Overview
overview
10Static
static
304a0e65087...2d.exe
windows10-2004-x64
100b23052e1d...05.exe
windows10-2004-x64
101319d83702...15.exe
windows10-2004-x64
1015bb5ac797...dd.exe
windows10-2004-x64
1019eb5c3dd8...ec.exe
windows10-2004-x64
102864919e9f...b7.exe
windows10-2004-x64
102f05412e59...2c.exe
windows10-2004-x64
103fd9e44b8d...84.exe
windows10-2004-x64
104920924329...b6.exe
windows10-2004-x64
106d6ab7a20c...33.exe
windows10-2004-x64
106e839edc16...b0.exe
windows10-2004-x64
106ff00efb56...f0.exe
windows10-2004-x64
107018985aa0...8e.exe
windows10-2004-x64
107b28b5b2ff...4e.exe
windows10-2004-x64
1093bee57b71...41.exe
windows10-2004-x64
10a22d19b8f1...9a.exe
windows10-2004-x64
10af3432152c...8d.exe
windows10-2004-x64
10bf27d39d4b...d1.exe
windows10-2004-x64
10db87d25edb...b5.exe
windows10-2004-x64
10f935568ec0...6c.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 10:41
Static task
static1
Behavioral task
behavioral1
Sample
04a0e650872d7846563cdcc0dd200fe4ab443abf6a07ee52486d24d18d6aba2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0b23052e1def21c0e818780565a7776ae96e61597a9cf4ab1fc690daa4a85105.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1319d8370208b00e5260cfc0b8f145575c62bd43ab6f76605a992afeb6737f15.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
15bb5ac797303fa462001ce5fd88a7bfc4702cd65f0a1768f9b994f6495a49dd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2864919e9fd253aa62ab37d5b02410fa89dd3ead4618da0b908d3b41e73167b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2f05412e59a8bdd056c643ef429f71b1cc81960c29ecda2121c342b304349d2c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
3fd9e44b8df95e2fb188e6b032b029a961609f7baa7d332929166e71f86e8b84.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
4920924329af964d29e90b0bd3763c20450919411ad6b6ddabfd88061a7555b6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
6d6ab7a20c1331b0189166b1cb07916ad2565031332833b346f8e5728ba48833.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
6e839edc16582f1c2d53d777f08720f69ec875a29be62c7adf21eaa0b7b302b0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
6ff00efb56e1358cc67995d20e4e1edfffeb0789812a5cd830e2f477e16f63f0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7018985aa093121c146c37bf15499c6914c370d8b1e61fe98047260a3f0f5d8e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
7b28b5b2ffa7298e1bc65ee1f5e49125dd2ae16da86952d43e4d1ac1e04c6e4e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
93bee57b7167fba61070c22f0c719ebb27499c5ff106633260f340e4917cf741.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
a22d19b8f183bcd64a7c85a1e82f19e6db501a7e19b93ebc313864c2a0e6ce9a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
af3432152c514465fb36f13137bae3206443814e6398ebe72ca129d56edcd08d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
bf27d39d4bcefd6acc1e63fd0bf1bee8152a76443458be36ca71657a91e2d4d1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
db87d25edb56c618d7d41f2f458fbc54cabc5289ab771f1eb34a0e08d92928b5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f935568ec008833a6b510aaa18da8f703b0263d31ec0ee4a4442facb817a946c.exe
Resource
win10v2004-20240226-en
General
-
Target
19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe
-
Size
582KB
-
MD5
d56c66c9d163f9ffbee7639f49480fc3
-
SHA1
142c8ebad2060d80751aca395115aedcda26cc34
-
SHA256
19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec
-
SHA512
30cbac04de264e17c6e178376107ac6112b4f58a189dbd01b2cfbdf7d7811d759d22a720a02e595f8e35300931932ef0c303f8f91471b311423e975829191ba3
-
SSDEEP
12288:RMrRy90yRvnRHnhtDc3YLtYWBQy+K1edjYz84GLjC4k9Ur0w:Ayh/RHhhc3YZGPKiE8RNJrb
Malware Config
Extracted
redline
kukish
