Analysis
-
max time kernel
136s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 07:44
General
-
Target
5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4.exe
-
Size
753KB
-
MD5
322d6f9c8ae6bcbfdc6bdf1690033868
-
SHA1
b01e1ed14b5c25ae7a818cc8115c7b454c27750b
-
SHA256
5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4
-
SHA512
ece712f0fc503fbd6636c2423bfdd714a840bf1e7d2fda013adc58c5f481b669ee6ed299efb54bd55c2169b98fd969617179b15e3dd7ebd0a2dd3c8d2b700fd9
-
SSDEEP
12288:oMrwy901MTCuX1YYj/gL/2CQ44hzE46TzY7aHG2FWzB7kpPP03LwEKsmPO:IyS071YAhQxTE7yGPiU3LwTbPO
Malware Config
Extracted
redline
kedru
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4.exe"C:\Users\Admin\AppData\Local\Temp\5e46be5a1605d21562eda70cd21e2675e650c3789e8dde9dfb908ec546adc9b4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uh9SZ2CP.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uh9SZ2CP.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1iK84FZ0.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1iK84FZ0.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 1925⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hf902up.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Hf902up.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4400 -ip 44001⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
558KB
MD5ec1381c2b362e50678796e698e2fb179
SHA1c1fb22eadf0b722bad522daedc016a8647d38f00
SHA25612245ff3cfb14f7bf304af27231f8375975bc2ee24934683d15f38023cb55b51
SHA512510f092106b96a74ac156d35a45d4ab4935519a2868fa8d002d6f0df86df63f021394df3fb3e9b2bf86a7e7027f47e8bf0a0974110b93649482a771866f8df0b
-
Filesize
1.0MB
MD5a5a72ed79ae5e9780a11e88e6c6853c2
SHA19c59ba2bdb9066bedc108596ed94633c824edec8
SHA2564d29c049f541cf4cfc30160228c05c981a115b3890004fb839ff261b99b62051
SHA51284b85e7ce7701c18bffba0a76a289ab8f43dffaa77604d2c4e3682feb3dd8e937a70b00aba3213c5303d3ffa7bfc7e97008d39505087ace7c3cce9baac9b9d88
-
Filesize
219KB
MD5f598fe73cd287df554de21f233f83afa
SHA16c8d344e679101cea810b5feebd83d7cfa594a51
SHA2561e946e36b01456f0f28512c3ca34b6802d49afcb099002d12567bbebf8f40542
SHA512fff6ba4fe7eb3b1c361cf0812a6b8c46293c8d53a393f05d113571fce3b2c499b03cfa1e730d2c077fbf9d299af4b68ed2dbecfea80d78ca726c983cb708f33e
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
5.6MB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB