Analysis
max time kernel: 143s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 09:02
Static task: static1

Behavioral tasks (task: sample, resource)
behavioral1: 0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe, win10v2004-20240508-en
behavioral2: 142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe, win10v2004-20240426-en
behavioral3: 1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe, win10v2004-20240508-en
behavioral4: 2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37.exe, win10v2004-20240426-en
behavioral5: 357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2.exe, win7-20240221-en
behavioral6: 357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2.exe, win10v2004-20240508-en
behavioral7: 367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe, win10v2004-20240426-en
behavioral8: 3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe, win10v2004-20240508-en
behavioral9: 3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe, win10v2004-20240426-en
behavioral10: 4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6.exe, win10v2004-20240508-en
behavioral11: 5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea.exe, win10v2004-20240426-en
behavioral12: 620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe, win10v2004-20240508-en
behavioral13: 68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a.exe, win10v2004-20240426-en
behavioral14: 753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe, win10v2004-20240508-en
behavioral15: a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe, win10v2004-20240226-en
behavioral16: a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582.exe, win10v2004-20240508-en
behavioral17: a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e.exe, win10v2004-20240426-en
behavioral18: aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe, win10v2004-20240426-en
behavioral19: aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049.exe, win10v2004-20240426-en
behavioral20: d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe, win10v2004-20240508-en
behavioral21: e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe, win10v2004-20240426-en
General
Target: e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe
Size: 1.1MB
MD5: db790b8be6c16299ccf7f1dccd680b89
SHA1: 4d13d834f004cdb6c836eb0f9d7343fea266069c
SHA256: e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65
SHA512: 63518a7fd2471ed7c678e650ff45939b86d9264cf175f6d3e5e3cf6662fd54a1dbc0063b5e97707d247046d982feaff164728d7267543622c66e5394427a988f
SSDEEP: 24576:UyMQBHbtypH1KhYSPs1h4Gur9/pok9ULO0Rtlz01EjUdkr5eM:jMAbtypH1HFajr9/6jpI52
Malware Config
Extracted family: redline
Botnet: kukish
C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (3 IoCs)
resource behavioral21/memory/2492-35-0x0000000000400000-0x0000000000432000-memory.dmp, yara_rule mystic_family
resource behavioral21/memory/2492-36-0x0000000000400000-0x0000000000432000-memory.dmp, yara_rule mystic_family
resource behavioral21/memory/2492-38-0x0000000000400000-0x0000000000432000-memory.dmp, yara_rule mystic_family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource behavioral21/files/0x000700000002344e-40.dat, yara_rule family_redline
resource behavioral21/memory/3380-42-0x0000000000E00000-0x0000000000E3E000-memory.dmp, yara_rule family_redline

Executes dropped EXE (6 IoCs)
pid 1528, process fu0lY6TN.exe
pid 2496, process lp6RE6uj.exe
pid 3024, process sG2mu1dw.exe
pid 2712, process cr8Af0ES.exe
pid 452, process 1AV93bI3.exe
pid 3380, process 2VC986WS.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process lp6RE6uj.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process sG2mu1dw.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" (process cr8Af0ES.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process fu0lY6TN.exe)

Suspicious use of SetThreadContext (1 IoCs)
PID 452 (1AV93bI3.exe) set thread context of PID 2492, procid_target 103

Program crash (1 IoCs)
pid 3964 (WerFault.exe), pid_target 452, procid_target 88

Suspicious use of WriteProcessMemory (28 IoCs, grouped by parent/child pair)
PID 3472 (e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe) wrote to memory of PID 1528, procid_target 83 (3 events)
PID 1528 (fu0lY6TN.exe) wrote to memory of PID 2496, procid_target 85 (3 events)
PID 2496 (lp6RE6uj.exe) wrote to memory of PID 3024, procid_target 86 (3 events)
PID 3024 (sG2mu1dw.exe) wrote to memory of PID 2712, procid_target 87 (3 events)
PID 2712 (cr8Af0ES.exe) wrote to memory of PID 452, procid_target 88 (3 events)
PID 452 (1AV93bI3.exe) wrote to memory of PID 2492, procid_target 103 (10 events)
PID 2712 (cr8Af0ES.exe) wrote to memory of PID 3380, procid_target 107 (3 events)
Processes (process tree; depth in brackets, signatures listed beneath each process)

[1] C:\Users\Admin\AppData\Local\Temp\e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe (PID 3472)
    command line: "C:\Users\Admin\AppData\Local\Temp\e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu0lY6TN.exe (PID 1528)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fu0lY6TN.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lp6RE6uj.exe (PID 2496)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lp6RE6uj.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sG2mu1dw.exe (PID 3024)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sG2mu1dw.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cr8Af0ES.exe (PID 2712)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cr8Af0ES.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AV93bI3.exe (PID 452)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1AV93bI3.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 2492)
                command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 3964)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 556
                - Program crash
          [6] C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC986WS.exe (PID 3380)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2VC986WS.exe
              - Executes dropped EXE

[1] C:\Windows\SysWOW64\WerFault.exe (PID 3728)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 452 -ip 452
Network
MITRE ATT&CK Enterprise v15
Downloads