Overview

overview

10

Static

static

3

428992dba5...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-05-2024 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    428992dba52134bc4f24fef76b6deb00_NeikiAnalytics.exe

  • Size

    743KB

  • MD5

    428992dba52134bc4f24fef76b6deb00

  • SHA1

    f7ac3844b23d2ef68ce5abd29ae72e8c197404bc

  • SHA256

    522ef7ed5dee9a88fd0e157cf30caee38b2797c64e4d3e150f0e618147156bcb

  • SHA512

    81cab0e00fceccb1b9cb52e9102ca32c5821370f5293a1afc89c5f4c0ce4704114f44455f4e022c41e9f39abef338efbc55714d4a15ccbfb7d20f402cc482ba8

  • SSDEEP

    12288:FMrny902sofq/Zv6FIzBF/I6cJVVcz6qovPHcVIXJ9lwyrpr:myu1hvSIzBFg6c/VfqovvcVIZ/l

Score
10/10
mysticredlinesmokeloaderbrehabackdoorevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

breha

C2

77.91.124.55:19071

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\428992dba52134bc4f24fef76b6deb00_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\428992dba52134bc4f24fef76b6deb00_NeikiAnalytics.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fy9HR62.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fy9HR62.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vC7ol08.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vC7ol08.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1zQ25ak6.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1zQ25ak6.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:664
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4692
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 572
            5⤵
            • Program crash
            PID:4260
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2XS3648.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2XS3648.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2284
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:4616
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
                PID:728
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 600
                5⤵
                • Program crash
                PID:1660
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3nJ91oF.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3nJ91oF.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3244
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Checks SCSI registry key(s)
              PID:1060
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 152
              4⤵
              • Program crash
              PID:1576
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4du773rX.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4du773rX.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
              PID:2488
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              3⤵
                PID:216
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 584
                3⤵
                • Program crash
                PID:4820
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 664 -ip 664
            1⤵
              PID:2168
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2284 -ip 2284
              1⤵
                PID:3460
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3244 -ip 3244
                1⤵
                  PID:4400
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1248 -ip 1248
                  1⤵
                    PID:608
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4456,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:8
                    1⤵
                      PID:1252

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4du773rX.exe
                      Filesize

                      336KB

                      MD5

                      95604fd57e2b5711e25790eb55ba11cd

                      SHA1

                      0c53f906f03a2bfcb703aca579053368980f82aa

                      SHA256

                      375499f67d3044ad98c537e6071ee591d5b270533ad71ccb72dc9fa5da98aa1c

                      SHA512

                      1b6566da5fd20da8aa823c1164e5990f9615968d5f7d18f7edf6ae9ef458d50117d7bf9a75231cc330f463f0716447af76265c32fe87b8347b56cb7e23f09169

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fy9HR62.exe
                      Filesize

                      509KB

                      MD5

                      5ded212835c43bd38b9d24e84bb35b7e

                      SHA1

                      8dac06330040022fffb631b9a2ca3b28ae4c10fd

                      SHA256

                      f02438bdfbf6b526865e085e41a51bd54139809ce02f3f3836b250d40c1e0784

                      SHA512

                      d14870cc50e54eee3c3cf4cf81e8d9c3c42af8ac5cdc72d5d15f6d33b259e60ea4193e2697b846d6ba34f4dc404de86b917d992ba6fa61e1c80cb81501274902

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3nJ91oF.exe
                      Filesize

                      145KB

                      MD5

                      4b36b6ae6984fc3029f7e71cc552561e

                      SHA1

                      ee2fe1cc3c5f92a5a67df42a3e4f220bc708a33b

                      SHA256

                      033f8ad9166fdd0e483a0ba198c663ebc25a58c3afc34c9edfcb0a16eca30f6b

                      SHA512

                      0313312fd80b7efb5e4e29dd44ffcafaf964e2f24f73c6d05d9c4c39398fbaa3d5e0961e2947b5b2201359d982ea7a51922cfc2f4a2e439676a43bb1b80aa558

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vC7ol08.exe
                      Filesize

                      325KB

                      MD5

                      e60cd25ef90f1e3467442bd1b3682941

                      SHA1

                      89cad7c402c9e12c3760ee66c61a5915d2e7cb7d

                      SHA256

                      d6efde9bbe548ac554251ffba7189465381192e2310340ec037594c0ee71a627

                      SHA512

                      3b4cd9b7c1c51ccdbf5d2989ea40ee59a4ced7ae14276f7c1f93c0977d35f9942ba3c638498954bb587c355452e8fffc7add1e4197db63fd02dd3b0f78951258

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1zQ25ak6.exe
                      Filesize

                      129KB

                      MD5

                      4ed940ea493451635145489ffbdec386

                      SHA1

                      4b5d0ba229b8ac04f753864c1170da0070673e35

                      SHA256

                      b736077e8eccf72bc48e2a28576bb47d59bdaa335baa2dc333fb3701becfacaa

                      SHA512

                      8feea024e7bb279f401e144d80c20bd6022249ebe381e1ed36b7e19a382e1e7edd3a2b1e4f74e54a5e6dbe6bfe6ff3b27fb44fd0c2407551b1a33fbea9be229c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2XS3648.exe
                      Filesize

                      295KB

                      MD5

                      a7d374710fcecb71233c825f2a6ef2da

                      SHA1

                      86bcc8204de3af0281e8f3502a8798cb4d707a3d

                      SHA256

                      09e0708e55aefdd063e766501927ce8bfa6c0dbe41cd17334809be5420d2a7a8

                      SHA512

                      aa91b798926c07e4315016c7d46731eb9e5e7fe9c8bba1cc378c475effd0f5c0db4bb2cae37b707860eff1cb07b634a6c74990d5f06516537f35b39768ebd2b0

                      Download Submit

                    • memory/216-40-0x0000000008310000-0x0000000008928000-memory.dmp

                      Filesize

                      6.1MB

                      Download

                    • memory/216-41-0x0000000007620000-0x000000000772A000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/216-44-0x0000000007590000-0x00000000075DC000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/216-43-0x0000000007550000-0x000000000758C000-memory.dmp

                      Filesize

                      240KB

                      Download

                    • memory/216-42-0x00000000074B0000-0x00000000074C2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/216-36-0x0000000000400000-0x000000000043E000-memory.dmp

                      Filesize

                      248KB

                      Download

                    • memory/216-37-0x0000000007740000-0x0000000007CE4000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/216-38-0x0000000007280000-0x0000000007312000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/216-39-0x00000000046E0000-0x00000000046EA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/728-26-0x0000000000400000-0x0000000000432000-memory.dmp

                      Filesize

                      200KB

                      Download

                    • memory/728-25-0x0000000000400000-0x0000000000432000-memory.dmp

                      Filesize

                      200KB

                      Download

                    • memory/728-28-0x0000000000400000-0x0000000000432000-memory.dmp

                      Filesize

                      200KB

                      Download

                    • memory/1060-32-0x0000000000400000-0x0000000000409000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/4692-21-0x0000000000400000-0x000000000040A000-memory.dmp

                      Filesize

                      40KB

                      Download