Overview

overview

10

Static

static

3

131b47af99...32.exe

windows10-2004-x64

10

227ab56ef5...eb.exe

windows10-2004-x64

10

4537f51b0d...4c.exe

windows10-2004-x64

10

4852dcede8...5b.exe

windows7-x64

10

4852dcede8...5b.exe

windows10-2004-x64

10

4d68d381e4...34.exe

windows10-2004-x64

10

62d27d23e1...d0.exe

windows10-2004-x64

10

6f4e5c3b3a...2b.exe

windows10-2004-x64

10

775b7a0479...3d.exe

windows10-2004-x64

10

80a8dab579...f7.exe

windows10-2004-x64

10

a28852a355...af.exe

windows10-2004-x64

7

d02a87f385...3a.exe

windows10-2004-x64

10

d0c1074be1...1f.exe

windows10-2004-x64

10

d427832084...e1.exe

windows10-2004-x64

10

d53f5a64de...d1.exe

windows10-2004-x64

10

d62198c81d...0d.exe

windows10-2004-x64

10

dd0f820c33...a3.exe

windows10-2004-x64

10

e3c377dc6b...f7.exe

windows10-2004-x64

10

e9172c1691...86.exe

windows10-2004-x64

10

f6c86e8cbc...da.exe

windows10-2004-x64

10

fbd8d72f7e...0c.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4537f51b0d234db42162223f94f6617d6df0e7eb077362a4b5249ab8da1e684c.exe

  • Size

    918KB

  • MD5

    b8365d87b8119c3374d71028fbe72382

  • SHA1

    baa6b90ca7d0c8b3649819e5255c5523d7228740

  • SHA256

    4537f51b0d234db42162223f94f6617d6df0e7eb077362a4b5249ab8da1e684c

  • SHA512

    3d074a6e1fc5c1a37e75d656b21cb48fe384b287c007018f436e4e33d7f471703d884bb7f99931607a97885ecae0275b8e508e48bad56d26ef2cfff0480bc252

  • SSDEEP

    24576:SyfJi0RO8s7j4giInc2xlkIYQ6F0M2kjStFS:5RfyjhnWzF0M2kjKF

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4537f51b0d234db42162223f94f6617d6df0e7eb077362a4b5249ab8da1e684c.exe
    "C:\Users\Admin\AppData\Local\Temp\4537f51b0d234db42162223f94f6617d6df0e7eb077362a4b5249ab8da1e684c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OJ6zi77.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OJ6zi77.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mG8bw52.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mG8bw52.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Dj96gq6.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Dj96gq6.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4272
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 564
            5⤵
            • Program crash
            PID:4768
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2BO3621.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2BO3621.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4560
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:1848
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:2036
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 596
                5⤵
                • Program crash
                PID:3364
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IA82ld.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IA82ld.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2452
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Checks SCSI registry key(s)
              PID:4616
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 564
              4⤵
              • Program crash
              PID:4932
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zi119HN.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zi119HN.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:748
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 564
              3⤵
              • Program crash
              PID:1028
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2580 -ip 2580
          1⤵
            PID:1628
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4560 -ip 4560
            1⤵
              PID:876
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2452 -ip 2452
              1⤵
                PID:1564
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1720 -ip 1720
                1⤵
                  PID:4836
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=996,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
                  1⤵
                    PID:4444

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zi119HN.exe
                    Filesize

                    449KB

                    MD5

                    b20706a0ec04c57ed2b4a5e46913e7d9

                    SHA1

                    89650de60fddea0132a01e2733cbf9059c314b26

                    SHA256

                    a034dbd97ab78040031f44e1d3d9518e5353dd066a0a31a0bccf8c7b7e56c2ff

                    SHA512

                    177576faec6f08a1c26443c96991f2d4c1f6097ad0b1351a63369132cd5e7eb2a6add244ed446b13a7127026e980bcde26c2674e815493de41a6386e38c17dd6

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OJ6zi77.exe
                    Filesize

                    628KB

                    MD5

                    20467f7f123bb694478cd1efa17e7f19

                    SHA1

                    7ad523c5a4256229adfdfc56880fe973d3a91453

                    SHA256

                    69878d00b6962523943b43ae4a14b09b0b90ca5ed819cc43ecf792bf06fbbde1

                    SHA512

                    c52dde78e7c876b8b829a69bbb341a2e9ca73959bc91886aa4094e8d346d98810bac94eee6a436beaf716496dc6947fc8aa56bf6ae800dd2b5ee720224fa6dad