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral5/memory/3224-14-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral5/memory/3224-15-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral5/memory/3224-18-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral5/memory/3224-16-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral5/files/0x00070000000233d2-20.dat family_redline behavioral5/memory/3160-22-0x0000000000920000-0x000000000095E000-memory.dmp family_redline -
Executes dropped EXE 3 IoCs
pid Process 3876 MW4BA0Ad.exe 2064 1jF56MM6.exe 3160 2VG400Hw.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" MW4BA0Ad.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2064 set thread context of 3224 2064 1jF56MM6.exe 86 -
Program crash 2 IoCs
pid pid_target Process procid_target 4936 2064 WerFault.exe 83 5080 3224 WerFault.exe 86 -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3048 wrote to memory of 3876 3048 19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe 82 PID 3048 wrote to memory of 3876 3048 19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe 82 PID 3048 wrote to memory of 3876 3048 19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe 82 PID 3876 wrote to memory of 2064 3876 MW4BA0Ad.exe 83 PID 3876 wrote to memory of 2064 3876 MW4BA0Ad.exe 83 PID 3876 wrote to memory of 2064 3876 MW4BA0Ad.exe 83 PID 2064 wrote to memory of 4996 2064 1jF56MM6.exe 85 PID 2064 wrote to memory of 4996 2064 1jF56MM6.exe 85 PID 2064 wrote to memory of 4996 2064 1jF56MM6.exe 85 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 2064 wrote to memory of 3224 2064 1jF56MM6.exe 86 PID 3876 wrote to memory of 3160 3876 MW4BA0Ad.exe 94 PID 3876 wrote to memory of 3160 3876 MW4BA0Ad.exe 94 PID 3876 wrote to memory of 3160 3876 MW4BA0Ad.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe"C:\Users\Admin\AppData\Local\Temp\19eb5c3dd82e78329d1d98ef6b119402fff11484aea9cfea0e3e1135eea669ec.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW4BA0Ad.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MW4BA0Ad.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jF56MM6.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1jF56MM6.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:4996
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵PID:3224
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 5445⤵
- Program crash
PID:5080
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1484⤵
- Program crash
PID:4936
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VG400Hw.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2VG400Hw.exe3⤵
- Executes dropped EXE
PID:3160
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3224 -ip 32241⤵PID:3144
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2064 -ip 20641⤵PID:4704
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5c8296c95ac5a07d3e8f5a35e12d2c77d
SHA1c28cfbb88a915c485597220988d0593574e05cc6
SHA256e3f99a38f5764ad5edb0b479c62a3f1641883af760ef7c8f31930ff45c5e3d82
SHA51271308f3281e12a2fdfa76db11ed4fe1e72c36e21c8b0697602c3a3a1b71859a7b686412e176ad8c4abef619ad7fe0752011b065ed6e44740d72d27f6c53a1e5a
-
Filesize
295KB
MD5e40afd5775ee3f2f95895ac15725ebb8
SHA11894dfaf92f94f317b68c1173945e67b6009c6df
SHA2562ff19b92c42c98c6435e5c247506a23ce9cb5f4e078bc85b2352ffa67c95c6e9
SHA5121a8a1ee7591c2e0b272a8f8d29abe6a6d254ef5b21ef855191a81ec7835d1ea52acd8afbb9a2182e3dd7818c041596fde9b3b4851292fc43b987919e3e012065
-
Filesize
222KB
MD5264f6b8412bef8ea723db54352674ad5
SHA1e701011372a8928059038122f6411608cf311268
SHA256cde355a2e795143e13bba5c06a576dcf358263511efac9a55e51529d5d9f1f06
SHA51268f5c19fafb92903687f56f58adb5d057926757ec27caa22a0a6623c7a72337cee7130565020bae8764d2f348612c5d783575c769bda95b9ecebbf35d9585dd7