Overview
overview
10Static
static
304a0e65087...2d.exe
windows10-2004-x64
100b23052e1d...05.exe
windows10-2004-x64
101319d83702...15.exe
windows10-2004-x64
1015bb5ac797...dd.exe
windows10-2004-x64
1019eb5c3dd8...ec.exe
windows10-2004-x64
102864919e9f...b7.exe
windows10-2004-x64
102f05412e59...2c.exe
windows10-2004-x64
103fd9e44b8d...84.exe
windows10-2004-x64
104920924329...b6.exe
windows10-2004-x64
106d6ab7a20c...33.exe
windows10-2004-x64
106e839edc16...b0.exe
windows10-2004-x64
106ff00efb56...f0.exe
windows10-2004-x64
107018985aa0...8e.exe
windows10-2004-x64
107b28b5b2ff...4e.exe
windows10-2004-x64
1093bee57b71...41.exe
windows10-2004-x64
10a22d19b8f1...9a.exe
windows10-2004-x64
10af3432152c...8d.exe
windows10-2004-x64
10bf27d39d4b...d1.exe
windows10-2004-x64
10db87d25edb...b5.exe
windows10-2004-x64
10f935568ec0...6c.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0b23052e1def21c0e818780565a7776ae96e61597a9cf4ab1fc690daa4a85105.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1319d8370208b00e5260cfc0b8f145575c62bd43ab6f76605a992afeb6737f15.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2864919e9fd253aa62ab37d5b02410fa89dd3ead4618da0b908d3b41e73167b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
4920924329af964d29e90b0bd3763c20450919411ad6b6ddabfd88061a7555b6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
Resource
win10v2004-20240226-en
General
-
Target
f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
-
Size
382KB
-
MD5
4b6a6b8c35f3dda3915da3cac190029e
-
SHA1
3597679ae4df56f9683b53c33cbdc79a55b4bfe1
-
SHA256
f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c
-
SHA512
0b0433d33affb13aed2bd576a60d5a27e838dae3d7054c5e7ee9f1147cbdf2ab81d74a53c3b68d6ebc564f6937db752651ef3bc00b3fe99f40399be35452e74d
-
SSDEEP
6144:KQy+bnr+vp0yN90QEOHNFg2bq4vsR+dfPlqz5Dq4YL+BeqliSdt9n4y9r2ja3m0n:4MrHy90S+2bm01I5zKUASdoQ2ezIBFC
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral20/memory/3688-7-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral20/memory/3688-8-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral20/memory/3688-11-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral20/memory/3688-9-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral20/files/0x0007000000023252-13.dat family_redline behavioral20/memory/4340-16-0x0000000000C30000-0x0000000000C6E000-memory.dmp family_redline -
Executes dropped EXE 2 IoCs
pid Process 1064 1XI06bE6.exe 4340 2Et292rp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1064 set thread context of 3688 1064 1XI06bE6.exe 92 -
Program crash 2 IoCs
pid pid_target Process procid_target 1724 1064 WerFault.exe 90 1072 3688 WerFault.exe 92 -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2348 wrote to memory of 1064 2348 f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe 90 PID 2348 wrote to memory of 1064 2348 f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe 90 PID 2348 wrote to memory of 1064 2348 f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe 90 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 1064 wrote to memory of 3688 1064 1XI06bE6.exe 92 PID 2348 wrote to memory of 4340 2348 f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe 99 PID 2348 wrote to memory of 4340 2348 f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe 99 PID 2348 wrote to memory of 4340 2348 f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe 99
Processes
-
C:\Users\Admin\AppData\Local\Temp\f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe"C:\Users\Admin\AppData\Local\Temp\f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1XI06bE6.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵PID:3688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 5404⤵
- Program crash
PID:1072
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1523⤵
- Program crash
PID:1724
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2Et292rp.exe2⤵
- Executes dropped EXE
PID:4340
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3688 -ip 36881⤵PID:4692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1064 -ip 10641⤵PID:3468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:81⤵PID:916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
295KB
MD523ca287e2b958b8d67e03c6783ef0a99
SHA1d893dc76c6110c12e50c1c5f2c210970a46de17f
SHA256a072d9a92f0f7d9f4dbb17f3cfdc234c286286eeecbb29ee7c8bc30ed2fb288c
SHA5126d4f005daabbc6de920f06e12cf149e4ed7be45bbbf4cadd348e95713769c2529336e0e7e072b49db5d7103cb85e4fb1f6a94a856660b647ae0ae9208be195df
-
Filesize
222KB
MD521c5b31e96f384fb848cf79cf59e26ab
SHA1801f17ea1b0185e612715ebaa8d7b938ec71fdc8
SHA256c2c9657f2bfd2f471bf43ecd1cd1e3f0d0ca76c7d8778a7cce4bde62ba337070
SHA51271e5690bb85e1797c09efd994ac711489e68e0b04fb817d7c32f7f69cb18b0283dbe3690f9056efef6b235e882acf5a3d282ffa34e9eb35d7d0e5f99ded5143a