Overview
overview
10Static
static
30a7a53ccfc...4d.exe
windows10-2004-x64
1015fd14ba21...b7.exe
windows10-2004-x64
101ded3ef8a6...eb.exe
windows10-2004-x64
10211c4e6a11...13.exe
windows10-2004-x64
102143b79ffb...90.exe
windows10-2004-x64
10262bcbb295...79.exe
windows10-2004-x64
102db3eb661b...10.exe
windows10-2004-x64
1038f672e7cb...04.exe
windows10-2004-x64
103a8f22ea92...1f.exe
windows10-2004-x64
104ad2507250...50.exe
windows10-2004-x64
104d264f872f...4d.exe
windows10-2004-x64
105dcad04e9c...98.exe
windows10-2004-x64
10838e53197e...9e.exe
windows10-2004-x64
109fb3613b82...eb.exe
windows10-2004-x64
10ada5308889...6d.exe
windows10-2004-x64
10b7edb218fe...67.exe
windows10-2004-x64
10c7a8b128f1...e0.exe
windows7-x64
10c7a8b128f1...e0.exe
windows10-2004-x64
10d0c2f16d85...04.exe
windows10-2004-x64
10d686e13696...c7.exe
windows10-2004-x64
10f2cce909ec...10.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 17:10
Static task
static1
Behavioral task
behavioral1
Sample
0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
15fd14ba215a3a52dd8119cc0a0383f0cac34dab2c608f1481d6dac8a34084b7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
1ded3ef8a66199255bccbc48246fb511b05dd362acee6fc379d36afee68aa1eb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
211c4e6a11f15bd767da6f104c223571e677d598cba947fc6ecc736fb041af13.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2143b79ffb1f51097ecfe2735d76fc401ff83d0bcaf0fd826616f6d9d198fb90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
262bcbb295c2330c7e75858027b884202657e03c12f0537ccae57764c7e90779.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2db3eb661bd1960f4f027053512a24f0c61f26c7314d49ff0114cec48de8d110.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
38f672e7cba986b4d9af3c51220a9df7a2a858c8744e2594475ff11d2cd80504.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3a8f22ea9247ba12276740888c7a9a8788ce979e8b28264aa64fb310a6e2d31f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
4ad2507250fbdef342d1a5b86c7770a3cffa183db840e5cfa7a9d117b2dc0a50.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4d264f872fb903372cc6951f97478ade2ed4cea3c43c1ac9c7b62d645b0d804d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
5dcad04e9c2aa52649ef1e07b38e5668f57adeaa2edee41a8ec26857ee232498.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9fb3613b8287cadb1f1a45c550f5b98f012dcc95bb947f3b8b3d68303b6bc3eb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
ada5308889c1e0686823a15717a0ebb9de3bbf2d5e47447e5a340ce70ef33f6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
b7edb218fec9ad9d3c425768ecc3c868db6dcd17f414b4c8a5337d3b4c908867.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
c7a8b128f176ee758430b94fea1f5e6ac1085905600d0d4bd333a5ff1414fae0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral20
Sample
d686e13696bd68f852ead6d9f363bc3da451cda82485f639727be0ee38b8dac7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f2cce909eca03fb472266113aeed9ab44c81218fb6b4de31949151b9543a1f10.exe
Resource
win10v2004-20240508-en
General
-
Target
d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe
-
Size
306KB
-
MD5
ec6af98de3dd9a3fadfe95b861b2160e
-
SHA1
a34ee5b67a3e3169c5de23624f348783f46954f9
-
SHA256
d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04
-
SHA512
3bf37e1410c921e2a061e779d2b6e9464847341387d53c1d44d9151a6e2637f5cdce3c10591c8997e4ee08f2619db299dfb8d90fcf53fd6b66496c13652b9886
-
SSDEEP
6144:Khy+bnr+mp0yN90QEbWq96aGBAIVPXdXlDVdIIrHq+Nu9Mq7KJ:DMrCy90pj0/BACZuIrK+NQc
Malware Config
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
redline
larek
77.91.124.55:19071
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral19/files/0x0007000000023266-17.dat family_redline behavioral19/memory/4956-19-0x00000000000D0000-0x000000000010E000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation aP28RD.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation explothe.exe -
Executes dropped EXE 5 IoCs
pid Process 4080 aP28RD.exe 2768 explothe.exe 4956 dp344ZR.exe 3880 explothe.exe 5116 explothe.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4056 schtasks.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 4528 wrote to memory of 4080 4528 d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe 92 PID 4528 wrote to memory of 4080 4528 d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe 92 PID 4528 wrote to memory of 4080 4528 d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe 92 PID 4080 wrote to memory of 2768 4080 aP28RD.exe 93 PID 4080 wrote to memory of 2768 4080 aP28RD.exe 93 PID 4080 wrote to memory of 2768 4080 aP28RD.exe 93 PID 4528 wrote to memory of 4956 4528 d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe 94 PID 4528 wrote to memory of 4956 4528 d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe 94 PID 4528 wrote to memory of 4956 4528 d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe 94 PID 2768 wrote to memory of 4056 2768 explothe.exe 95 PID 2768 wrote to memory of 4056 2768 explothe.exe 95 PID 2768 wrote to memory of 4056 2768 explothe.exe 95 PID 2768 wrote to memory of 2940 2768 explothe.exe 97 PID 2768 wrote to memory of 2940 2768 explothe.exe 97 PID 2768 wrote to memory of 2940 2768 explothe.exe 97 PID 2940 wrote to memory of 404 2940 cmd.exe 99 PID 2940 wrote to memory of 404 2940 cmd.exe 99 PID 2940 wrote to memory of 404 2940 cmd.exe 99 PID 2940 wrote to memory of 5044 2940 cmd.exe 100 PID 2940 wrote to memory of 5044 2940 cmd.exe 100 PID 2940 wrote to memory of 5044 2940 cmd.exe 100 PID 2940 wrote to memory of 2760 2940 cmd.exe 101 PID 2940 wrote to memory of 2760 2940 cmd.exe 101 PID 2940 wrote to memory of 2760 2940 cmd.exe 101 PID 2940 wrote to memory of 4804 2940 cmd.exe 102 PID 2940 wrote to memory of 4804 2940 cmd.exe 102 PID 2940 wrote to memory of 4804 2940 cmd.exe 102 PID 2940 wrote to memory of 4780 2940 cmd.exe 103 PID 2940 wrote to memory of 4780 2940 cmd.exe 103 PID 2940 wrote to memory of 4780 2940 cmd.exe 103 PID 2940 wrote to memory of 1484 2940 cmd.exe 104 PID 2940 wrote to memory of 1484 2940 cmd.exe 104 PID 2940 wrote to memory of 1484 2940 cmd.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe"C:\Users\Admin\AppData\Local\Temp\d0c2f16d854f2a43aa1e6953688db2ca945fdc7bb7578431f3ff430ebfa6dc04.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aP28RD.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aP28RD.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4080 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F4⤵
- Creates scheduled task(s)
PID:4056
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:404
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"5⤵PID:5044
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E5⤵PID:2760
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:4804
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"5⤵PID:4780
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E5⤵PID:1484
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dp344ZR.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dp344ZR.exe2⤵
- Executes dropped EXE
PID:4956
-
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:3880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:5116
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
219KB
MD57e504fb708d15ee0fecda301c71b1419
SHA1a9bb242eaa851dd225365679629c04d54116c481
SHA2565b4b5dc4c74d34e0d27e351e9b0b01162f8ec4155269b2540d6546068c3b66b1
SHA51296e6ca35a624ce5d9a48202f9ee9c93a879c42969bcbe537619e8784c1557790dedaea91160cea1b4ffbabc03fd034277639ffc0fba8aa2063e6dad41d37dcce
-
Filesize
221KB
MD505d001a237e17bc14f3e7484fb69aee3
SHA15983977e147f3fadf6e9f5f4847eddd5bd7278e4
SHA256e9636a9bcdb3c6f554a50b6a23c91f0acdf7514ccbc48200b59e4a2384c04989
SHA5126f9163c2e439be5038f7fc35541706b93de07a6f4703b6da3d9b550f35f773eb9310f230f5a615732d9340466bbdb880ff43b7739cce3a78855133c2aabb3871