Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-05-2024 03:39

General

  • Target

    d7f22b7eebe108f78403cd95501e598191ac75d3ec959f746efec4767e6c2c46.exe

  • Size

    956KB

  • MD5

    57b7364686bb815599ac2e803a7186f5

  • SHA1

    0931a586aa2b6e1772006409ecc94d9b46942b77

  • SHA256

    d7f22b7eebe108f78403cd95501e598191ac75d3ec959f746efec4767e6c2c46

  • SHA512

    1bc1d2504c1b0dd3334633b7934477f2fef7d320ac3733b48347cb0715e32ea080332f87ec1aa82ecb7abba02404a43412eab78804e8d2abc64df04c73d69f46

  • SSDEEP

    12288:fMr1y90ELP7G5gWanByhVHtWDCwQ2QkAlJjyAM6c2d4XuNTvaU2NC/tItquzQSGO:Gy3zgWByhzWDw2QkiJndhQC/tri

Malware Config

Extracted

Family

redline

Botnet

tuxiu

C2

77.91.124.82:19071

Attributes
  • auth_value

    29610cdad07e7187eec70685a04b89fe

Signatures

  • Detect Mystic stealer payload 3 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Detects executables containing SQL queries to confidential data stores. Observed in infostealers 3 IoCs
  • Detects executables packed with ConfuserEx Mod 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d7f22b7eebe108f78403cd95501e598191ac75d3ec959f746efec4767e6c2c46.exe
    "C:\Users\Admin\AppData\Local\Temp\d7f22b7eebe108f78403cd95501e598191ac75d3ec959f746efec4767e6c2c46.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1236883.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1236883.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1366142.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1366142.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5097275.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5097275.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2820
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9530733.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9530733.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2408
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              PID:4852
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 552
                6⤵
                • Program crash
                PID:3320
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0724987.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0724987.exe
              5⤵
              • Executes dropped EXE
              PID:4620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2408 -ip 2408
      1⤵
      PID:4644

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1236883.exe

        Filesize

        854KB

        MD5

        a23fe4ddbe05836d8be8cced1811f33c

        SHA1

        6ddddc7b3ac627a534b280c625c3b200cc38b7eb

        SHA256

        39caa3b0340bdd38d8752dd747b6c4b9f16d6a70bbd21dadb41d80c6c0844362

        SHA512

        275d4d74174966e7f42897d8ac6e3f31f0927f407211960dbedfd9e5ae7e6e2be0f1948e2b05da02f7d00a69ab4af4c848fa8dd8c2b78ec016ee768e5af0e162

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1366142.exe

        Filesize

        580KB

        MD5

        fb09d2e108d3962191c9b7ff09f0bb75

        SHA1

        4a63fd9f814725fc857d983326e276c8c6639bf8

        SHA256

        edd40aae4d913cbcd9b24c34a0469e4da0bceb75f1cfd76a2d56ae9ed11b089a

        SHA512

        74c3d600ceb698881a6b4286c9a4b842548ff4557a64c8bddd73abb13fdf0545c534b6c273873632800b813d0e1d48b49984f06f88b1c3dbe27b6a4b04606e41

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5097275.exe

        Filesize

        404KB

        MD5

        42c702055e630e1bdf5d75b28f61d560

        SHA1

        a14b9d634d3144aab946690928085cd6b4308a6b

        SHA256

        040d5889f0bbd2ee975ab99cf43ad5b78b45c3b40a6f364c80c44ffcfbb09d0c

        SHA512

        fc96164ae4dbde884aa5a8ddf8029bb47d7ca0e80983ca1a1368e7fd37f65b938a269e17baa791cb71a1bb8c32e16085173d7e1aa8616987dbd72426582981f6

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9530733.exe

        Filesize

        396KB

        MD5

        3d6f132473e68104b45f34f9bb38289a

        SHA1

        3d0bb37f5e135e7860cbb429718fcdce517e1b58

        SHA256

        5a2104e3272275380b6815abce23326ebd9f50a684ad4616267dbfebc46c051d

        SHA512

        aa7cf1801e42e14066d064d9f5e71f8f183d1b5156969b9727cb74947e629b85b0302c7ff594ac7934f7e1805be01a3ea96db9693f312b303efc4b5b711ef76f

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0724987.exe

        Filesize

        175KB

        MD5

        8cf7b0af8ab3d277b25db483f5cf40d4

        SHA1

        5eec584fef89089a266b8a14335737c582c223ab

        SHA256

        d069d8092055f45b407cd1b280da0989baf9455a1ea633502c0dbbc5288f3da4

        SHA512

        b40cc94b7197aa5f1d2d470d4e8f6ba221753b0fe815a6eafbce849c40dd4bf38572d10268141052fe5dc1634fbd286c131cee530f3f59e2f3b4245ff4c688bc

      • memory/4620-36-0x0000000002840000-0x0000000002846000-memory.dmp

        Filesize

        24KB

      • memory/4620-35-0x0000000000570000-0x00000000005A0000-memory.dmp

        Filesize

        192KB

      • memory/4620-37-0x00000000055B0000-0x0000000005BC8000-memory.dmp

        Filesize

        6.1MB

      • memory/4620-38-0x00000000050A0000-0x00000000051AA000-memory.dmp

        Filesize

        1.0MB

      • memory/4620-39-0x0000000004DF0000-0x0000000004E02000-memory.dmp

        Filesize

        72KB

      • memory/4620-40-0x0000000004F90000-0x0000000004FCC000-memory.dmp

        Filesize

        240KB

      • memory/4620-41-0x0000000004FD0000-0x000000000501C000-memory.dmp

        Filesize

        304KB

      • memory/4852-31-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/4852-29-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB

      • memory/4852-28-0x0000000000400000-0x000000000042C000-memory.dmp

        Filesize

        176KB