Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24/05/2024, 10:07
General
-
Target
56d014c086bdbb8e6727c4aa360408eb457604ca6d788375c3e76d1fc1282a70.exe
-
Size
1.1MB
-
MD5
390faea7dece9ed80b3699b6223e8fd5
-
SHA1
a1e00a7cc23aacddeab3203a987ec37f645b80ac
-
SHA256
56d014c086bdbb8e6727c4aa360408eb457604ca6d788375c3e76d1fc1282a70
-
SHA512
c9d4674c9bfcf72a7616cc30c01de867b405ba46f0ff72217920fbb0e243da52a97d7c0f483c23fa96a213addbd1a84bfcd2c5ead960b23668a20a9c5e20f928
-
SSDEEP
24576:LyjTfPGEMBaeOharfPsvaRxbFFZ47NGqKN3/mJ7a/sv:+jTHGEDeT3T/ZetKZE7a/
Malware Config
Extracted
redline
magia
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56d014c086bdbb8e6727c4aa360408eb457604ca6d788375c3e76d1fc1282a70.exe"C:\Users\Admin\AppData\Local\Temp\56d014c086bdbb8e6727c4aa360408eb457604ca6d788375c3e76d1fc1282a70.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\My3xt57.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\My3xt57.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jz0Vb45.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Jz0Vb45.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hj1wP54.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\hj1wP54.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dj64RS4.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Dj64RS4.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy7755.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Yy7755.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 6086⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uw01Fq.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3uw01Fq.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 5725⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nB010nc.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nB010nc.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 6124⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ae4ON6.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ae4ON6.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40DC.tmp\40DD.tmp\40DE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Ae4ON6.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4276,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3880 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1524 -ip 15241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3080 -ip 30801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 436 -ip 4361⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4820,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4912,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5012,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5432 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5564,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5576 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5616,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5644 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6012,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:81⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6176,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6572,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6208 /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5928,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5124,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5604,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5876 /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88B
MD50ec04fde104330459c151848382806e8
SHA13b0b78d467f2db035a03e378f7b3a3823fa3d156
SHA2561ee0a6f7c4006a36891e2fd72a0257e89fd79ad811987c0e17f847fe99ea695f
SHA5128b928989f17f09282e008da27e8b7fd373c99d5cafb85b5f623e02dbb6273f0ed76a9fbbfef0b080dbba53b6de8ee491ea379a38e5b6ca0763b11dd4de544b40
-
Filesize
97KB
MD509a0c9c67a668f95005d80047b1151c2
SHA1d77e6e74b61b379b2c23421bf07dddc3a54e902a
SHA2568737837e29992a01c68afc6ce6f2ba8a0f301d8cbe084b8e3a72a1a7820ec57c
SHA51246c315c219b76b8b9aa4f5faad552eecf2b6f998b0c3c787029736f3ff66ac75127c0752ecc9f12bef97125f29e12406c0cecdaf28386813dbe4cc37e38137e1
-
Filesize
1018KB
MD577dbedc62a7d1fa49469e095ef9ab1fd
SHA103482037a34640319f338eff78f1a6fa0b20e1cd
SHA2568ed95765f9964a1d8ef124463805eeabd2cca82e05230a4b27f5905897e3c415
SHA51235b567cdc3ce2003b3f431e6166fca42933d9469861e03da29b7041e714b649f25592ba3772a9908208e8dee994d1cc13365251a980184a240677dc993a7fd4a
-
Filesize
461KB
MD523e08358a6a84ce052d2ec882648cd28
SHA1ed08af4489d9939c740e4a05f320b513d3a9291c
SHA25609aa8bb7d372a6efaf64f43e794e9ead16ed0c24d3e2991c6b0305eab0fbb1b1
SHA512f62ee5cf542356436204d1160e858857d074c2e5e9846573c6b662a17ddf2316fecbf68f86183d2ee5889cd8914f69fa6512e8209cd989aa45a9e9f8756dba73
-
Filesize
723KB
MD58aa984c87f621f873df7aaa6994a50d5
SHA14e5209f9e490323925f8f4f00caef2f0b38832a8
SHA2560e619958adaec4ade50fc2833c150126779e923c4c4e2fdd6489e18fa8dc3821
SHA512e50d3978e0eb7011d7d02d81bed2c995088a93fe30ac5ccf6ed3423441de2d15be830c1e37b0b577f219ca6429bde7cf5aa4e7a8a04d6ecd165ce1eb39b63108
-
Filesize
270KB
MD5b5fd67f4c5030b8ee19789a6dc346f8d
SHA1007088144b57edb928972c6a9a1ed9ffae465335
SHA256d986c54ef77cea2350bc755f4aadd218f26e49e0ac253922e8995df01fcef02d
SHA51296c5803953a6124e17b5557f84866857ac22ac7306aa23a5cf89e9e769c1791e0464dd0a7489c6e781359ed5b0a95e1b81c16ae70a63a676cc53c6b21df4687d
-
Filesize
478KB
MD505d1080c3a5c66d98fe790c86867386d
SHA12795052a3c782d4a07a5a46668069f6f9d345f6b
SHA25611e16a3df4fca6af0c81ec959c325dbcad38efb083584fb7fa752def70d4f4e9
SHA512cf7cba9891543576474fe939625289fbc8b11e9fb21ba8a6398399eab73bf8c59a56a0705738fab4a7b0cdf95df93576feae0a3f858cf1a1d5d0e16530aae368
-
Filesize
194KB
MD56241b03d68a610324ecda52f0f84e287
SHA1da80280b6e3925e455925efd6c6e59a6118269c4
SHA256ec74de9416b8ef2c3bdb1a9835e54548b3185524210d1aeffa91c98f74f751e2
SHA512a60fe447cb0bed8e6cbd7c344b19a4602553209cbda7a40993f0fdf01e096bda4b79de0b528ecebf2efa0007f81d7bd6c7ef84252b2a160c93d642a78f0095f9
-
Filesize
422KB
MD5c8f28eafb5293f95b95e76d8d95e2a25
SHA15d1fb47251923d7105a9f996069ac20e28d20d43
SHA256778c3435847e4b9d070bb1d542190b3129d5c6ff568aa985686405be6874c480
SHA51272c6ae6ddf763ee9c6f494ea5ba5ef493b21ee7899005ade66b8917ad4a3135671582d8325cb5958cabc07fd5a88cd65b9765686e769121b058920fd0a9ee856
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
120KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
5.6MB
-
Filesize
36KB