Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 07:44
Static task: static1
Behavioral task: behavioral1
Sample: 016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe
Resource: win10v2004-20240508-en
General
Target: 016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe
Size: 636KB
MD5: 14bf3b645a4a3fa119174ca38152620a
SHA1: 647d39596c58fdf8398aa9509a70ef6e69ce0e9f
SHA256: 016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190
SHA512: b89305ddf9b6ca81c0d769d740d5a52f87728a2cc58ff03df416ee0e775210c3b042f0c322e9057df103943097787869ac4d5fad23b55b78a2032a0752de48de
SSDEEP: 12288:3Mryy90uN+HxJuPeXQP6XNK/2BEKDFpOsAQbPxySk+Tmno:xylN+H7umcn/upDFpOsAQFySDl
Malware Config
Extracted
Family: redline
Botnet: nanya
C2: 77.91.124.82:19071
auth_value: 640aa5afe54f566d8795f0dc723f8b52
Signatures

Detect Mystic stealer payload (3 IoCs)
Processes:
  resource: behavioral1/memory/3380-19-0x0000000000400000-0x000000000042C000-memory.dmp, yara_rule: mystic_family
  resource: behavioral1/memory/3380-22-0x0000000000400000-0x000000000042C000-memory.dmp, yara_rule: mystic_family
  resource: behavioral1/memory/3380-20-0x0000000000400000-0x000000000042C000-memory.dmp, yara_rule: mystic_family

Detects Healer, an antivirus disabler dropper (1 IoCs)
Processes:
  resource: behavioral1/memory/2348-14-0x0000000000400000-0x000000000040A000-memory.dmp, yara_rule: healer

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Processes: AppLaunch.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" (AppLaunch.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" (AppLaunch.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" (AppLaunch.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection (AppLaunch.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" (AppLaunch.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" (AppLaunch.exe)
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
Processes:
  resource: behavioral1/memory/3548-26-0x0000000000400000-0x0000000000430000-memory.dmp, yara_rule: family_redline

Executes dropped EXE (4 IoCs)
Processes:
  PID 4000 v3956667.exe
  PID 1592 a5885328.exe
  PID 1764 b6110286.exe
  PID 2040 c1198337.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (v3956667.exe)

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 1592 (a5885328.exe) set thread context of PID 2348 (AppLaunch.exe)
  PID 1764 (b6110286.exe) set thread context of PID 3380 (AppLaunch.exe)
  PID 2040 (c1198337.exe) set thread context of PID 3548 (AppLaunch.exe)

Program crash (3 IoCs)
Processes:
  PID 3648 WerFault.exe, target PID 1592 (a5885328.exe)
  PID 2408 WerFault.exe, target PID 1764 (b6110286.exe)
  PID 4640 WerFault.exe, target PID 2040 (c1198337.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 2348 AppLaunch.exe
  PID 2348 AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  Token: SeDebugPrivilege, PID 2348 AppLaunch.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Processes (unique parent/child pairs):
  PID 1236 (016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe) wrote to memory of PID 4000 (v3956667.exe)
  PID 4000 (v3956667.exe) wrote to memory of PID 1592 (a5885328.exe)
  PID 1592 (a5885328.exe) wrote to memory of PID 1572 (AppLaunch.exe)
  PID 1592 (a5885328.exe) wrote to memory of PID 1940 (AppLaunch.exe)
  PID 1592 (a5885328.exe) wrote to memory of PID 2348 (AppLaunch.exe)
  PID 4000 (v3956667.exe) wrote to memory of PID 1764 (b6110286.exe)
  PID 1764 (b6110286.exe) wrote to memory of PID 3380 (AppLaunch.exe)
  PID 1236 (016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe) wrote to memory of PID 2040 (c1198337.exe)
  PID 2040 (c1198337.exe) wrote to memory of PID 3548 (AppLaunch.exe)
Processes
- [PID 1236] C:\Users\Admin\AppData\Local\Temp\016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - [PID 4000] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3956667.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3956667.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [PID 1592] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5885328.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5885328.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [PID 1572] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - [PID 1940] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - [PID 2348] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        signatures: Modifies Windows Defender Real-time Protection settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [PID 3648] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 580
        signatures: Program crash
    - [PID 1764] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6110286.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6110286.exe
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - [PID 3380] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - [PID 2408] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 552
        signatures: Program crash
  - [PID 2040] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1198337.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1198337.exe
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - [PID 3548] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    - [PID 4640] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 572
      signatures: Program crash
- [PID 5080] C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1592 -ip 1592
- [PID 1324] C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1764 -ip 1764
- [PID 776] C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2040 -ip 2040
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)