Overview
overview
10Static
static
3016b8fab11...90.exe
windows10-2004-x64
10046f35763e...68.exe
windows10-2004-x64
1014e25178ee...de.exe
windows10-2004-x64
1058609bf38b...1d.exe
windows10-2004-x64
105e46be5a16...b4.exe
windows10-2004-x64
1064220efa05...b0.exe
windows10-2004-x64
107252b3ba90...cd.exe
windows10-2004-x64
10761baf17cd...b8.exe
windows10-2004-x64
1079b34442d1...59.exe
windows10-2004-x64
107bca30b01b...44.exe
windows10-2004-x64
77f2d656f1a...24.exe
windows10-2004-x64
1092903f5aac...33.exe
windows10-2004-x64
10a6fd8428c6...ff.exe
windows10-2004-x64
10a9a24c6b40...79.exe
windows10-2004-x64
10c957c1f7d6...20.exe
windows10-2004-x64
10d30a3fe09c...90.exe
windows10-2004-x64
10d4c8c5a1d2...4e.exe
windows10-2004-x64
10e2ca05276c...37.exe
windows10-2004-x64
10e79c48869d...9a.exe
windows10-2004-x64
10fff53a878c...d6.exe
windows10-2004-x64
10Analysis
-
max time kernel
152s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 07:44
Static task
static1
Behavioral task
behavioral1
Sample
016b8fab114770bc330d8c49bc8909920899011e9018ceeaa5233b1b572c4190.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
046f35763e317ea5c0e4e5bc1725bc6e4fbd85ebf7a2820a18b9033c87584f68.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
14e25178ee8b8712bc968c820fb869e90a44dec170ecd8a6483ae8f108b1f2de.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
58609bf38be4777dd43032b4b64e68420854d83e377491d6356127f6c112181d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
64220efa0582fe1aec27096123429aeb58dc263d43340ad6613555ad427544b0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
7252b3ba9094d91a1e12f9c9944f24ccf25c9a4c75e7f7e3380ca37b8e6bfbcd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
761baf17cd7e790b03075c76f9e902cd11700ce8b920d2741b04a70371069ab8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
79b34442d1c8507ff7bb7f184e63b7b674da3847ab0d3d8203b60c93467fa859.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
7bca30b01b52faa483cb9bba6adca25589109b55d6cd6c01bb4219ef6d8f4444.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
7f2d656f1a4331d02ffea567b5177c3a772a6a6e9c022b13e9042bd0dccbf324.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
92903f5aac10e31279ef8ae844a86a677e02e1799ba17380867ee77d55b31433.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
a6fd8428c609450c9b2629eda53c7749e0bb145c64d6bcfc5071adec21c467ff.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
a9a24c6b40b53ea0f85263a4222bf4792c43b7f26287058d9cd536b2ceb5a779.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
d30a3fe09c9a256105cd948f3eb2049778fcc4c34bdd05779bd39a344805a590.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
d4c8c5a1d2ba6f3920e2785153bc3ad1843efb3696b1cfd86ebffe60bc121e4e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
e2ca05276c37a88d337993eae49ec4ac99bf1c9f9e56112366021c7a649bf337.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
e79c48869da7300155b8f28e75c456d3c8b56a174d85529c97d8307a157a099a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
fff53a878cc4bf75cd2f5a6ea052244eda18185761d3173fcd0c10469adce0d6.exe
Resource
win10v2004-20240426-en
General
-
Target
c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe
-
Size
382KB
-
MD5
61ea25d77feb05e4700cba7bbf682ccd
-
SHA1
da9b0a03694cf3766fcd1b2438cbbd7094a893ce
-
SHA256
c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020
-
SHA512
acc7845555d396393e8362deb0ebcfe924ae2f51b195c0d71ee1a1300c2f3b474b9756137eed1e8d6c745838b69ef15620e7708582ee1e620b539ea23673c5c5
-
SSDEEP
6144:K2y+bnr+zp0yN90QEBoOVYvi8Qy1gPu7gsM/hlVj9NNqb4eIHukyZ6c+ea447dNx:KMrzy90ToOVYae1gPeyZl9f0bmHuuD7B
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral15/memory/4308-7-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral15/memory/4308-9-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral15/memory/4308-11-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral15/memory/4308-8-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral15/files/0x0007000000023277-13.dat family_redline behavioral15/memory/2440-16-0x00000000006A0000-0x00000000006DE000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 2060 1Us96Bt3.exe 2440 2Yj544Vo.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2060 set thread context of 4308 2060 1Us96Bt3.exe 92 -
Program crash 2 IoCs
pid pid_target Process procid_target 2036 2060 WerFault.exe 90 3052 4308 WerFault.exe 92 -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 3696 wrote to memory of 2060 3696 c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe 90 PID 3696 wrote to memory of 2060 3696 c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe 90 PID 3696 wrote to memory of 2060 3696 c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe 90 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 2060 wrote to memory of 4308 2060 1Us96Bt3.exe 92 PID 3696 wrote to memory of 2440 3696 c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe 98 PID 3696 wrote to memory of 2440 3696 c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe 98 PID 3696 wrote to memory of 2440 3696 c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe"C:\Users\Admin\AppData\Local\Temp\c957c1f7d6e812384412b37342974d2234a9d5e5aaa2e53f0e6e41977b4af020.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3696 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Us96Bt3.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1Us96Bt3.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:4308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 5684⤵
- Program crash
PID:3052
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1523⤵
- Program crash
PID:2036
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Yj544Vo.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Yj544Vo.exe2⤵
- Executes dropped EXE
PID:2440
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 96 -p 2060 -ip 20601⤵PID:2348
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4308 -ip 43081⤵PID:4048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵PID:1768
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
295KB
MD5c66ed367e7a9ddd6900cb76e6f0f439e
SHA1952805454a646eea8ad3eb2b73f6297feae28ea8
SHA256bfbcbb013562ffee211482b744cefbec7eff48490ecadbbf94c19e1edccf2f97
SHA512a5ce9283a4e0e6662cd939ce91effb25f840e4b2221f15e5e925c209209e1aefe27fab476b015d461c3f3e68c4bc31d977e97e8cc61dca270b36af78a6361c52
-
Filesize
222KB
MD56a077360b4084c382664ea953eba35f7
SHA130be54e181330247e50f24d92f296fe1aab85ae9
SHA2568a79f299db7e267d94370fde874182d13d0ab5c8b1b549234c2f91eb7620d3d5
SHA5121aa26b9fa99e35136d2800a7be43684180d9f5b366a27a24ab6fd55edfaf621cc1d9412f6ad00e089ebe0ab9ab4cef4bc0f6eb46b7a76abb496f1c8977f8141f