Analysis
-
max time kernel
108s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 22:42
Static task
static1
Behavioral task
behavioral1
Sample
ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe
Resource
win10v2004-20241007-en
General
-
Target
ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe
-
Size
1.4MB
-
MD5
d33b7d13c5fb379d2a3817ecaa8bef20
-
SHA1
cc4d43a964b2cd8b196791936a38eb39195fb5b5
-
SHA256
ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6
-
SHA512
7b8513247feb0adecacd6210024141cac7a12d382cdaa93ab1e778c29f9f4904f11d0a86761dbd621053decc6feb0939f8cbaeffefa8621f2a2b7831c9eb55bb
-
SSDEEP
24576:3yOvZtvSMg4248k6TPs8GcVE0ZketvxXnwbrtd5CYXaiFUVfCT0lfTI:CMtvSMg4L/6TPsh0me3gbr/kYqrVq4
Malware Config
Extracted
redline
kinza
77.91.124.86:19084
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral1/memory/4144-21-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral1/memory/4144-25-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral1/memory/4144-23-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family behavioral1/memory/4144-22-0x0000000000400000-0x0000000000432000-memory.dmp mystic_family -
Mystic family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023ca2-27.dat family_redline behavioral1/memory/1080-29-0x0000000000AE0000-0x0000000000B1E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 4 IoCs
pid Process 4792 YP3Nl4dB.exe 212 Er9Yg5DU.exe 5068 1cF59Db8.exe 1080 2ix410tC.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" YP3Nl4dB.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" Er9Yg5DU.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5068 set thread context of 4144 5068 1cF59Db8.exe 90 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2ix410tC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YP3Nl4dB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Er9Yg5DU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1cF59Db8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 3600 wrote to memory of 4792 3600 ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe 84 PID 3600 wrote to memory of 4792 3600 ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe 84 PID 3600 wrote to memory of 4792 3600 ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe 84 PID 4792 wrote to memory of 212 4792 YP3Nl4dB.exe 85 PID 4792 wrote to memory of 212 4792 YP3Nl4dB.exe 85 PID 4792 wrote to memory of 212 4792 YP3Nl4dB.exe 85 PID 212 wrote to memory of 5068 212 Er9Yg5DU.exe 88 PID 212 wrote to memory of 5068 212 Er9Yg5DU.exe 88 PID 212 wrote to memory of 5068 212 Er9Yg5DU.exe 88 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 5068 wrote to memory of 4144 5068 1cF59Db8.exe 90 PID 212 wrote to memory of 1080 212 Er9Yg5DU.exe 91 PID 212 wrote to memory of 1080 212 Er9Yg5DU.exe 91 PID 212 wrote to memory of 1080 212 Er9Yg5DU.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe"C:\Users\Admin\AppData\Local\Temp\ebed7638ed1683139872218c9acfcf40e689f609f9d79dfdd60af3faa53897a6N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YP3Nl4dB.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YP3Nl4dB.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er9Yg5DU.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Er9Yg5DU.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF59Db8.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1cF59Db8.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- System Location Discovery: System Language Discovery
PID:4144
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ix410tC.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ix410tC.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1080
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
874KB
MD5e6b1d59bb6f139b7f415e496ef99b3e5
SHA1b56905fd9f26f4f99539e53d2669b22e145c4fca
SHA2560178c66540aa42349124a6c13e15abbd0a111bc790084a1d1eab63a3db9a63d2
SHA512404d05d01932ca725198447ef99f1ec5a8e36c92395cad113c0e039464ebdfa6bb39814b3d417a455b465c9fe6f32a6ccb1a71890dbb25c682799760b0b56409
-
Filesize
678KB
MD5809e72b60c534a9e32aca15039d5c560
SHA1914934908c05809566f284dd977813d667cb4590
SHA2564f09e5659794eaea5955bcb72eafe75510d97aa047565312f4c4d37826f3d93a
SHA512e37d266520692ec449859ef3eb67519a5fbb8ecc5a7361b2ce375f2a7fa7600343296edb16076f8b8094fd188cfe9a031b821f849d40a4178789e830dc686885
-
Filesize
1.8MB
MD59e2dfae93300da40f441af5b783f580a
SHA1b01a13d60ae482d65886534e64217a736f9a0f45
SHA2565b1e847932e40e4097d7e5eb568a82ad39a4581482763cb395e470ce0344be23
SHA5122eb3bd6cfd28b143a5cefdd851354520341553ce3ee953d759d819bd319afb3b00e56968062d22c4f3d11b7335d92ac40d54e5359f34c439b276a088b53e7ba8
-
Filesize
221KB
MD5dc217dce419378409e174e845291c230
SHA119e22cf01328f1a372f0bcd6ed81d5646c59b89a
SHA256f241941b9299d1e1a55e992c94be4c7fdec00623db55ac2c6b74a5a7517a63c8
SHA5124018a1bf5cfa51c161fd61fada479a2933a858907b71474ad3fbe373892150783d82a98fb69e414ccde9db10a4ff9b8fbf81663dba94d48c3f5bea61c72f443e