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IA82ld.exe
                    Filesize

                    258KB

                    MD5

                    eb418b8fd4cbd92d1c114c2e20568818

                    SHA1

                    edd8f650f0dabd4ac13644150d6f4742eff5b090

                    SHA256

                    ed2e182a9df58e4562681a15c7723a618d07970a9af4288cc7dd87aae9b8f996

                    SHA512

                    60d22123eac01fce3d4bff463bcdf1734c03f412fa55c6f9ab45f58f5265e8b5711b45a4957acab15aa7c52857b105f592473a7fdd146d943d2694e4c8b35027

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\mG8bw52.exe
                    Filesize

                    388KB

                    MD5

                    58e995e36dc0136677189ddd667574a9

                    SHA1

                    87681dbf9b043617531f040fba0703df318d1acb

                    SHA256

                    1cc98dab453853fb2a1ed08d8eec4029387526c8c4f42e50dbf45e75e3e042cd

                    SHA512

                    30afb08376b80d6aa052b5d603be4c3b49cc2c30bf62bfe1056b799b894d25990035da201ba2ead8a375aff2d992fb4d3d2290d08bbe99c77d88e4179f00c9a0

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Dj96gq6.exe
                    Filesize

                    232KB

                    MD5

                    3ff825411b1fe07e712a5dcae34f80eb

                    SHA1

                    e3e4358cabfa74d6e36e26754b01ed78434a6877

                    SHA256

                    69bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739

                    SHA512

                    325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2BO3621.exe
                    Filesize

                    410KB

                    MD5

                    846849a0002c63dae41ebc306e0ad461

                    SHA1

                    e2dd0e1d0c6ad149dce2b245bf7d93aa16738e64

                    SHA256

                    e4dec70236439be082de61d6a386c6269529556989d4e9bac096c3804468fa33

                    SHA512

                    0dc328f01efd3d68563288cf3d37b051542aa5eb0539f56d3e927072a9b30b4a510256c1d091a7322e1059e5ee8189ced979ad6726b32df1a98c647498a56951

                    Download Submit
                  • memory/748-40-0x00000000083C0000-0x00000000089D8000-memory.dmp
                    Filesize

                    6.1MB

                    Download
                  • memory/748-41-0x0000000007620000-0x000000000772A000-memory.dmp
                    Filesize

                    1.0MB

                    Download
                  • memory/748-44-0x0000000007470000-0x00000000074BC000-memory.dmp
                    Filesize

                    304KB

                    Download
                  • memory/748-43-0x0000000007510000-0x000000000754C000-memory.dmp
                    Filesize

                    240KB

                    Download
                  • memory/748-42-0x00000000072A0000-0x00000000072B2000-memory.dmp
                    Filesize

                    72KB

                    Download
                  • memory/748-36-0x0000000000400000-0x000000000043E000-memory.dmp
                    Filesize

                    248KB

                    Download
                  • memory/748-37-0x00000000077F0000-0x0000000007D94000-memory.dmp
                    Filesize

                    5.6MB

                    Download
                  • memory/748-38-0x00000000072E0000-0x0000000007372000-memory.dmp
                    Filesize

                    584KB

                    Download
                  • memory/748-39-0x0000000002620000-0x000000000262A000-memory.dmp
                    Filesize

                    40KB

                    Download
                  • memory/2036-28-0x0000000000400000-0x0000000000433000-memory.dmp
                    Filesize

                    204KB

                    Download
                  • memory/2036-25-0x0000000000400000-0x0000000000433000-memory.dmp
                    Filesize

                    204KB

                    Download
                  • memory/2036-26-0x0000000000400000-0x0000000000433000-memory.dmp
                    Filesize

                    204KB

                    Download
                  • memory/4272-21-0x0000000000400000-0x000000000040A000-memory.dmp
                    Filesize

                    40KB

                    Download
                  • memory/4616-32-0x0000000000400000-0x0000000000409000-memory.dmp
                    Filesize

                    36KB

                    Download