Analysis

max time kernel: 107s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-11-2024 20:19

Static task: static1
Behavioral task: behavioral1
Sample: 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
Resource: win10v2004-20241007-en
General

Target: 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
Size: 1.6MB
MD5: 0d26b42076051a0694f57161698a2eb0
SHA1: 30f49f32b6f0f71e1ffcfce95a78e4f58cc70fbc
SHA256: 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8
SHA512: c5c9e874daf6d822f3328b028163e06f146adb0cf23a549756c9d3240c03c5980ad6dc70bfaf324da41cfc8be3cbd6dbcdc568c1cfb768f2debc1cff6e2d09ca
SSDEEP: 24576:WyKuKgpUnfZqeIgj4+9m30htY+V5GPDt1WMMet8Lp3iyeOIpl96/k2jpVzB74X8I:lFpUffpzmWNVIt1RMymSl96s2jl4M
Malware Config

Extracted
Family: redline
Botnet: gigant
C2: 77.91.124.55:19071
Signatures

Detect Mystic stealer payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/3784-35-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
  behavioral1/memory/3784-36-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family
  behavioral1/memory/3784-38-0x0000000000400000-0x0000000000428000-memory.dmp | mystic_family

Mystic family

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a000000023b92-40.dat | family_redline
  behavioral1/memory/5096-42-0x0000000000EB0000-0x0000000000EEE000-memory.dmp | family_redline

Redline family

Executes dropped EXE (6 IoCs)
  pid | Process
  1888 | oq5jq1Su.exe
  3692 | OY0dW1qI.exe
  4268 | gJ5YQ3Bt.exe
  1796 | jA1GH5Qw.exe
  676 | 1PM24FE1.exe
  5096 | 2GG502LU.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | jA1GH5Qw.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | oq5jq1Su.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | OY0dW1qI.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | gJ5YQ3Bt.exe

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 676 set thread context of 3784 | 676 | 1PM24FE1.exe | 92

Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2880 | 676 | WerFault.exe | 90
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | OY0dW1qI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gJ5YQ3Bt.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jA1GH5Qw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1PM24FE1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2GG502LU.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oq5jq1Su.exe
Suspicious use of WriteProcessMemory (28 IoCs; identical repeated rows collapsed, repeat count in brackets)
  description | pid | Process | procid_target
  PID 2924 wrote to memory of 1888 | 2924 | 3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe | 84 [x3]
  PID 1888 wrote to memory of 3692 | 1888 | oq5jq1Su.exe | 85 [x3]
  PID 3692 wrote to memory of 4268 | 3692 | OY0dW1qI.exe | 87 [x3]
  PID 4268 wrote to memory of 1796 | 4268 | gJ5YQ3Bt.exe | 89 [x3]
  PID 1796 wrote to memory of 676 | 1796 | jA1GH5Qw.exe | 90 [x3]
  PID 676 wrote to memory of 3784 | 676 | 1PM24FE1.exe | 92 [x10]
  PID 1796 wrote to memory of 5096 | 1796 | jA1GH5Qw.exe | 96 [x3]
Processes

1. C:\Users\Admin\AppData\Local\Temp\3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3b4c5828362b10aa3f5adabbb7df2fe252f38e07b0d9b5bbfabdc749916c26a8N.exe"
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 2924

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oq5jq1Su.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oq5jq1Su.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1888

      3. C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OY0dW1qI.exe
         command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OY0dW1qI.exe
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory
         PID: 3692

         4. C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJ5YQ3Bt.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gJ5YQ3Bt.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4268

            5. C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA1GH5Qw.exe
               command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jA1GH5Qw.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - System Location Discovery: System Language Discovery
               - Suspicious use of WriteProcessMemory
               PID: 1796

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PM24FE1.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1PM24FE1.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  PID: 676

                  7. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                     command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                     - System Location Discovery: System Language Discovery
                     PID: 3784

                  7. C:\Windows\SysWOW64\WerFault.exe
                     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 572
                     - Program crash
                     PID: 2880

               6. C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GG502LU.exe
                  command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GG502LU.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  PID: 5096

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 676 -ip 676
   PID: 1064
MITRE ATT&CK Enterprise v15
Downloads