Analysis
max time kernel: 145s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 10:41
Static task static1
Behavioral task behavioral1: Sample 04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe, Resource win10v2004-20240426-en
Behavioral task behavioral2: Sample 0b23052e1def21c0e818780565a7776ae96e61597a9cf4ab1fc690daa4a85105.exe, Resource win10v2004-20240426-en
Behavioral task behavioral3: Sample 1319d8370208b00e5260cfc0b8f145575c62bd43ab6f76605a992afeb6737f15.exe, Resource win10v2004-20240426-en
Behavioral task behavioral4: Sample 15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe, Resource win10v2004-20240508-en
Behavioral task behavioral5: Sample 19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe, Resource win10v2004-20240508-en
Behavioral task behavioral6: Sample 2864919e9fd253aa62ab37d5b02410fa89dd3ead4618da0b908d3b41e73167b7.exe, Resource win10v2004-20240426-en
Behavioral task behavioral7: Sample 2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe, Resource win10v2004-20240426-en
Behavioral task behavioral8: Sample 3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe, Resource win10v2004-20240508-en
Behavioral task behavioral9: Sample 4920924329af964d29e90b0bd3763c20450919411ad6b6ddabfd88061a7555b6.exe, Resource win10v2004-20240426-en
Behavioral task behavioral10: Sample 6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe, Resource win10v2004-20240426-en
Behavioral task behavioral11: Sample 6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe, Resource win10v2004-20240426-en
Behavioral task behavioral12: Sample 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe, Resource win10v2004-20240426-en
Behavioral task behavioral13: Sample 7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe, Resource win10v2004-20240426-en
Behavioral task behavioral14: Sample 7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe, Resource win10v2004-20240508-en
Behavioral task behavioral15: Sample 93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe, Resource win10v2004-20240426-en
Behavioral task behavioral16: Sample a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe, Resource win10v2004-20240508-en
Behavioral task behavioral17: Sample af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe, Resource win10v2004-20240508-en
Behavioral task behavioral18: Sample bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe, Resource win10v2004-20240508-en
Behavioral task behavioral19: Sample db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe, Resource win10v2004-20240508-en
Behavioral task behavioral20: Sample f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe, Resource win10v2004-20240226-en
General
Target: 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
Size: 960KB
MD5: 434e0981e30d301a832a17e279104945
SHA1: f1aa4d85961747aa1ffd030a074e406ef37101be
SHA256: 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0
SHA512: 02cc56eb6661599b6d670e4fcdf852c76bedc34c83dbd864b42494801eea6bc6c2ae12493112c27f93b2f9256c4ef8af0fa7ad0c03d27b4e244c7777d88af117
SSDEEP: 12288:qMrDy90XE2JeSkUMBXNM1odv9TLauZxbiJsfPMoG1whZ87XQqHUrE1D5q/1GgfgX:9yexJeDB+oZFd+JsfUonZ8ZHBKI5aC
Malware Config
Extracted: mystic
  http://5.42.92.211/
Extracted: redline
  breha
  77.91.124.55:19071
Signatures

Detect Mystic stealer payload (3 IoCs)
  resource | yara_rule
  behavioral12/memory/2116-25-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral12/memory/2116-28-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family
  behavioral12/memory/2116-26-0x0000000000400000-0x0000000000433000-memory.dmp | mystic_family

Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | AppLaunch.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | AppLaunch.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource | yara_rule
  behavioral12/memory/4272-36-0x0000000000400000-0x000000000043E000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (6 IoCs)
  pid | Process
  3548 | Yc7nH31.exe
  4908 | zx2VY19.exe
  4884 | 1UX55by6.exe
  728 | 2Al5841.exe
  1404 | 3MK92QP.exe
  3196 | 4pW805zC.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | zx2VY19.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | Yc7nH31.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 4884 set thread context of 4312 | 4884 | 1UX55by6.exe | 86
  PID 728 set thread context of 2116 | 728 | 2Al5841.exe | 94
  PID 1404 set thread context of 3476 | 1404 | 3MK92QP.exe | 98
  PID 3196 set thread context of 4272 | 3196 | 4pW805zC.exe | 102

