Overview

overview

10

Static

static

3

04a0e65087...2d.exe

windows10-2004-x64

10

0b23052e1d...05.exe

windows10-2004-x64

10

1319d83702...15.exe

windows10-2004-x64

10

15bb5ac797...dd.exe

windows10-2004-x64

10

19eb5c3dd8...ec.exe

windows10-2004-x64

10

2864919e9f...b7.exe

windows10-2004-x64

10

2f05412e59...2c.exe

windows10-2004-x64

10

3fd9e44b8d...84.exe

windows10-2004-x64

10

4920924329...b6.exe

windows10-2004-x64

10

6d6ab7a20c...33.exe

windows10-2004-x64

10

6e839edc16...b0.exe

windows10-2004-x64

10

6ff00efb56...f0.exe

windows10-2004-x64

10

7018985aa0...8e.exe

windows10-2004-x64

10

7b28b5b2ff...4e.exe

windows10-2004-x64

10

93bee57b71...41.exe

windows10-2004-x64

10

a22d19b8f1...9a.exe

windows10-2004-x64

10

af3432152c...8d.exe

windows10-2004-x64

10

bf27d39d4b...d1.exe

windows10-2004-x64

10

db87d25edb...b5.exe

windows10-2004-x64

10

f935568ec0...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe

  • Size

    382KB

  • MD5

    4b6a6b8c35f3dda3915da3cac190029e

  • SHA1

    3597679ae4df56f9683b53c33cbdc79a55b4bfe1

  • SHA256

    f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c

  • SHA512

    0b0433d33affb13aed2bd576a60d5a27e838dae3d7054c5e7ee9f1147cbdf2ab81d74a53c3b68d6ebc564f6937db752651ef3bc00b3fe99f40399be35452e74d

  • SSDEEP

    6144:KQy+bnr+vp0yN90QEOHNFg2bq4vsR+dfPlqz5Dq4YL+BeqliSdt9n4y9r2ja3m0n:4MrHy90S+2bm01I5zKUASdoQ2ezIBFC

Score
10/10
mysticredlinekukishinfostealerpersistencestealer

Malware Config

Extracted

Family

redline

Botnet

kukish

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 4 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
    "C:\Users\Admin\AppData\Local\Temp\f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
          PID:3688
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 540
            4⤵
            • Program crash
            PID:1072
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 152
          3⤵
          • Program crash
          PID:1724
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe
        2⤵
        • Executes dropped EXE
        PID:4340
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3688 -ip 3688
      1⤵
        PID:4692
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1064 -ip 1064
        1⤵
          PID:3468
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:916

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Initial Access

          Execution

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Resource Development

          Reconnaissance

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe
            Filesize

            295KB

            MD5

            23ca287e2b958b8d67e03c6783ef0a99

            SHA1

            d893dc76c6110c12e50c1c5f2c210970a46de17f

            SHA256

            a072d9a92f0f7d9f4dbb17f3cfdc234c286286eeecbb29ee7c8bc30ed2fb288c

            SHA512

            6d4f005daabbc6de920f06e12cf149e4ed7be45bbbf4cadd348e95713769c2529336e0e7e072b49db5d7103cb85e4fb1f6a94a856660b647ae0ae9208be195df

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe
            Filesize

            222KB

            MD5

            21c5b31e96f384fb848cf79cf59e26ab

            SHA1

            801f17ea1b0185e612715ebaa8d7b938ec71fdc8

            SHA256

            c2c9657f2bfd2f471bf43ecd1cd1e3f0d0ca76c7d8778a7cce4bde62ba337070

            SHA512

            71e5690bb85e1797c09efd994ac711489e68e0b04fb817d7c32f7f69cb18b0283dbe3690f9056efef6b235e882acf5a3d282ffa34e9eb35d7d0e5f99ded5143a

            Download Submit
          • memory/3688-7-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/3688-8-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/3688-11-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/3688-9-0x0000000000400000-0x0000000000432000-memory.dmp
            Filesize

            200KB

            Download
          • memory/4340-17-0x0000000007FF0000-0x0000000008594000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/4340-16-0x0000000000C30000-0x0000000000C6E000-memory.dmp
            Filesize

            248KB

            Download
          • memory/4340-15-0x000000007475E000-0x000000007475F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4340-18-0x0000000007AF0000-0x0000000007B82000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4340-19-0x0000000074750000-0x0000000074F00000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4340-20-0x0000000007C00000-0x0000000007C0A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4340-21-0x0000000008BC0000-0x00000000091D8000-memory.dmp
            Filesize

            6.1MB

            Download
          • memory/4340-22-0x0000000007EA0000-0x0000000007FAA000-memory.dmp
            Filesize

            1.0MB

            Download
          • memory/4340-23-0x0000000007DD0000-0x0000000007DE2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/4340-24-0x0000000007E30000-0x0000000007E6C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/4340-25-0x00000000085A0000-0x00000000085EC000-memory.dmp
            Filesize

            304KB

            Download
          • memory/4340-26-0x000000007475E000-0x000000007475F000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4340-27-0x0000000074750000-0x0000000074F00000-memory.dmp
            Filesize

            7.7MB

            Download