to memory of 3852 892 59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe 92 PID 3852 wrote to memory of 2600 3852 tZ0Pa9uA.exe 93 PID 3852 wrote to memory of 2600 3852 tZ0Pa9uA.exe 93 PID 3852 wrote to memory of 2600 3852 tZ0Pa9uA.exe 93 PID 2600 wrote to memory of 516 2600 Ny7vy5Ul.exe 94 PID 2600 wrote to memory of 516 2600 Ny7vy5Ul.exe 94 PID 2600 wrote to memory of 516 2600 Ny7vy5Ul.exe 94 PID 2600 wrote to memory of 2684 2600 Ny7vy5Ul.exe 95 PID 2600 wrote to memory of 2684 2600 Ny7vy5Ul.exe 95 PID 2600 wrote to memory of 2684 2600 Ny7vy5Ul.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe"C:\Users\Admin\AppData\Local\Temp\59c0083cd89906e6947197abc27233f2d2fdeb0cc852b57cd3a6e42063bc2adf.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tZ0Pa9uA.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tZ0Pa9uA.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ny7vy5Ul.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ny7vy5Ul.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1MR88YN2.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1MR88YN2.exe4⤵
- Executes dropped EXE
PID:516
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wl962PO.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2wl962PO.exe4⤵
- Executes dropped EXE
PID:2684
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3444,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:81⤵PID:1624
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
514KB
MD584d419f371b17c35212a3c7208661fea
SHA1af813b9dcc9ee822a6ba5da4426a8387b5fdf8db
SHA256ad68a7f5de07da0e6e8524f866efea5e8f17a002ed580910f1c420b7036338f2
SHA512e0ac236514d6093305c539b1cc4d2c7cab1afb0696c430952aee2d957589a382fb5f208c5dcf6c374d4f002bb4d69f0e33141257623d359850346aa478f489d7
-
Filesize
319KB
MD598681488c0719933ab6ccdbb8c23fa12
SHA1ba1b726f2188407b3be6f2cecb972fa0ccb135e7
SHA25607c0d1d76f888e5137173ec34041605fff9d79afe69aeef7896f90198b958354
SHA512da38edb43416e8f81370059c322e8424790707dedd5821aa74884005f1cf884aabff025e2a80fbebe1ab82101ceb18475a9e57b21ccb4222b156888a5598e8f4
-
Filesize
180KB
MD53f305144feb3040cf41b216841537ec2
SHA1ae9066cc3b40be6250e7e6a90bcc2de160067b84
SHA25689fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1
SHA512ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e
-
Filesize
222KB
MD5430e5b490f8c865c346017ce8deb72af
SHA1a5d7ec4e5a4f4a19c8cfc6fc9c2edd27593c21d2
SHA25616dd6bc2a8f2e4d9e8a5fea17c85536fd8c577c6d6edebe6feea8bda68d76923
SHA5125940c1ba17c548f50923e715aa13bd6072cf82eae502a59191f93d3969de49f6c4f05ef0c07ee8d37dd6c2deae6863116b45a30d11fc74d0602133669fe32df6