Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 07:44

General

  • Target

    016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe

  • Size

    636KB

  • MD5

    14bf3b645a4a3fa119174ca38152620a

  • SHA1

    647d39596c58fdf8398aa9509a70ef6e69ce0e9f

  • SHA256

    016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190

  • SHA512

    b89305ddf9b6ca81c0d769d740d5a52f87728a2cc58ff03df416ee0e775210c3b042f0c322e9057df103943097787869ac4d5fad23b55b78a2032a0752de48de

  • SSDEEP

    12288:3Mryy90uN+HxJuPeXQP6XNK/2BEKDFpOsAQbPxySk+Tmno:xylN+H7umcn/upDFpOsAQFySDl

Malware Config

Extracted

Family

redline

Botnet

nanya

C2

77.91.124.82:19071

Attributes
  • auth_value

    640aa5afe54f566d8795f0dc723f8b52

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe
    "C:\Users\Admin\AppData\Local\Temp\016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3956667.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3956667.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5885328.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5885328.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1572
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:1940
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2348
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 580
              4⤵
              • Program crash
              PID:3648
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6110286.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6110286.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
                PID:3380
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 552
                4⤵
                • Program crash
                PID:2408
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1198337.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1198337.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2040
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              3⤵
                PID:3548
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 572
                3⤵
                • Program crash
                PID:4640
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1592 -ip 1592
            1⤵
              PID:5080
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1764 -ip 1764
              1⤵
                PID:1324
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2040 -ip 2040
                1⤵
                  PID:776

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c1198337.exe

                  Filesize

                  414KB

                  MD5

                  145f62b2df14a9e72a599a059e411612

                  SHA1

                  a61be9e92694faa10bc05e06e00f80ab539c2374

                  SHA256

                  a168c32d4d93aea20ac12f7740d4455a0ccaf6280c6d53516f8e2311926f98b4

                  SHA512

                  7d84e520ab9248394b67ecd7185ee404566143937af01bfe96449c24dba8deef0b9ac6dac2430eb47a61c9a24e385f5a0b393d676b7b714abbc04eee5ebd72ef

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3956667.exe

                  Filesize

                  361KB

                  MD5

                  2feb83d2becd3f93ee14a2055a202745

                  SHA1

                  33884cb3714bebfd6a9e85b6b727547670b55014

                  SHA256

                  401f14d8cbc922b68555b7223131d815aa41802e371f8a92948e9fa8eb7e0fa5

                  SHA512

                  dea8f8d6d3541633cdfe37bc209b25603054339138a4a419cb6f412cd82041a05771a919f5a59499faa28200ba949a62fefb6bba6df2796df751596d99b93857

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5885328.exe

                  Filesize

                  251KB

                  MD5

                  bb81d942249c86a65f9dfce1a95a56c9

                  SHA1

                  1518f774bcd039a7f6ac849d60d064e2c5d5d97a

                  SHA256

                  854d6dc24a63aea9269b62be3555cd2675d121219303a2deb2b3bb37b967f91f

                  SHA512

                  e9787bc37f7098ecb1811e8cca43b0179d4661b31f366a015107475e9ad9897d81dffae4f0998a5be38c72a9b24852b38d2f3145d15f43ead22034d551dd5d62

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6110286.exe

                  Filesize

                  396KB

                  MD5

                  1cae3954e01408e9ed8f2bb98b3dd33c

                  SHA1

                  4fc7a35d136d894dacad9f1f0ab86d148450584a

                  SHA256

                  a0ed2809ec917683bb22e1ba675275f6a8f239c447aec0e4dddf360eaa4198ff

                  SHA512

                  bba2e0eb745de74e3ada78762da1f2ad5c9d992aba1ed2103de9bdc092f9654c944088d3f9f6ec86f475044a4b67ea5cacde70821870e1c2b0f8c65762bd08ff

                • memory/2348-15-0x000000007436E000-0x000000007436F000-memory.dmp

                  Filesize

                  4KB

                • memory/2348-14-0x0000000000400000-0x000000000040A000-memory.dmp

                  Filesize

                  40KB

                • memory/3380-19-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                • memory/3380-22-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                • memory/3380-20-0x0000000000400000-0x000000000042C000-memory.dmp

                  Filesize

                  176KB

                • memory/3548-26-0x0000000000400000-0x0000000000430000-memory.dmp

                  Filesize

                  192KB

                • memory/3548-27-0x00000000055C0000-0x00000000055C6000-memory.dmp

                  Filesize

                  24KB

                • memory/3548-28-0x000000000B0D0000-0x000000000B6E8000-memory.dmp

                  Filesize

                  6.1MB

                • memory/3548-29-0x000000000AC50000-0x000000000AD5A000-memory.dmp

                  Filesize

                  1.0MB

                • memory/3548-30-0x000000000AB90000-0x000000000ABA2000-memory.dmp

                  Filesize

                  72KB

                • memory/3548-31-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

                  Filesize

                  240KB

                • memory/3548-32-0x0000000002F60000-0x0000000002FAC000-memory.dmp

                  Filesize

                  304KB