Overview
overview
10Static
static
300dd845a27...d6.exe
windows10-2004-x64
100e4f6fa259...f8.exe
windows10-2004-x64
10160cf91bb4...9b.exe
windows10-2004-x64
102469003f42...fb.exe
windows10-2004-x64
1037d87e8c1a...0c.exe
windows10-2004-x64
104c3f025b17...a7.exe
windows10-2004-x64
104de214f155...f2.exe
windows10-2004-x64
104fe5ee134e...25.exe
windows10-2004-x64
105bc4a6b3d5...f6.exe
windows10-2004-x64
1062325240aa...fc.exe
windows10-2004-x64
1077ac4e5ef8...53.exe
windows10-2004-x64
1078a2f3c49d...66.exe
windows10-2004-x64
107c1372b4b0...fc.exe
windows10-2004-x64
107cd3eb4cd6...0e.exe
windows10-2004-x64
107dee432d6d...a7.exe
windows10-2004-x64
10a277894fe9...7d.exe
windows10-2004-x64
10cd0d56c5ce...15.exe
windows10-2004-x64
10d304eb3331...e2.exe
windows10-2004-x64
10d3dd28146b...8b.exe
windows10-2004-x64
10ece19c5d5c...54.exe
windows10-2004-x64
10f9789caac1...5f.exe
windows7-x64
10f9789caac1...5f.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:50
Static task
static1
Behavioral task
behavioral1
Sample
00dd845a27cdd6a841129f3f25bc36fd11c64b769481d2a584164a99fbd2c3d6.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
0e4f6fa259d45f6b8b8d2e708ff9cac68a58307c15686d384502402302d450f8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
160cf91bb49336d03ce250710ca49b29f76f5f8f37ef5aafda22ed8e547bed9b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
2469003f42fad7f59b70f7ba006c65ee5db3798dfa579f761b047cd449e394fb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
37d87e8c1add733f6b0f726eb97fd64542de486c7b60c80ffabe798eb6c54a0c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
4c3f025b17ec1550b7a07d7cea6744acb261f9a5de6fd780bef377978b6b2ca7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
4de214f1550efd374ec68367fd536997f015281d98450fd9bab8a16d5fce87f2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
4fe5ee134e6a340110e2fe9b3471372154b727e90d980f5660e2c7d24f779f25.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
5bc4a6b3d5d850441455c1201b411fa16528c9d21a13517fd2f373d1536d57f6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral10
Sample
62325240aae3c7c9afa8a69fb248924b6c42b1aa556bfb2b52c84490eef10afc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
78a2f3c49d7778a1b4924bb7355ccbbd6bbeeef4a1876c8a4fd0f6f984769466.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
7c1372b4b0e76a7d202143cbcc40dce411a401341f2168aef3204cfc9f9da9fc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
7cd3eb4cd6f49efea0958d092cf89c4360141c9e96cf89f3bd4042291e628b0e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
7dee432d6dab18e0292eb8319fa33010db26568b716e784875a7bd4e9ea455a7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
a277894fe9048cd5fca86a41cd15d3ca798f15ec412ab35d84f136d39597b97d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
cd0d56c5cef765fb6cc44988f16cfea540a6eacff2349df1adde54d8bdf0ac15.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
d304eb3331ed5f7542898adf235b0119e5ae9bf4622b4c36147856e87a8ec8e2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
d3dd28146bf63b331c212ebde477e7662e2106b598849cd8a25001adc825728b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
ece19c5d5cfa838169dfe734221c3efc216214049218bf9ed62549dcc068a854.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f9789caac1d5ebec982c1e56156eeaba9635c705104c77a48602d2aa3f43635f.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
f9789caac1d5ebec982c1e56156eeaba9635c705104c77a48602d2aa3f43635f.exe
Resource
win10v2004-20240426-en
General
-
Target
77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe
-
Size
572KB
-
MD5
1ac19b91e5253c091061691c660c70fb
-
SHA1
7b113146e03c198d1cd4a7b1d10c2dad5bb6a909
-
SHA256
77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053
-
SHA512
6ed54774d55e8fc33480a56533c43f8eeffa64c225832e9e7aa932566c66bc80a0c1b9cf95db749f2a024316d57779255659151a483d7c5acc9c24e483e6af08
-
SSDEEP
12288:6Mr9y90/DGsxoXIq17/+FrSBIEBOFgJdHsKPdg54J:HysGwo4cb+dSOA7rPfJ
Malware Config
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral11/files/0x0008000000023411-19.dat healer behavioral11/memory/2576-21-0x0000000000CF0000-0x0000000000CFA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" q7686010.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection q7686010.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" q7686010.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral11/files/0x000700000002340f-37.dat family_redline behavioral11/memory/3424-39-0x0000000000500000-0x0000000000530000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation r7196851.exe Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation explonde.exe -
Executes dropped EXE 9 IoCs
pid Process 4596 z2121682.exe 3444 z2849645.exe 2576 q7686010.exe 2672 r7196851.exe 4868 explonde.exe 3424 s1871232.exe 4956 explonde.exe 8 explonde.exe 3664 explonde.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q7686010.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z2121682.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" z2849645.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4728 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4112 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2576 q7686010.exe 2576 q7686010.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2576 q7686010.exe -
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target PID 2904 wrote to memory of 4596 2904 77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe 82 PID 2904 wrote to memory of 4596 2904 77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe 82 PID 2904 wrote to memory of 4596 2904 77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe 82 PID 4596 wrote to memory of 3444 4596 z2121682.exe 83 PID 4596 wrote to memory of 3444 4596 z2121682.exe 83 PID 4596 wrote to memory of 3444 4596 z2121682.exe 83 PID 3444 wrote to memory of 2576 3444 z2849645.exe 84 PID 3444 wrote to memory of 2576 3444 z2849645.exe 84 PID 3444 wrote to memory of 2672 3444 z2849645.exe 96 PID 3444 wrote to memory of 2672 3444 z2849645.exe 96 PID 3444 wrote to memory of 2672 3444 z2849645.exe 96 PID 2672 wrote to memory of 4868 2672 r7196851.exe 97 PID 2672 wrote to memory of 4868 2672 r7196851.exe 97 PID 2672 wrote to memory of 4868 2672 r7196851.exe 97 PID 4596 wrote to memory of 3424 4596 z2121682.exe 98 PID 4596 wrote to memory of 3424 4596 z2121682.exe 98 PID 4596 wrote to memory of 3424 4596 z2121682.exe 98 PID 4868 wrote to memory of 4112 4868 explonde.exe 99 PID 4868 wrote to memory of 4112 4868 explonde.exe 99 PID 4868 wrote to memory of 4112 4868 explonde.exe 99 PID 4868 wrote to memory of 3488 4868 explonde.exe 100 PID 4868 wrote to memory of 3488 4868 explonde.exe 100 PID 4868 wrote to memory of 3488 4868 explonde.exe 100 PID 3488 wrote to memory of 1364 3488 cmd.exe 103 PID 3488 wrote to memory of 1364 3488 cmd.exe 103 PID 3488 wrote to memory of 1364 3488 cmd.exe 103 PID 3488 wrote to memory of 2820 3488 cmd.exe 104 PID 3488 wrote to memory of 2820 3488 cmd.exe 104 PID 3488 wrote to memory of 2820 3488 cmd.exe 104 PID 3488 wrote to memory of 1432 3488 cmd.exe 105 PID 3488 wrote to memory of 1432 3488 cmd.exe 105 PID 3488 wrote to memory of 1432 3488 cmd.exe 105 PID 3488 wrote to memory of 4048 3488 cmd.exe 106 PID 3488 wrote to memory of 4048 3488 cmd.exe 106 PID 3488 wrote to memory of 4048 3488 cmd.exe 106 PID 3488 wrote to memory of 1504 3488 cmd.exe 107 PID 3488 wrote to memory of 1504 3488 cmd.exe 107 PID 3488 wrote to memory of 1504 3488 cmd.exe 107 PID 3488 wrote to memory of 4304 3488 cmd.exe 108 PID 3488 wrote to memory of 4304 3488 cmd.exe 108 PID 3488 wrote to memory of 4304 3488 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe"C:\Users\Admin\AppData\Local\Temp\77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F6⤵
- Creates scheduled task(s)
PID:4112
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1364
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"7⤵PID:2820
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E7⤵PID:1432
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4048
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵PID:1504
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵PID:4304
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe3⤵
- Executes dropped EXE
PID:3424
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:4956
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:8
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:4728
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:3664
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
390KB
MD5af64dd4608c03a5ccca7f0c55331acb2
SHA128225983cb51e94173ef73fa058fd6e27a3d4c30
SHA2569e5e86873a0dd192be96daacd1c15a9d5231dd48887c55b1ad2b6580f4ecac5f
SHA51230d3858d35fdfa9e269ebe72e7df341099d08791b708b14f848f1e05671d2cf8edee2e1d8f5229a6968fd464039e429744f03fa4e76bcce9ad47aa414496a226
-
Filesize
176KB
MD5484aa8a994e4b0d4f6394de29572fedf
SHA1136dd59824c115d7ed7177b1cd443d8aea19917e
SHA2565f251747cc00b6519344a8eab58b8bc8d321280d88e27c5bff306f40a53df0b4
SHA512984122db98e575fd3ec63a9198905bd24123620656345b76930d3428d5c1d88bf9ce7563b0f1212147a72ff8c16924a6c2259c9672bad511112c76893b07b8c4
-
Filesize
234KB
MD545e93a000b07f25fe943fdf1f7b65357
SHA187725546f53447d680f47e63a0cc581dcd4503fa
SHA2569a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755
SHA51283cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d
-
Filesize
12KB
MD505d44dca7da313a6875ab2e2ce15cf4c
SHA1fb62bcfc8209d7246dce532fd00d4ea2d56ecb71
SHA256b894a0dc444adc2774ca868edb76d306b089eccd9dbea910c9a5f8bb7f4dc50c
SHA51201075dd204512cb35dcd4cb0f77fe2962ee2e8709ff48cf36b3e681b96caafe1c4edcb0b4cab6be77754f791907dfd368570b425e89f740231578f19e2fc3fb7
-
Filesize
221KB
MD5a179aaa8b2da45d6806e6a737696d101
SHA10d5e6174461ffb16368cd80216abca674d893660
SHA256f13ad3f74496d3eb644233b1f70c1b9c10abdd4b777007daa0d391fbfdd44a73
SHA51241b53c48d9f6ba2bb744e48654957b12c93493cb1f2bfc11bac85694eaac5642bb3480fbaea1d16d5a89b886289efcbfc527c762114a4d85f7cbbef7eac3d375