Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-05-2024 10:41

General

  • Target

    db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe

  • Size

    818KB

  • MD5

    7967bbff3e07fba124d8dea54e35eb77

  • SHA1

    ddc12b8277caecdd80f5b01d69b1ab7b0c2e47da

  • SHA256

    db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5

  • SHA512

    fb2db1d102f8fd17ebe1e0e49ac195a671b3222529436d177d5561bc843357106e863a190e9b06052bc6c4493ca045226aa5c9cb0d2d552a6c1edd82b6ff555a

  • SSDEEP

    24576:jyD5iE2i4/+TVlB7ISI6Ajq4VCSeJ2j2ab1A:21ID/onBmVLj28

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 2 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
    "C:\Users\Admin\AppData\Local\Temp\db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4492
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lZ7Ij1rd.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lZ7Ij1rd.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu3Qy3qw.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu3Qy3qw.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2792
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UZ83nq3.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UZ83nq3.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4928
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:2368
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:1344
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 588
                5⤵
                • Program crash
                PID:3316
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2SI637GC.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2SI637GC.exe
              4⤵
              • Executes dropped EXE
              PID:888
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4444,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
        1⤵
          PID:1460
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4928 -ip 4928
          1⤵
            PID:1412

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (1)
    • T1547.001 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    • T1112 Modify Registry (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lZ7Ij1rd.exe
    • Filesize: 583KB
    • MD5: 3cb8ab596c2f49decc3c80e0809b5bfb
    • SHA1: 6dfdc50e8dbd6b1d393a9d9a22b8d43d8309decf
    • SHA256: 5ec3536683e22c7ac0f4b87f8eeb050c839dde046f1b848120e1bea9e5d772c2
    • SHA512: a5692534273c605f121083e7583e046fd56ca1a1d59b7cafba90d1fbac8bcd3b3996a8c5e20edbde725b180f18775f471b6b376d30a5afa66ff98b58cee92c6f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cu3Qy3qw.exe
    • Filesize: 383KB
    • MD5: 93833fe8aab95b2c03057b727f4cf1e4
    • SHA1: 035778f8574072c91b0f24e884b81fb04307d267
    • SHA256: 26c470a8b0d923529cb630dee55e87b901f38e0ee675c3213b68e8b1db239e9a
    • SHA512: df64baedc559146652d0463b8164f0c546c8c6ada13b66b1e5adc47a5391d6b1894d46ad3563e839072144296786c90b1658686058207646f779a563afddfb52

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1UZ83nq3.exe
    • Filesize: 298KB
    • MD5: 4537b33120339c8cd45fdfaca6e2ba28
    • SHA1: d8e3aa200f29478769eb9ba985e62755c2c2ddf2
    • SHA256: f204bf582b6fcf0e28397ba3e40ba16eb2af1756d20ae2caf1e64b3c1870ece8
    • SHA512: 337dd140c442ca3bf34d071a7ff454cee5340ad5ea85cdff1e27678a89b98c0a0ff4a4bfe7296a2766decf4de0bb4ca1cce76503c05a1b0e1a31d7a8b8f2eb1c

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2SI637GC.exe
    • Filesize: 222KB
    • MD5: 6fa7339f30118f8861b9c0e60bc7680e
    • SHA1: 379f2426b2f25c401783a13fcf245cefdd8f7b6d
    • SHA256: dd4dd74c6f607744352dbafccf31ee23126ad9dbf8eebbc91c7847cb5368910b
    • SHA512: a907dd11a640e9a8a1c671b7c963c09f138b14c8c0d13374ca3a09a3a9960356a4183a33ae5f18cc56037556637873bfdf8c2e5080adfe0edc126e40c86c192a

  • memory/888-29-0x0000000002C70000-0x0000000002C7A000-memory.dmp
    • Filesize: 40KB

  • memory/888-26-0x0000000000A50000-0x0000000000A8E000-memory.dmp
    • Filesize: 248KB

  • memory/888-27-0x0000000007D70000-0x0000000008314000-memory.dmp
    • Filesize: 5.6MB

  • memory/888-28-0x0000000007860000-0x00000000078F2000-memory.dmp
    • Filesize: 584KB

  • memory/888-30-0x0000000008940000-0x0000000008F58000-memory.dmp
    • Filesize: 6.1MB

  • memory/888-31-0x0000000007B80000-0x0000000007C8A000-memory.dmp
    • Filesize: 1.0MB

  • memory/888-32-0x00000000079F0000-0x0000000007A02000-memory.dmp
    • Filesize: 72KB

  • memory/888-33-0x0000000007A60000-0x0000000007A9C000-memory.dmp
    • Filesize: 240KB

  • memory/888-34-0x0000000007AA0000-0x0000000007AEC000-memory.dmp
    • Filesize: 304KB

  • memory/1344-22-0x0000000000400000-0x0000000000432000-memory.dmp
    • Filesize: 200KB

  • memory/1344-21-0x0000000000400000-0x0000000000432000-memory.dmp
    • Filesize: 200KB