Overview

overview

10

Static

static

3

04a0e65087...2d.exe

windows10-2004-x64

10

0b23052e1d...05.exe

windows10-2004-x64

10

1319d83702...15.exe

windows10-2004-x64

10

15bb5ac797...dd.exe

windows10-2004-x64

10

19eb5c3dd8...ec.exe

windows10-2004-x64

10

2864919e9f...b7.exe

windows10-2004-x64

10

2f05412e59...2c.exe

windows10-2004-x64

10

3fd9e44b8d...84.exe

windows10-2004-x64

10

4920924329...b6.exe

windows10-2004-x64

10

6d6ab7a20c...33.exe

windows10-2004-x64

10

6e839edc16...b0.exe

windows10-2004-x64

10

6ff00efb56...f0.exe

windows10-2004-x64

10

7018985aa0...8e.exe

windows10-2004-x64

10

7b28b5b2ff...4e.exe

windows10-2004-x64

10

93bee57b71...41.exe

windows10-2004-x64

10

a22d19b8f1...9a.exe

windows10-2004-x64

10

af3432152c...8d.exe

windows10-2004-x64

10

bf27d39d4b...d1.exe

windows10-2004-x64

10

db87d25edb...b5.exe

windows10-2004-x64

10

f935568ec0...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe

  • Size

    960KB

  • MD5

    434e0981e30d301a832a17e279104945

  • SHA1

    f1aa4d85961747aa1ffd030a074e406ef37101be

  • SHA256

    6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0

  • SHA512

    02cc56eb6661599b6d670e4fcdf852c76bedc34c83dbd864b42494801eea6bc6c2ae12493112c27f93b2f9256c4ef8af0fa7ad0c03d27b4e244c7777d88af117

  • SSDEEP

    12288:qMrDy90XE2JeSkUMBXNM1odv9TLauZxbiJsfPMoG1whZ87XQqHUrE1D5q/1GgfgX:9yexJeDB+oZFd+JsfUonZ8ZHBKI5aC

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

mystic

C2

http://5.42.92.211/

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
    "C:\Users\Admin\AppData\Local\Temp\6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4908
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4884
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4312
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 600
            5⤵
            • Program crash
            PID:4212
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:728
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2116
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 572
              5⤵
              • Program crash
              PID:2220
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Checks SCSI registry key(s)
            PID:3476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 568
            4⤵
            • Program crash
            PID:4112
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3196
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          3⤵
            PID:4272
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 572
            3⤵
            • Program crash
            PID:2444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4884 -ip 4884
        1⤵
          PID:4184
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 728 -ip 728
          1⤵
            PID:2940
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1404 -ip 1404
            1⤵
              PID:3144
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3196 -ip 3196
              1⤵
                PID:1288

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exe
                Filesize

                486KB

                MD5

                314e9ac2292ad44e1763375c5e8c3d69

                SHA1

                31afb2af132fec502ba92f0701fc8236f635e95e

                SHA256

                54a6eeff0577fa7a11ce53417ce3109c41ccdd9eed6188fc4c35f603e18caf18

                SHA512

                0e01a50c3a045c1c7d770a91d156f57f37dd142c88512f1e8e89449106d8759a8fd011328a01584289ee87fb35685c2edfbd3b17d4e79e115d9f877ba8e54449

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exe
                Filesize

                658KB

                MD5

                ab9bd79aada7aff18e6a4d4e47ea7f1b

                SHA1

                219b2363f804bea1f48f6968ffc587326e0e437c

                SHA256

                9f445b2fc94d083e9facaa8121cd3723b66d978b3556d4598e0e15b7339d6530

                SHA512

                dcc4331dc6c03deccb3c8820b6fc99f87afd13113ae48925c6400bf585963d13eb80b8c68b333cb966aed9622e5dad42d59a1aba0609b055d9717ace7cca1698

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exe
                Filesize

                295KB

                MD5

                0068dedc017dbc1a4909c43585ef85cc

                SHA1

                98c0ace3797e9b82e9985a212a11ff1b5e222f59

                SHA256

                7b170cd436488e9dddfb4c4d49c2403739f4231bc159ca4a77d4c3ad9f63b1bd

                SHA512

                8177aa653fbf0fcaf6829d041effac244142cecfe334dffdd0184643869f55163f797e578c9612432dd3d141423de55cca51cd10689f5eef1120487f54feac08

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exe
                Filesize

                407KB

                MD5

                925279a3e73b5e6270024ccc22e20455

                SHA1

                e935db224492c03f6ed49c54c84576d9aa18bf03

                SHA256

                c589e40bf545842a746b78deb6c4cd0b2b9b34f5841d44a80eb9782acfd71969

                SHA512

                06647fd945e399c83efcfb2c17123e076a49bbdd5a2e8ce9997da01486de83ea7ccc772b2dc0d28b1d2d9f0f684f21122fdd52c6f89ae521eee6f7dd3274099e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exe
                Filesize

                276KB

                MD5

                8e22a35113710bfde1c6f071413c7ab8

                SHA1

                c8c7331630ddc672108fd49715847d4edd33488a

                SHA256

                0c07ebbf10ecddbecf1395f3ec32989d1156b71b011026f911fcb063e6494b03

                SHA512

                2a2d48c45e766f10fe0beafb737edf1debeeae857e69a5cb341762e22901767b304c6e1a8ecd351957762b43a0a05d4051a8b1f6284443bd53ca8e9ee9ed48e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exe
                Filesize

                450KB

                MD5

                235fb90276a1f78b6d6251a291ab4ddc

                SHA1

                a9c58e266b41fe77f4360f9cf3a848776d0902ec

                SHA256

                e127f14498e59c5ef3b29b5353c148260096d11f021da05e9d9402bfeb4bf18a

                SHA512

                399b84e1b2aa15fc02b41f83afb97d70f62cb153d7254e71f8033f93f814520b390d55873d17ad763856f8a3ecfc2db84618145b52fcd15c37b627605aca9999

                Download Submit

              • memory/2116-25-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/2116-26-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/2116-28-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/3476-32-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/4272-41-0x0000000007FC0000-0x00000000080CA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4272-36-0x0000000000400000-0x000000000043E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/4272-38-0x0000000007CA0000-0x0000000007D32000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4272-37-0x0000000008170000-0x0000000008714000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4272-39-0x0000000005160000-0x000000000516A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4272-40-0x0000000008D40000-0x0000000009358000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4272-42-0x0000000007E50000-0x0000000007E62000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4272-43-0x0000000007EF0000-0x0000000007F2C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4272-44-0x0000000007F30000-0x0000000007F7C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4312-21-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download