Analysis
Max time kernel: 108s
Max time network: 118s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
Submitted: 02-11-2024 19:17
Static task: static1
Behavioral task: behavioral1
Sample: 4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe
Resource: win10v2004-20241007-en
General
Target: 4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe
Size: 678KB
MD5: 809e72b60c534a9e32aca15039d5c560
SHA1: 914934908c05809566f284dd977813d667cb4590
SHA256: 4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93a
SHA512: e37d266520692ec449859ef3eb67519a5fbb8ecc5a7361b2ce375f2a7fa7600343296edb16076f8b8094fd188cfe9a031b821f849d40a4178789e830dc686885
SSDEEP: 12288:LMrQy909nEKRresal5ngE2BeVHs3lv0wOD1zruOR+jeVh2hOaBe9IU5Wh9YVl:HyUnEKR96xn2f3tx+1DIK72hbB+vr
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures

Detect Mystic stealer payload (4 IoCs)
resource                                                                       yara_rule
behavioral1/memory/3048-7-0x0000000000400000-0x0000000000432000-memory.dmp     mystic_family
behavioral1/memory/3048-8-0x0000000000400000-0x0000000000432000-memory.dmp     mystic_family
behavioral1/memory/3048-11-0x0000000000400000-0x0000000000432000-memory.dmp    mystic_family
behavioral1/memory/3048-9-0x0000000000400000-0x0000000000432000-memory.dmp     mystic_family

Mystic family

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x0007000000023cb1-13.dat                                    family_redline
behavioral1/memory/5000-16-0x0000000000FB0000-0x0000000000FEE000-memory.dmp    family_redline

Redline family

Executes dropped EXE (2 IoCs)
pid     Process
4756    1cF59Db8.exe
5000    2ix410tC.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description        ioc                                                                                                                                                                                               Process
Set value (str)    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid     Process         procid_target
PID 4756 set thread context of 3048  4756    1cF59Db8.exe    88

Program crash (1 IoC)
pid     pid_target    Process         procid_target
2068    3048          WerFault.exe    88
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                          Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    1cF59Db8.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    AppLaunch.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    2ix410tC.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description                          pid     Process                                                                  procid_target
PID 1228 wrote to memory of 4756     1228    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe    84
PID 1228 wrote to memory of 4756     1228    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe    84
PID 1228 wrote to memory of 4756     1228    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe    84
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 4756 wrote to memory of 3048     4756    1cF59Db8.exe                                                             88
PID 1228 wrote to memory of 5000     1228    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe    89
PID 1228 wrote to memory of 5000     1228    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe    89
PID 1228 wrote to memory of 5000     1228    4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe    89
Processes

C:\Users\Admin\AppData\Local\Temp\4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe (PID 1228, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93aN.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cF59Db8.exe (PID 4756, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1cF59Db8.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 3048, depth 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe (PID 2068, depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 540
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ix410tC.exe (PID 5000, depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2ix410tC.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\WerFault.exe (PID 2680, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048
Downloads
Filesize: 1.8MB
MD5: 9e2dfae93300da40f441af5b783f580a
SHA1: b01a13d60ae482d65886534e64217a736f9a0f45
SHA256: 5b1e847932e40e4097d7e5eb568a82ad39a4581482763cb395e470ce0344be23
SHA512: 2eb3bd6cfd28b143a5cefdd851354520341553ce3ee953d759d819bd319afb3b00e56968062d22c4f3d11b7335d92ac40d54e5359f34c439b276a088b53e7ba8

Filesize: 221KB
MD5: dc217dce419378409e174e845291c230
SHA1: 19e22cf01328f1a372f0bcd6ed81d5646c59b89a
SHA256: f241941b9299d1e1a55e992c94be4c7fdec00623db55ac2c6b74a5a7517a63c8
SHA512: 4018a1bf5cfa51c161fd61fada479a2933a858907b71474ad3fbe373892150783d82a98fb69e414ccde9db10a4ff9b8fbf81663dba94d48c3f5bea61c72f443e