Analysis
-
max time kernel
145s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
24-05-2024 10:41
General
-
Target
6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
-
Size
960KB
-
MD5
434e0981e30d301a832a17e279104945
-
SHA1
f1aa4d85961747aa1ffd030a074e406ef37101be
-
SHA256
6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0
-
SHA512
02cc56eb6661599b6d670e4fcdf852c76bedc34c83dbd864b42494801eea6bc6c2ae12493112c27f93b2f9256c4ef8af0fa7ad0c03d27b4e244c7777d88af117
-
SSDEEP
12288:qMrDy90XE2JeSkUMBXNM1odv9TLauZxbiJsfPMoG1whZ87XQqHUrE1D5q/1GgfgX:9yexJeDB+oZFd+JsfUonZ8ZHBKI5aC
Malware Config
Extracted
mystic
http://5.42.92.211/
Extracted
redline
breha
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 3 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 6 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Program crash 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe"C:\Users\Admin\AppData\Local\Temp\6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 6005⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 5725⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 5684⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 5723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4884 -ip 48841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 728 -ip 7281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1404 -ip 14041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3196 -ip 31961⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4pW805zC.exeFilesize
486KB
MD5314e9ac2292ad44e1763375c5e8c3d69
SHA131afb2af132fec502ba92f0701fc8236f635e95e
SHA25654a6eeff0577fa7a11ce53417ce3109c41ccdd9eed6188fc4c35f603e18caf18
SHA5120e01a50c3a045c1c7d770a91d156f57f37dd142c88512f1e8e89449106d8759a8fd011328a01584289ee87fb35685c2edfbd3b17d4e79e115d9f877ba8e54449
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Yc7nH31.exeFilesize
658KB
MD5ab9bd79aada7aff18e6a4d4e47ea7f1b
SHA1219b2363f804bea1f48f6968ffc587326e0e437c
SHA2569f445b2fc94d083e9facaa8121cd3723b66d978b3556d4598e0e15b7339d6530
SHA512dcc4331dc6c03deccb3c8820b6fc99f87afd13113ae48925c6400bf585963d13eb80b8c68b333cb966aed9622e5dad42d59a1aba0609b055d9717ace7cca1698
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3MK92QP.exeFilesize
295KB
MD50068dedc017dbc1a4909c43585ef85cc
SHA198c0ace3797e9b82e9985a212a11ff1b5e222f59
SHA2567b170cd436488e9dddfb4c4d49c2403739f4231bc159ca4a77d4c3ad9f63b1bd
SHA5128177aa653fbf0fcaf6829d041effac244142cecfe334dffdd0184643869f55163f797e578c9612432dd3d141423de55cca51cd10689f5eef1120487f54feac08
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zx2VY19.exeFilesize
407KB
MD5925279a3e73b5e6270024ccc22e20455
SHA1e935db224492c03f6ed49c54c84576d9aa18bf03
SHA256c589e40bf545842a746b78deb6c4cd0b2b9b34f5841d44a80eb9782acfd71969
SHA51206647fd945e399c83efcfb2c17123e076a49bbdd5a2e8ce9997da01486de83ea7ccc772b2dc0d28b1d2d9f0f684f21122fdd52c6f89ae521eee6f7dd3274099e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UX55by6.exeFilesize
276KB
MD58e22a35113710bfde1c6f071413c7ab8
SHA1c8c7331630ddc672108fd49715847d4edd33488a
SHA2560c07ebbf10ecddbecf1395f3ec32989d1156b71b011026f911fcb063e6494b03
SHA5122a2d48c45e766f10fe0beafb737edf1debeeae857e69a5cb341762e22901767b304c6e1a8ecd351957762b43a0a05d4051a8b1f6284443bd53ca8e9ee9ed48e0
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Al5841.exeFilesize
450KB
MD5235fb90276a1f78b6d6251a291ab4ddc
SHA1a9c58e266b41fe77f4360f9cf3a848776d0902ec
SHA256e127f14498e59c5ef3b29b5353c148260096d11f021da05e9d9402bfeb4bf18a
SHA512399b84e1b2aa15fc02b41f83afb97d70f62cb153d7254e71f8033f93f814520b390d55873d17ad763856f8a3ecfc2db84618145b52fcd15c37b627605aca9999
-
memory/2116-25-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2116-26-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2116-28-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/3476-32-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4272-41-0x0000000007FC0000-0x00000000080CA000-memory.dmpFilesize
1.0MB
-
memory/4272-36-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4272-38-0x0000000007CA0000-0x0000000007D32000-memory.dmpFilesize
584KB
-
memory/4272-37-0x0000000008170000-0x0000000008714000-memory.dmpFilesize
5.6MB
-
memory/4272-39-0x0000000005160000-0x000000000516A000-memory.dmpFilesize
40KB
-
memory/4272-40-0x0000000008D40000-0x0000000009358000-memory.dmpFilesize
6.1MB
-
memory/4272-42-0x0000000007E50000-0x0000000007E62000-memory.dmpFilesize
72KB
-
memory/4272-43-0x0000000007EF0000-0x0000000007F2C000-memory.dmpFilesize
240KB
-
memory/4272-44-0x0000000007F30000-0x0000000007F7C000-memory.dmpFilesize
304KB
-
memory/4312-21-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB