Analysis
- score: 10
- max time kernel: 139s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 18:20
General
- Target: 059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe
- Size: 1.3MB
- MD5: 7897a8a6ebf8c162b11b148555d5c616
- SHA1: 60992a6f05358dc6150f7c42a8b5bb42266e6e6b
- SHA256: 059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e
- SHA512: 9b37ae7168063fbf820682d3935242bf3254d1eace417b9206da7e7ea3bec26aa003cdb5347d39d2ae446f73ea77ddf5fddb7cb3e09c5bacada9863d9f9d3b34
- SSDEEP: 24576:Oy/HLy2splQy14Pz413AxpZz1MqkaZEouZugKp3:d/ry2oDWPzG3uR1MqkfZ
Malware Config
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
- install_dir: fefffe8cea
- install_file: explonde.exe
- strings_key: 916aae73606d7a9e02a1d3b47c199688
- url_paths: /mac/index.php
Extracted
redline
mrak
77.91.124.82:19071
- auth_value: 7d9a335ab5dfd42d374867c96fe25302
Signatures
- Detect Mystic stealer payload (1 IoCs)
  resource: behavioral3/files/0x0007000000023429-38.dat, yara_rule: mystic_family
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral3/files/0x0007000000023426-41.dat, yara_rule: family_redline
  resource: behavioral3/memory/1876-43-0x0000000000FC0000-0x0000000000FF0000-memory.dmp, yara_rule: family_redline
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (Process: l0097372.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (Process: explonde.exe)
- Executes dropped EXE (9 IoCs)
  pid 2996: y1046607.exe
  pid 3076: y5252126.exe
  pid 3448: y6491506.exe
  pid 4252: l0097372.exe
  pid 4812: explonde.exe
  pid 2416: m1041178.exe
  pid 1876: n2300833.exe
  pid 1452: explonde.exe
  pid 4380: explonde.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (Process: y5252126.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (Process: y6491506.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (Process: 059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (Process: y1046607.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1332: schtasks.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
Processes
- PID 4860: C:\Users\Admin\AppData\Local\Temp\059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - PID 2996: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1046607.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1046607.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - PID 3076: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5252126.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5252126.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - PID 3448: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6491506.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6491506.exe
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - PID 4252: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0097372.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0097372.exe
          Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
          - PID 4812: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
            Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
            - PID 1332: C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
              Signatures: Creates scheduled task(s)
            - PID 2016: C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              Signatures: Suspicious use of WriteProcessMemory
              - PID 4952: C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - PID 2796: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "explonde.exe" /P "Admin:N"
              - PID 5068: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "explonde.exe" /P "Admin:R" /E
              - PID 5116: C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - PID 3972: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\fefffe8cea" /P "Admin:N"
              - PID 560: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\fefffe8cea" /P "Admin:R" /E
        - PID 2416: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1041178.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m1041178.exe
          Signatures: Executes dropped EXE
      - PID 1876: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2300833.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n2300833.exe
        Signatures: Executes dropped EXE
- PID 1452: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Signatures: Executes dropped EXE
- PID 4380: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  Signatures: Executes dropped EXE