Overview

overview

10

Static

static

3

016b8fab11...90.exe

windows10-2004-x64

10

046f35763e...68.exe

windows10-2004-x64

10

14e25178ee...de.exe

windows10-2004-x64

10

58609bf38b...1d.exe

windows10-2004-x64

10

5e46be5a16...b4.exe

windows10-2004-x64

10

64220efa05...b0.exe

windows10-2004-x64

10

7252b3ba90...cd.exe

windows10-2004-x64

10

761baf17cd...b8.exe

windows10-2004-x64

10

79b34442d1...59.exe

windows10-2004-x64

10

7bca30b01b...44.exe

windows10-2004-x64

7

7f2d656f1a...24.exe

windows10-2004-x64

10

92903f5aac...33.exe

windows10-2004-x64

10

a6fd8428c6...ff.exe

windows10-2004-x64

10

a9a24c6b40...79.exe

windows10-2004-x64

10

c957c1f7d6...20.exe

windows10-2004-x64

10

d30a3fe09c...90.exe

windows10-2004-x64

10

d4c8c5a1d2...4e.exe

windows10-2004-x64

10

e2ca05276c...37.exe

windows10-2004-x64

10

e79c48869d...9a.exe

windows10-2004-x64

10

fff53a878c...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 07:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe

  • Size

    382KB

  • MD5

    61ea25d77feb05e4700cba7bbf682ccd

  • SHA1

    da9b0a03694cf3766fcd1b2438cbbd7094a893ce

  • SHA256

    c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020

  • SHA512

    acc7845555d396393e8362deb0ebcfe924ae2f51b195c0d71ee1a1300c2f3b474b9756137eed1e8d6c745838b69ef15620e7708582ee1e620b539ea23673c5c5

  • SSDEEP

    6144:K2y+bnr+zp0yN90QEBoOVYvi8Qy1gPu7gsM/hlVj9NNqb4eIHukyZ6c+ea447dNx:KMrzy90ToOVYae1gPeyZl9f0bmHuuD7B

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe
    "C:\Users\Admin\AppData\Local\Temp\c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Us96Bt3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Us96Bt3.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:4308
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 568
            4⤵
            • Program crash
            PID:3052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 152
          3⤵
          • Program crash
          PID:2036
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Yj544Vo.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Yj544Vo.exe
        2⤵
        • Executes dropped EXE
        PID:2440
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 96 -p 2060 -ip 2060
      1⤵
        PID:2348
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4308 -ip 4308
        1⤵
          PID:4048
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:1768

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Us96Bt3.exe
            Filesize

            295KB

            MD5

            c66ed367e7a9ddd6900cb76e6f0f439e

            SHA1

            952805454a646eea8ad3eb2b73f6297feae28ea8

            SHA256

            bfbcbb013562ffee211482b744cefbec7eff48490ecadbbf94c19e1edccf2f97

            SHA512

            a5ce9283a4e0e6662cd939ce91effb25f840e4b2221f15e5e925c209209e1aefe27fab476b015d461c3f3e68c4bc31d977e97e8cc61dca270b36af78a6361c52

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Yj544Vo.exe
            Filesize

            222KB

            MD5

            6a077360b4084c382664ea953eba35f7

            SHA1

            30be54e181330247e50f24d92f296fe1aab85ae9

            SHA256

            8a79f299db7e267d94370fde874182d13d0ab5c8b1b549234c2f91eb7620d3d5

            SHA512

            1aa26b9fa99e35136d2800a7be43684180d9f5b366a27a24ab6fd55edfaf621cc1d9412f6ad00e089ebe0ab9ab4cef4bc0f6eb46b7a76abb496f1c8977f8141f

            Download Submit
          • memory/2440-21-0x00000000085D0000-0x0000000008BE8000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/2440-20-0x0000000007620000-0x000000000762A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/2440-27-0x00000000742F0000-0x0000000074AA0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/2440-26-0x00000000742FE000-0x00000000742FF000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2440-15-0x00000000742FE000-0x00000000742FF000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2440-16-0x00000000006A0000-0x00000000006DE000-memory.dmp
            Filesize

            248KB

            Download
          • memory/2440-17-0x0000000007A00000-0x0000000007FA4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/2440-18-0x0000000007450000-0x00000000074E2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2440-19-0x00000000742F0000-0x0000000074AA0000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/2440-25-0x00000000078E0000-0x000000000792C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/2440-24-0x0000000007760000-0x000000000779C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/2440-22-0x00000000077D0000-0x00000000078DA000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/2440-23-0x0000000007700000-0x0000000007712000-memory.dmp
            Filesize

            72KB

            Download
          • memory/4308-7-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/4308-11-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/4308-9-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/4308-8-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download