Program crash (4 IoCs)
  pid | pid_target | Process | procid_target
  4212 | 4884 | WerFault.exe | 85
  2220 | 728 | WerFault.exe | 92
  4112 | 1404 | WerFault.exe | 97
  2444 | 3196 | WerFault.exe | 101

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  4312 | AppLaunch.exe
  4312 | AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 4312 | AppLaunch.exe

Suspicious use of WriteProcessMemory (50 IoCs)
  description | pid | Process | procid_target
  PID 1516 wrote to memory of 3548 | 1516 | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe | 83
  PID 1516 wrote to memory of 3548 | 1516 | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe | 83
  PID 1516 wrote to memory of 3548 | 1516 | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe | 83
  PID 3548 wrote to memory of 4908 | 3548 | Yc7nH31.exe | 84
  PID 3548 wrote to memory of 4908 | 3548 | Yc7nH31.exe | 84
  PID 3548 wrote to memory of 4908 | 3548 | Yc7nH31.exe | 84
  PID 4908 wrote to memory of 4884 | 4908 | zx2VY19.exe | 85
  PID 4908 wrote to memory of 4884 | 4908 | zx2VY19.exe | 85
  PID 4908 wrote to memory of 4884 | 4908 | zx2VY19.exe | 85
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4884 wrote to memory of 4312 | 4884 | 1UX55by6.exe | 86
  PID 4908 wrote to memory of 728 | 4908 | zx2VY19.exe | 92
  PID 4908 wrote to memory of 728 | 4908 | zx2VY19.exe | 92
  PID 4908 wrote to memory of 728 | 4908 | zx2VY19.exe | 92
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 728 wrote to memory of 2116 | 728 | 2Al5841.exe | 94
  PID 3548 wrote to memory of 1404 | 3548 | Yc7nH31.exe | 97
  PID 3548 wrote to memory of 1404 | 3548 | Yc7nH31.exe | 97
  PID 3548 wrote to memory of 1404 | 3548 | Yc7nH31.exe | 97
  PID 1404 wrote to memory of 3476 | 1404 | 3MK92QP.exe | 98
  PID 1404 wrote to memory of 3476 | 1404 | 3MK92QP.exe | 98
  PID 1404 wrote to memory of 3476 | 1404 | 3MK92QP.exe | 98
  PID 1404 wrote to memory of 3476 | 1404 | 3MK92QP.exe | 98
  PID 1404 wrote to memory of 3476 | 1404 | 3MK92QP.exe | 98
  PID 1404 wrote to memory of 3476 | 1404 | 3MK92QP.exe | 98
  PID 1516 wrote to memory of 3196 | 1516 | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe | 101
  PID 1516 wrote to memory of 3196 | 1516 | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe | 101
  PID 1516 wrote to memory of 3196 | 1516 | 6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe | 101
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
  PID 3196 wrote to memory of 4272 | 3196 | 4pW805zC.exe | 102
Processes (depth number = position in the process tree; command line as recorded, followed by the signatures hit and the PID)

1. "C:\Users\Admin\AppData\Local\Temp\6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe" (PID 1516)
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exe (PID 3548)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exe (PID 4908)
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exe (PID 4884)
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 4312)
               - Modifies Windows Defender Real-time Protection settings
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
            5. C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 600 (PID 4212)
               - Program crash
         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exe (PID 728)
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 2116)
            5. C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 572 (PID 2220)
               - Program crash
      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exe (PID 1404)
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         4. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 3476)
            - Checks SCSI registry key(s)
         4. C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 568 (PID 4112)
            - Program crash
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exe (PID 3196)
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" (PID 4272)
      3. C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 572 (PID 2444)
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4884 -ip 4884 (PID 4184)
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 728 -ip 728 (PID 2940)
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1404 -ip 1404 (PID 3144)
1. C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3196 -ip 3196 (PID 1288)
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads