Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 09:02
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: 0314c3cf5875f5a348b62f28e53ec17a9180933fb126d66b7184ebbc62e3c362.exe, win10v2004-20240508-en
behavioral2: 142ed11f8044b70abc93823879852d70e03f8fdb2b557dd5db7da572a6b40d59.exe, win10v2004-20240426-en
behavioral3: 1f54336ceed1489c1501366db5c3d0173f045faa248587b9e1d9d3669f84114f.exe, win10v2004-20240508-en
behavioral4: 2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37.exe, win10v2004-20240426-en
behavioral5: 357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2.exe, win7-20240221-en
behavioral6: 357dca1dd0b140db9468cb0bea91da2504a032397de5a581bd04f96d59e430e2.exe, win10v2004-20240508-en
behavioral7: 367729c84050746eb20cd233e6b8d8cfe0625110da6e43f4b4c486aa19d08103.exe, win10v2004-20240426-en
behavioral8: 3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe, win10v2004-20240508-en
behavioral9: 3ff87c5bd0d476dfc954d3706672474698d1e412030e6189e037c2474b97b730.exe, win10v2004-20240426-en
behavioral10: 4157cda3159c7d2c99d18138d2e023dd1d821d09ae77e78901a80b26492981a6.exe, win10v2004-20240508-en
behavioral11: 5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea.exe, win10v2004-20240426-en
behavioral12: 620f9ee1b442855f9904f5108cf7185b16d0acbacad9aaa076f02e0ffd4f588f.exe, win10v2004-20240508-en
behavioral13: 68173543479d737f5e883a0bf3bd569d09813666a895a805fd53a18f3a96df3a.exe, win10v2004-20240426-en
behavioral14: 753cdc12b984ece991f2018329d37985ee627640895e2d9b9a43a13a6dd6fb91.exe, win10v2004-20240508-en
behavioral15: a4215d26b6f0c0e1bf7e0f7a14e39744684399db4b301d328c8f7df9ca1c0b74.exe, win10v2004-20240226-en
behavioral16: a4375e040f13128a4dc747d845dd82b7204008c71beb526483b369eea30d2582.exe, win10v2004-20240508-en
behavioral17: a619ae77d542717361e631ceb6fe3fab295af4ccef45ae4774b92a9355b6bb2e.exe, win10v2004-20240426-en
behavioral18: aaab139650da2e31907d608a912b0aa66038a21c8d946e300a44ab21b51c2c12.exe, win10v2004-20240426-en
behavioral19: aefec08ebaf1c6b975dbf83df5257e52d7efcbaf569ea4b633cec392af828049.exe, win10v2004-20240426-en
behavioral20: d12f5fa25c8ef0ae322be4daa1b08acf499c9d1be60c2f8d6f6b5a65c28f0a70.exe, win10v2004-20240508-en
behavioral21: e5b42981fd5d352478cd9e79d582bc92295cb43d3d32dfd59e84008eb4216c65.exe, win10v2004-20240426-en
General (this section and everything below it describe behavioral8)
Target: 3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe
Size: 956KB
MD5: c7d606e2c52cb54347c035c4f20385af
SHA1: fd14a9789a5cb3291a9fc9a21fc6a7011df32cfc
SHA256: 3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3
SHA512: c3a07f6ef78ffdf38fee9613b451476e0c17aceebe9115bfd63c02350989197b15426fc854a3cc7a59878a3baa274c1a55b988374003389ee3ccbfa346ebce22
SSDEEP: 24576:IyjahTARFOjnPlTRpSQ4Mh51NLlCTmBqqJj/vieOyO:P8TcIjnPlUOlwoqw3R
Malware Config
Extracted: mystic
  http://5.42.92.211/
Extracted: redline
  breha
  77.91.124.55:19071
Signatures

Detect Mystic stealer payload (3 IoCs)
resource: behavioral8/memory/548-25-0x0000000000400000-0x0000000000433000-memory.dmp  yara_rule: mystic_family
resource: behavioral8/memory/548-28-0x0000000000400000-0x0000000000433000-memory.dmp  yara_rule: mystic_family
resource: behavioral8/memory/548-26-0x0000000000400000-0x0000000000433000-memory.dmp  yara_rule: mystic_family
All three hits are dumps of the same 0x33000-byte image region in PID 548, the AppLaunch.exe instance that 2mI8436.exe wrote into and set the thread context of (see the process tree below), so the Mystic payload is the one carried by that process.

Modifies Windows Defender Real-time Protection settings (6 IoCs)
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection  AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"  AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  AppLaunch.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"  AppLaunch.exe
The process tree attributes these writes to the AppLaunch.exe instance with PID 116 (the one 1Ff69WZ4.exe injected into), which also takes SeDebugPrivilege. The values sit under the Policies hive, i.e. they are the same knobs Group Policy uses to turn off real-time scanning, on-access scanning, behavior monitoring and IOAV (download/attachment) scanning. The key path is shown in the WOW6432Node view because the writer is a 32-bit process; when hunting on a live host, query both the native and the WOW6432Node path.
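The registry writes above are the most portable detection in this report: a process that sets any of the Disable* values under the Defender Real-Time Protection policy key to 1 has no benign reason to do so outside of an admin's policy tooling. The following is an added example (not part of the sandbox report or its tooling) that flags such writes in a stream of registry-set events. The event records are constructed here from the report's IoC lines for PID 116 plus two benign controls; the record field names (pid, image, operation, target, data) are an assumption shaped loosely like a Sysmon Event ID 13 record, and the matcher accepts both the native and the WOW6432Node path so a 64-bit writer trips the same rule.

```python
"""Flag Defender real-time-protection policy tampering in registry-write events.

Added example, not part of the sandbox report. The records below are
constructed from the 'Set value' / 'Key created' lines the report attributes
to AppLaunch.exe (PID 116); the dict field names are an assumption.
"""
import re

# Value names under ...\Policies\Microsoft\Windows Defender\Real-Time Protection
# that switch off a Defender component when set to 1.
RTP_DISABLE_VALUES = frozenset({
    "DisableRealtimeMonitoring",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
})

# Match the policy key in both the native and the WOW6432Node view, so a
# 32-bit writer (as in this report) and a 64-bit writer hit the same rule.
_RTP_VALUE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Policies\\Microsoft\\"
    r"Windows Defender\\Real-Time Protection\\([^\\]+)$",
    re.IGNORECASE,
)


def rtp_tamper_findings(events):
    """Return one finding per write that sets a Disable* real-time value to 1."""
    findings = []
    for ev in events:
        if ev["operation"] != "SetValue":
            continue
        m = _RTP_VALUE.match(ev["target"])
        if not m:
            continue
        value_name = m.group(1)
        # Only a write of 1 disables the component; a write of 0 re-enables it.
        if value_name in RTP_DISABLE_VALUES and str(ev["data"]).strip('"') == "1":
            findings.append({"pid": ev["pid"], "image": ev["image"], "value": value_name})
    return findings


def disabled_components_by_pid(findings):
    """Collapse findings into {pid: sorted value names} for a triage summary."""
    out = {}
    for f in findings:
        out.setdefault(f["pid"], set()).add(f["value"])
    return {pid: sorted(values) for pid, values in out.items()}


RTP_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender"
           r"\Real-Time Protection")
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def _ev(pid, image, operation, target, data=None):
    return {"pid": pid, "image": image, "operation": operation, "target": target, "data": data}


# Constructed from the report's IoC lines, followed by two benign controls.
SAMPLE_EVENTS = [
    _ev(116, "AppLaunch.exe", "CreateKey", RTP_KEY),
    _ev(116, "AppLaunch.exe", "SetValue", RTP_KEY + r"\DisableOnAccessProtection", "1"),
    _ev(116, "AppLaunch.exe", "SetValue", RTP_KEY + r"\DisableRealtimeMonitoring", "1"),
    _ev(116, "AppLaunch.exe", "SetValue", RTP_KEY + r"\DisableScanOnRealtimeEnable", "1"),
    _ev(116, "AppLaunch.exe", "SetValue", RTP_KEY + r"\DisableBehaviorMonitoring", "1"),
    _ev(116, "AppLaunch.exe", "SetValue", RTP_KEY + r"\DisableIOAVProtection", "1"),
    # Control (constructed): WEXTRACT's RunOnce cleanup value is a registry write
    # by the dropper chain, but not a Defender policy change.
    _ev(3160, "rI7FK34.exe", "SetValue", RUNONCE + r"\wextract_cleanup2",
        r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP"),
    # Control (constructed): re-enabling a component must not be reported.
    _ev(4000, "gpupdate-like.exe", "SetValue", RTP_KEY + r"\DisableRealtimeMonitoring", "0"),
]

if __name__ == "__main__":
    for pid, values in disabled_components_by_pid(rtp_tamper_findings(SAMPLE_EVENTS)).items():
        print(f"PID {pid} disabled Defender real-time components: {', '.join(values)}")
```

On a real host the same matcher can be fed from Sysmon Event ID 13 (RegistryEvent SetValue) by mapping TargetObject to target and Details to data; Sysmon reports the key under HKLM\SOFTWARE\... rather than \REGISTRY\MACHINE\SOFTWARE\..., so adjust the prefix in the regular expression accordingly.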
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
resource: behavioral8/memory/4588-36-0x0000000000400000-0x000000000043E000-memory.dmp  yara_rule: family_redline
PID 4588 is the AppLaunch.exe instance spawned by 4zQ997RJ.exe, the last dropped executable in the chain.

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (6 IoCs)
pid 4444  Op9Fk77.exe
pid 3160  rI7FK34.exe
pid 3260  1Ff69WZ4.exe
pid 4008  2mI8436.exe
pid 408   3IW07tF.exe
pid 2980  4zQ997RJ.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""  rI7FK34.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  Op9Fk77.exe
Caveat: these are not persistence entries for the stealers. wextract_cleanupN values pointing at advpack.dll,DelNodeRunDLL32 are what a WEXTRACT (IExpress-style) self-extracting executable registers so that its IXP00N.TMP extraction directory is deleted at the next logon; the three values map to the three nested extraction layers (root sample -> IXP000.TMP, Op9Fk77.exe -> IXP001.TMP, rI7FK34.exe -> IXP002.TMP). Neither Mystic nor RedLine writes an autostart entry of its own in this run.
Suspicious use of SetThreadContext (4 IoCs)
PID 3260 (1Ff69WZ4.exe) set thread context of PID 116   procid_target 86
PID 4008 (2mI8436.exe) set thread context of PID 548   procid_target 94
PID 408 (3IW07tF.exe) set thread context of PID 3412   procid_target 98
PID 2980 (4zQ997RJ.exe) set thread context of PID 4588   procid_target 102
Each target is a freshly spawned copy of C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (see the process tree), and each pairs with a run of WriteProcessMemory calls from the same parent into the same child below, which is the process-hollowing pattern: start a legitimate signed host suspended, overwrite its image, then redirect its main thread with SetThreadContext.
Launches sc.exe (1 IoC)
sc.exe is a Windows utility to control services on the system.
pid 5116  sc.exe
The command line recorded in the process tree is "sc.exe start wuauserv" (the Windows Update service), run at the top level rather than as a child of the dropper chain.
Program crash (4 IoCs)
pid 1284  WerFault.exe  pid_target 3260  procid_target 84
pid 4140  WerFault.exe  pid_target 4008  procid_target 93
pid 4272  WerFault.exe  pid_target 408   procid_target 97
pid 3600  WerFault.exe  pid_target 2980  procid_target 101
The four crashing processes are exactly the four injectors from the SetThreadContext list; each one faults after handing its payload to AppLaunch.exe, while the injected AppLaunch.exe instances keep running.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
(The process tree attributes this to the AppLaunch.exe instance with PID 3412, injected by 3IW07tF.exe.)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 116  AppLaunch.exe
pid 116  AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege  pid 116  AppLaunch.exe
Suspicious use of WriteProcessMemory (53 IoCs)
Collapsed by pair: writer PID (process) -> target PID, procid_target, number of "wrote to memory of" events
3324 (3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe) -> 4444, procid_target 82, 3 writes
4444 (Op9Fk77.exe) -> 3160, procid_target 83, 3 writes
3160 (rI7FK34.exe) -> 3260, procid_target 84, 3 writes
3260 (1Ff69WZ4.exe) -> 792, procid_target 85, 3 writes
3260 (1Ff69WZ4.exe) -> 116, procid_target 86, 8 writes
3160 (rI7FK34.exe) -> 4008, procid_target 93, 3 writes
4008 (2mI8436.exe) -> 548, procid_target 94, 10 writes
4444 (Op9Fk77.exe) -> 408, procid_target 97, 3 writes
408 (3IW07tF.exe) -> 3412, procid_target 98, 6 writes
3324 (3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe) -> 2980, procid_target 101, 3 writes
2980 (4zQ997RJ.exe) -> 4588, procid_target 102, 8 writes
Every ordinary parent-to-child spawn in this run shows exactly three writes; the four pairs with six or more writes are the ones that also appear in the SetThreadContext list. The first AppLaunch.exe that 1Ff69WZ4.exe started (PID 792) received only the three spawn writes and no SetThreadContext, and carries no signatures of its own.
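The two tables above (WriteProcessMemory and SetThreadContext) are more useful joined than read separately: a cross-process SetThreadContext preceded by cross-process writes from the same caller into the same target is the signal, while writes alone also occur on every ordinary CreateProcess in this monitor. The block below is an added example, not code from the sandbox or the report, that performs that join. Its event tuples are constructed from the report's 53 WriteProcessMemory entries (collapsed with repeat counts), its four SetThreadContext entries and the PID-to-image mapping in the process tree; the tuple layout and the HOLLOW_HOSTS list of commonly abused .NET host images are assumptions made for the example.

```python
"""Correlate WriteProcessMemory and SetThreadContext events into injection candidates.

Added example, not part of the sandbox report. Event tuples are constructed
from the report's signature tables; the (pid, image, target) layout and the
HOLLOW_HOSTS list are assumptions for the example.
"""
from collections import Counter

ROOT = "3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

# (writer pid, writer image, target pid), one tuple per "wrote to memory of" line.
WRITE_EVENTS = (
    [(3324, ROOT, 4444)] * 3
    + [(4444, "Op9Fk77.exe", 3160)] * 3
    + [(3160, "rI7FK34.exe", 3260)] * 3
    + [(3260, "1Ff69WZ4.exe", 792)] * 3
    + [(3260, "1Ff69WZ4.exe", 116)] * 8
    + [(3160, "rI7FK34.exe", 4008)] * 3
    + [(4008, "2mI8436.exe", 548)] * 10
    + [(4444, "Op9Fk77.exe", 408)] * 3
    + [(408, "3IW07tF.exe", 3412)] * 6
    + [(3324, ROOT, 2980)] * 3
    + [(2980, "4zQ997RJ.exe", 4588)] * 8
)

# (caller pid, caller image, target pid), one tuple per "set thread context of" line.
SETCTX_EVENTS = [
    (3260, "1Ff69WZ4.exe", 116),
    (4008, "2mI8436.exe", 548),
    (408, "3IW07tF.exe", 3412),
    (2980, "4zQ997RJ.exe", 4588),
]

# Target PID -> image path, taken from the report's process tree.
PID_IMAGE = {792: APPLAUNCH, 116: APPLAUNCH, 548: APPLAUNCH, 3412: APPLAUNCH, 4588: APPLAUNCH}

# Signed .NET host images that loaders commonly start suspended and overwrite.
# The report's case is AppLaunch.exe; the rest of the list is an assumption.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def injection_candidates(write_events, setctx_events, pid_image):
    """One candidate per SetThreadContext, annotated with the caller's writes into that target.

    Writes alone are not enough: in this monitor a plain CreateProcess also
    shows as three writes from parent to child, so the SetThreadContext is
    what separates hollowing from ordinary spawning.
    """
    writes = Counter((writer, target) for writer, _, target in write_events)
    out = []
    for caller, caller_image, target in setctx_events:
        target_image = pid_image.get(target, "<unknown>")
        base = target_image.rsplit("\\", 1)[-1].lower()
        out.append({
            "injector": caller_image,
            "injector_pid": caller,
            "target_pid": target,
            "target_image": target_image,
            "write_events": writes[(caller, target)],
            "known_hollow_host": base in HOLLOW_HOSTS,
        })
    return sorted(out, key=lambda c: c["target_pid"])


def writes_without_setctx(write_events, setctx_events):
    """(writer, target) pairs that were written to but never had a thread context set."""
    ctx = {(caller, target) for caller, _, target in setctx_events}
    return sorted({(writer, target) for writer, _, target in write_events} - ctx)


if __name__ == "__main__":
    for c in injection_candidates(WRITE_EVENTS, SETCTX_EVENTS, PID_IMAGE):
        flag = "hollow-host" if c["known_hollow_host"] else "other-target"
        print(f"{c['injector']} ({c['injector_pid']}) -> PID {c['target_pid']} "
              f"{c['target_image']}: {c['write_events']} writes + SetThreadContext [{flag}]")
    print("write-only pairs:", writes_without_setctx(WRITE_EVENTS, SETCTX_EVENTS))
```

Run against the report's data this yields four candidates, all targeting AppLaunch.exe, and seven write-only pairs: the six ordinary dropper-to-child spawns and the abandoned first AppLaunch.exe (PID 792) that 1Ff69WZ4.exe started but never redirected.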
Processes (indentation = parent/child depth; "cmd:" is the recorded command line)

1  C:\Users\Admin\AppData\Local\Temp\3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\3ae8cc733ec108080a1919852f9eed660c71dff454329a044b21af12ce8fa4e3.exe"
   PID 3324
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op9Fk77.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Op9Fk77.exe
      PID 4444
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rI7FK34.exe
         cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rI7FK34.exe
         PID 3160
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ff69WZ4.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Ff69WZ4.exe
            PID 3260
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
               cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
               PID 792
            5  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
               cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
               PID 116
               - Modifies Windows Defender Real-time Protection settings
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
            5  C:\Windows\SysWOW64\WerFault.exe
               cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 608
               PID 1284
               - Program crash
         4  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mI8436.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mI8436.exe
            PID 4008
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
               cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
               PID 548
            5  C:\Windows\SysWOW64\WerFault.exe
               cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 572
               PID 4140
               - Program crash
      3  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IW07tF.exe
         cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3IW07tF.exe
         PID 408
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            PID 3412
            - Checks SCSI registry key(s)
         4  C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 572
            PID 4272
            - Program crash
   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zQ997RJ.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4zQ997RJ.exe
      PID 2980
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
         PID 4588
      3  C:\Windows\SysWOW64\WerFault.exe
         cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 572
         PID 3600
         - Program crash

1  C:\Windows\SysWOW64\WerFault.exe
   cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3260 -ip 3260
   PID 4216

1  C:\Windows\SysWOW64\WerFault.exe
   cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4008 -ip 4008
   PID 3532

1  C:\Windows\SysWOW64\WerFault.exe
   cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 408 -ip 408
   PID 2960

1  C:\Windows\SysWOW64\WerFault.exe
   cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2980 -ip 2980
   PID 3724

1  C:\Windows\system32\sc.exe
   cmd: C:\Windows\system32\sc.exe start wuauserv
   PID 5116
   - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
Downloads

Filesize: 486KB
MD5: 00c781c1a5a925ca9bdcd6ad04ea2b06
SHA1: 5f38e88beb9c393cea4baf891f315dab3861fa7d
SHA256: 7f8b87d974c6c2d287aa2900b29835cfa76fcbff144aa6e74143152f3f2fe8d1
SHA512: 46976b08ff464076492e837fa17a3c24611519671ef538a11f281236bf69bac715507637840113d9cd97f60cce33afc9b23aadf866717e121aa5dec9cae1d3d8

Filesize: 654KB
MD5: 06b98319424809f40aab2aa25a0eaa97
SHA1: 29f5653c0c8ab96dfc5448dfa7905065e0b30eca
SHA256: bfe6775656ff4b278516ca6770f7e49cdee3e0634740689f1861860ee20ed7c5
SHA512: 934a7379d9ad87c00a29ee0c217359e938488d7fba16e7cf0a21bbd8645b1eb7d7466afbaef6ddf03d41e8b1173ab014d08f53c0f34c6bcaf3cf748b8736763e

Filesize: 294KB
MD5: 7c2deede43e8c1956b006b1bba71e487
SHA1: 0ce56c5e6b75ee49784b292eea1cde63848dc878
SHA256: 25b116a8d53057ce4c2fd2ddc0ebb71b29a2a06ac6d8291fcc8c4a0a38bae5e1
SHA512: c4f9862a3ea8137efb4d7a3da054edb94981a0c7a262bcd9762801f642e0337a4f1c9657a5e3718bdd1c1a7a3168e93e128fe1704e62fa2f77cff69eaf294e6f

Filesize: 403KB
MD5: 5b0f6bb73b28259e867536399af3480c
SHA1: d10b298aeb766e21d47408fc73f505a7187cbf0c
SHA256: fbe4d3d9dd6925d40a98ede371080a34a3e68fef342f5c66f4d8eceaec5c342e
SHA512: eca50c7f7b38a83eed685669579714c568b9198860c2dd60ead8f039f81ed9a2b241b208e31e5829fe480557f23a12fc5030796750396f0fa6ea50f310362f23

Filesize: 277KB
MD5: 57b209441e027b6f046eb096af754dea
SHA1: c0ba339a2e2f0452f92504dc457ed0a13c75d60f
SHA256: 17f767d30ed32e2a7cd42ac45ef3335bde326720e7b5a04c856a2cc3ab7076b8
SHA512: a93a70f7dc32d4416b392359df22da01fcc73ef84ff9484437dc6ef6d11b678abbeb7cfc4ae5b168823c44573b7ba112fc2ce3ae978240e558774cd2d738c86a

Filesize: 450KB
MD5: d4be2c5b707bf8843e59188945b51203
SHA1: 35f0cde80b5e04204700ca82e1d866e369d1949c
SHA256: 8571095773c6e5ae684bb053bdc6822ab5bae4b212ccb29855d2380937a5a2fa
SHA512: e914c757ce1e0f8cc8409bcb85f302c26b2cd5277a22355b3116ad54ffdea8627b28b456bf5c857d5aee1c6034ca1269f9ec5c2620a92de557032beb3cee2190