Overview
overview
10Static
static
31b7cbee30e...8d.exe
windows10-2004-x64
101cb2277eea...2a.exe
windows10-2004-x64
1026dae86d00...a2.exe
windows10-2004-x64
1035cd974b16...ec.exe
windows10-2004-x64
1045e7028a78...91.exe
windows10-2004-x64
104cd2f124df...48.exe
windows10-2004-x64
105fdef2b38d...0a.exe
windows10-2004-x64
107284e9e031...c7.exe
windows10-2004-x64
10781c022afd...54.exe
windows10-2004-x64
1084163f9b0d...a5.exe
windows10-2004-x64
1090251e43cd...e4.exe
windows10-2004-x64
109a3023ff33...37.exe
windows10-2004-x64
10b4b999d8f3...50.exe
windows7-x64
10b4b999d8f3...50.exe
windows10-2004-x64
10bdd93956fe...8b.exe
windows10-2004-x64
10cf840721c0...70.exe
windows10-2004-x64
10e52fb58b8a...f1.exe
windows10-2004-x64
10ecfbac56ff...9e.exe
windows10-2004-x64
10f0f492b9b0...9a.exe
windows10-2004-x64
10f921df4c23...0d.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:55
Static task
static1
Behavioral task
behavioral1
Sample
1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
26dae86d0011ac84e93abfd2169b28a6dee3498b8be9c3b84f657506d4e2a9a2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7284e9e031d95f98bb1c673f3691adb26e5acc31e6d2c745b85bc97fc82edec7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
9a3023ff334b34f4bea043eedeced95c41485b4799d3c2d56c0cb04b60143937.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe
Resource
win10v2004-20240508-en
General
-
Target
35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
-
Size
1.3MB
-
MD5
d1f9a12cbe2463928f93af9df2581972
-
SHA1
9d71be92b4a421e298ae6fc509d326e6fcd3b3c1
-
SHA256
35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec
-
SHA512
125939fc5108d907644aea134f4c3a4ec961a3bb1a6111db4863b532ed671f685165154689a14f9bc735ab887d1296aed99f373ab3f98c1a0f9a590d52a41e83
-
SSDEEP
24576:by9RXWCPEo9sN4cLWpA7eCKs6Rg8m/ZWOBjSYK9SvBsn64boafIBQ01K0Vry:O9RXWSEo9smcL++cs6inHBjSBA+rpk
Malware Config
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Detect Mystic stealer payload 1 IoCs
resource yara_rule behavioral4/files/0x0007000000023460-38.dat mystic_family -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral4/files/0x000700000002345d-41.dat family_redline behavioral4/memory/1760-43-0x0000000000250000-0x0000000000280000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation l1296671.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation explonde.exe -
Executes dropped EXE 10 IoCs
pid Process 4156 y5819175.exe 1364 y0598187.exe 4456 y5500197.exe 1276 l1296671.exe 2272 explonde.exe 2032 m5176152.exe 1760 n4997969.exe 5116 explonde.exe 4552 explonde.exe 1056 explonde.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" y5500197.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y5819175.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" y0598187.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4788 schtasks.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 3612 wrote to memory of 4156 3612 35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe 83 PID 3612 wrote to memory of 4156 3612 35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe 83 PID 3612 wrote to memory of 4156 3612 35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe 83 PID 4156 wrote to memory of 1364 4156 y5819175.exe 85 PID 4156 wrote to memory of 1364 4156 y5819175.exe 85 PID 4156 wrote to memory of 1364 4156 y5819175.exe 85 PID 1364 wrote to memory of 4456 1364 y0598187.exe 86 PID 1364 wrote to memory of 4456 1364 y0598187.exe 86 PID 1364 wrote to memory of 4456 1364 y0598187.exe 86 PID 4456 wrote to memory of 1276 4456 y5500197.exe 87 PID 4456 wrote to memory of 1276 4456 y5500197.exe 87 PID 4456 wrote to memory of 1276 4456 y5500197.exe 87 PID 1276 wrote to memory of 2272 1276 l1296671.exe 88 PID 1276 wrote to memory of 2272 1276 l1296671.exe 88 PID 1276 wrote to memory of 2272 1276 l1296671.exe 88 PID 4456 wrote to memory of 2032 4456 y5500197.exe 89 PID 4456 wrote to memory of 2032 4456 y5500197.exe 89 PID 4456 wrote to memory of 2032 4456 y5500197.exe 89 PID 1364 wrote to memory of 1760 1364 y0598187.exe 90 PID 1364 wrote to memory of 1760 1364 y0598187.exe 90 PID 1364 wrote to memory of 1760 1364 y0598187.exe 90 PID 2272 wrote to memory of 4788 2272 explonde.exe 91 PID 2272 wrote to memory of 4788 2272 explonde.exe 91 PID 2272 wrote to memory of 4788 2272 explonde.exe 91 PID 2272 wrote to memory of 2404 2272 explonde.exe 93 PID 2272 wrote to memory of 2404 2272 explonde.exe 93 PID 2272 wrote to memory of 2404 2272 explonde.exe 93 PID 2404 wrote to memory of 2520 2404 cmd.exe 96 PID 2404 wrote to memory of 2520 2404 cmd.exe 96 PID 2404 wrote to memory of 2520 2404 cmd.exe 96 PID 2404 wrote to memory of 4592 2404 cmd.exe 97 PID 2404 wrote to memory of 4592 2404 cmd.exe 97 PID 2404 wrote to memory of 4592 2404 cmd.exe 97 PID 2404 wrote to memory of 3680 2404 cmd.exe 98 PID 2404 wrote to memory of 3680 2404 cmd.exe 98 PID 2404 wrote to memory of 3680 2404 cmd.exe 98 PID 2404 wrote to memory of 4568 2404 cmd.exe 99 PID 2404 wrote to memory of 4568 2404 cmd.exe 99 PID 2404 wrote to memory of 4568 2404 cmd.exe 99 PID 2404 wrote to memory of 1028 2404 cmd.exe 100 PID 2404 wrote to memory of 1028 2404 cmd.exe 100 PID 2404 wrote to memory of 1028 2404 cmd.exe 100 PID 2404 wrote to memory of 1844 2404 cmd.exe 101 PID 2404 wrote to memory of 1844 2404 cmd.exe 101 PID 2404 wrote to memory of 1844 2404 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe"C:\Users\Admin\AppData\Local\Temp\35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5819175.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5819175.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0598187.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0598187.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5500197.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y5500197.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1296671.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1296671.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1276 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F7⤵
- Creates scheduled task(s)
PID:4788
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:2520
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"8⤵PID:4592
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E8⤵PID:3680
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:4568
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"8⤵PID:1028
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E8⤵PID:1844
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5176152.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5176152.exe5⤵
- Executes dropped EXE
PID:2032
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4997969.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4997969.exe4⤵
- Executes dropped EXE
PID:1760
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:5116
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:4552
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
PID:1056
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD5ac5e91f34cbbf36db18a8686c4a0699e
SHA1ffd0c05caa8abb8b62f2e295c2de4ca699a08773
SHA256a598d4f7bb893e669979fe1dcfb20f39ddfafe2819e104834e633ad18df6eede
SHA512919e50401266f62b48b52ccc3c2a1e48c023f9e12e5075fcdbfb1870cdf93ceef6f431e2f0a3ae6018853574ca3c7fd33a82579aa15e32ea6b318607354ffc85
-
Filesize
434KB
MD5f36451207c72f33d6ca31907ab61db21
SHA1f29364ddd5d34fd486c75b3f4e8fdb96393c43a0
SHA2561792d13f98d1a8003fd48d754fc49cad8a5fd221ecd08e071fbf41166ca9b4c5
SHA512e5ca4c0f2f8beaca51fc7dfc576ebcb76f42b8663dccb7077f9de3577ff128ab6be8cac55a44923c5209c7138c08c16b1c9d53da4d8a4a6ab05a95d4d8525de0
-
Filesize
175KB
MD5b990afc2893e5a1ac8f09c38db87fd24
SHA10058b2ab5476531588b93db0276e0de9e2577083
SHA256c99b98cf3b36a6ba38773c7d1da85312c96feee8d4489ad984fa6fc012771efe
SHA5123df6ec43cba8c8c280f93f1234cb5fe8b81f5f27a3b7fa766c79f7d2ef03027b7c775735c2901f99ac71cdde20021c6edde392f49f05114a32681085ad53193e
-
Filesize
279KB
MD51860359c97adcc0fb54039d68983e735
SHA1c374e47ee26618d638e8d0d38ed986080f4f2a34
SHA2562c1a53454cdb3c93d4275741d1748b54d553b493f7a630e4c719ac73c199fc9a
SHA5120938142996ebaa197ee297fd0347ef6568ae085c82d871dce5f869a9a4397ce6ebfe867e99e950103441ea000b62c4f00fc5aecb5fd25c7888a25685dd43305e
-
Filesize
220KB
MD570d33a5b3b4bffa31324723b548c781d
SHA102b9739a982b1fbd6b4e7ba46cedd7240f5950f1
SHA25669b72d6ea69bb3f832121e1163211a108e658c6943dfd89fe3fadf72493122de
SHA5124486f85390979a1e647c58b276dc576064c8bbefe77e0bf6cfcdf2cbd2383db26951306f83974f2975077bc0b0c237e1b2200ab400083c29935b3a6585a4cf22
-
Filesize
141KB
MD574c01e48552336ca838e7c500d9e0c3b
SHA1d13d1c145066549fcd80010373d520962412a8a1
SHA25667e37fde308a038c0aaf65716d679f7588fc2ea74c855372ca86f8ec50a3daac
SHA5127818cfa81976239c7918d8dae5141cb644a07c568136592a97d31b6e6de9050bd9d529720ad0917ec85632b484dd097e59fe61a62aae09b1ca9584b299adccb5