Analysis
-
max time kernel
107s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 12:51
Static task
static1
Behavioral task
behavioral1
Sample
7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe
Resource
win10v2004-20241007-en
General
-
Target
7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe
-
Size
821KB
-
MD5
639d8042d16de28c65e78469e505a4e0
-
SHA1
8382e873cf83e53adc9808d492010052375d194a
-
SHA256
7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832
-
SHA512
9e5c3b437202b17c0d9c7d1fdb303c5402d5dc95ffea514e0ab61c3368d9f08c32bcbea1ef23e35ed32a60f1a6b574a30a6b79d2f95cc5c338a252d823b6086a
-
SSDEEP
12288:iMrFy90iQyaEisqVQ2/SmB8sMySNPrr28fxpIN/tyBmUUBfAChHsvVp4DMJsW:PyxuEC/SecuEIuBzyfhkHJJsW
Malware Config
Extracted
redline
gigant
77.91.124.55:19071
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral1/memory/2044-14-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral1/memory/2044-16-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral1/memory/2044-15-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family behavioral1/memory/2044-18-0x0000000000400000-0x0000000000428000-memory.dmp mystic_family -
Mystic family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023c86-20.dat family_redline behavioral1/memory/3816-22-0x0000000000600000-0x000000000063E000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 3 IoCs
pid Process 224 lf3tK1yY.exe 1332 1TR55Yr7.exe 3816 2zE388fI.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" lf3tK1yY.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1332 set thread context of 2044 1332 1TR55Yr7.exe 88 -
Program crash 2 IoCs
pid pid_target Process procid_target 3208 1332 WerFault.exe 85 2200 2044 WerFault.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2zE388fI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language lf3tK1yY.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1TR55Yr7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AppLaunch.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 1220 wrote to memory of 224 1220 7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe 84 PID 1220 wrote to memory of 224 1220 7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe 84 PID 1220 wrote to memory of 224 1220 7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe 84 PID 224 wrote to memory of 1332 224 lf3tK1yY.exe 85 PID 224 wrote to memory of 1332 224 lf3tK1yY.exe 85 PID 224 wrote to memory of 1332 224 lf3tK1yY.exe 85 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 1332 wrote to memory of 2044 1332 1TR55Yr7.exe 88 PID 224 wrote to memory of 3816 224 lf3tK1yY.exe 96 PID 224 wrote to memory of 3816 224 lf3tK1yY.exe 96 PID 224 wrote to memory of 3816 224 lf3tK1yY.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe"C:\Users\Admin\AppData\Local\Temp\7d9837d308d96f96fc3b7fc68a7e4a933a1c4268a974e34629661dec50214832N.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf3tK1yY.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lf3tK1yY.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TR55Yr7.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1TR55Yr7.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 5405⤵
- Program crash
PID:2200
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 5764⤵
- Program crash
PID:3208
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zE388fI.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2zE388fI.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3816
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1332 -ip 13321⤵PID:3940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2044 -ip 20441⤵PID:2008
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
649KB
MD59d4830cb45213fa515d2049449b7bec2
SHA1fe5913ac72500ef8959872656132b46537d9c47d
SHA256fdb849c735d10ee2ca41cdd4fb52c78a8d7132935ae6ced77703602a461d66d2
SHA5124192d3e840c0a7675091b516502e2adf962c8c1a4a928d7856dd9b9b5913120b469f4d297f087817e8144bd5cd31d706821e0ae7d48e25785dbc98ebb66a714c
-
Filesize
1.7MB
MD5144dc3c0a5275a93ff86f00b5c61b9ec
SHA1784168ab3c4711737656ca13dc4cb59ca267fa45
SHA256179649325e561f83a53c5cba99cd8f1f589064c8d0f2029fb8e06f61ae986787
SHA5129af6a9870077621eb046d6fed0fac88eba35edd4cd5e60f49c46018ab633d5cc77ddb9a93886178544198099a4e3b20726a32729ec9d1cf89524b4a579afb783
-
Filesize
231KB
MD558ffdba1578ba9ce2b6e6b79516a0c1c
SHA193c666283fa9dc31d6694e1d3146f9a5d8bac89b
SHA2563018ab9f37209c8d3fe16bf6c4ad3867775ce998d0394020b5b8432d464cc1f5
SHA51238077c50437f600116143aaaffd8d3b05e0f46045b85e38390f67ae71ce42418cfd350259de3e60459e8ff4b8baf6e2afe89b9a4b39d67d9dbf488b60329d7f3