Overview
overview
10Static
static
327efa43e16...c1.exe
windows10-2004-x64
102fd7c050fb...83.exe
windows10-2004-x64
1031714e287a...59.exe
windows10-2004-x64
104663b4277c...a5.exe
windows10-2004-x64
104ef1a0149d...77.exe
windows10-2004-x64
1055de348478...bf.exe
windows10-2004-x64
1062e08aa290...71.exe
windows10-2004-x64
107c2b1a4696...86.exe
windows10-2004-x64
109712f3ca55...1a.exe
windows10-2004-x64
10a2578cb8fe...19.exe
windows10-2004-x64
10a2e15ecbc2...3e.exe
windows10-2004-x64
10bc1039ea1a...c2.exe
windows10-2004-x64
10c7a4524e38...ae.exe
windows10-2004-x64
10f47fb04ed8...65.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 11:02
Static task
static1
Behavioral task
behavioral1
Sample
27efa43e160a77456643b18b13206f1f8a13410ef51729dbe8fa2997f36694c1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
31714e287ace88f54febd6e8f4714a27d61ad35bc95ab8b019334acebd9cd459.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
4ef1a0149daef80693bc6f0b8f8337399c8687c08ca4792d24e3bdaab9bf6f77.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
55de348478f00c0877bff6a44118e1b412443ef85c1e45f12245fb8483acb6bf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
62e08aa2909617f096cde8be4d834830bdad6f0907e76c051970413bb9a81571.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7c2b1a4696daa48a0b33a675af61f83d79ca86e3128c3e721bb51e375d18c386.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
9712f3ca55a69dc82a720b41eeb39aa2d2482719c764715d774a1d1d1d11ea1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
a2578cb8fe72f0748c7fe615457b7d6aaf54e7985f27f459156f659d0937f119.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
a2e15ecbc2385dacd7bc1a3a58a295213fdccc9cc1f85d38c2a7ab13a599f33e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
bc1039ea1a02cf1e898c7cea2600cac8f44dbf43b2b49c31da3024ffd998a7c2.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
c7a4524e38a070acf6ba7d4865de5125063cd4a021a47872adb720277271f3ae.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
f47fb04ed8077b20b9ca93eddc8ce4a4f05ca4367177fba67c1d87d2831d1865.exe
Resource
win10v2004-20240426-en
General
-
Target
2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe
-
Size
390KB
-
MD5
88cd3287b5c63e0998547f5d6f44ee26
-
SHA1
34ee86ef1950746fb4c38d73de30714f35a49dc9
-
SHA256
2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783
-
SHA512
66881b34422644be2eb840992e90f73429d30018aec01c75c349a6041bce6aa279afe71adb404391371a55caad733a907b6cc6f4a9af86b2201bfed9523bd32b
-
SSDEEP
6144:Kuy+bnr+Sp0yN90QEnqLaM6P8is7lQuxVkkm2ptpk9h28:GMray90GJtKuikmAq9k8
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023421-25.dat healer behavioral2/memory/4480-27-0x0000000000140000-0x000000000014A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection h3322917.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" h3322917.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" h3322917.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" h3322917.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" h3322917.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" h3322917.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/files/0x000700000002341e-30.dat family_redline behavioral2/memory/1916-32-0x0000000000010000-0x0000000000040000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation g4719279.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation danke.exe -
Executes dropped EXE 8 IoCs
pid Process 2780 x5924303.exe 1688 g4719279.exe 2600 danke.exe 4480 h3322917.exe 1916 j2498725.exe 4924 danke.exe 5072 danke.exe 664 danke.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" h3322917.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x5924303.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4832 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4480 h3322917.exe 4480 h3322917.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4480 h3322917.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 1016 wrote to memory of 2780 1016 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe 83 PID 1016 wrote to memory of 2780 1016 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe 83 PID 1016 wrote to memory of 2780 1016 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe 83 PID 2780 wrote to memory of 1688 2780 x5924303.exe 84 PID 2780 wrote to memory of 1688 2780 x5924303.exe 84 PID 2780 wrote to memory of 1688 2780 x5924303.exe 84 PID 1688 wrote to memory of 2600 1688 g4719279.exe 86 PID 1688 wrote to memory of 2600 1688 g4719279.exe 86 PID 1688 wrote to memory of 2600 1688 g4719279.exe 86 PID 2780 wrote to memory of 4480 2780 x5924303.exe 87 PID 2780 wrote to memory of 4480 2780 x5924303.exe 87 PID 2600 wrote to memory of 4832 2600 danke.exe 88 PID 2600 wrote to memory of 4832 2600 danke.exe 88 PID 2600 wrote to memory of 4832 2600 danke.exe 88 PID 2600 wrote to memory of 1092 2600 danke.exe 90 PID 2600 wrote to memory of 1092 2600 danke.exe 90 PID 2600 wrote to memory of 1092 2600 danke.exe 90 PID 1092 wrote to memory of 5000 1092 cmd.exe 92 PID 1092 wrote to memory of 5000 1092 cmd.exe 92 PID 1092 wrote to memory of 5000 1092 cmd.exe 92 PID 1092 wrote to memory of 2684 1092 cmd.exe 93 PID 1092 wrote to memory of 2684 1092 cmd.exe 93 PID 1092 wrote to memory of 2684 1092 cmd.exe 93 PID 1092 wrote to memory of 3056 1092 cmd.exe 94 PID 1092 wrote to memory of 3056 1092 cmd.exe 94 PID 1092 wrote to memory of 3056 1092 cmd.exe 94 PID 1092 wrote to memory of 4192 1092 cmd.exe 95 PID 1092 wrote to memory of 4192 1092 cmd.exe 95 PID 1092 wrote to memory of 4192 1092 cmd.exe 95 PID 1092 wrote to memory of 2316 1092 cmd.exe 96 PID 1092 wrote to memory of 2316 1092 cmd.exe 96 PID 1092 wrote to memory of 2316 1092 cmd.exe 96 PID 1092 wrote to memory of 2324 1092 cmd.exe 97 PID 1092 wrote to memory of 2324 1092 cmd.exe 97 PID 1092 wrote to memory of 2324 1092 cmd.exe 97 PID 1016 wrote to memory of 1916 1016 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe 100 PID 1016 wrote to memory of 1916 1016 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe 100 PID 1016 wrote to memory of 1916 1016 2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe"C:\Users\Admin\AppData\Local\Temp\2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5924303.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5924303.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4719279.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4719279.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F5⤵
- Creates scheduled task(s)
PID:4832
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:5000
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"6⤵PID:2684
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E6⤵PID:3056
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4192
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"6⤵PID:2316
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E6⤵PID:2324
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3322917.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3322917.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2498725.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2498725.exe2⤵
- Executes dropped EXE
PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:4924
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:5072
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:664
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
172KB
MD508fd147a1e9edded8d0bd4e2d606b190
SHA13751f9a867c5a9754d058ba1dcd475e2d4acf85d
SHA256af53befab6e920f24d498773a18ceff54ab78c6f9a8f2609d4cd693486db7eb9
SHA512645f0c318608308e011c563030a25fec36e199fe9c74a6b684a0008a7c75af6771728276414db61495316deb032bd6cb006779fef39abf68afb92ec16c629a2a
-
Filesize
234KB
MD5799a816ea4d3026a25c673503b6821ea
SHA174fcbc62374af486599c392a94afc6859ede3fad
SHA25631e450f20ad58e7cc3658ccccd0a02b68dcd50f18461a0f3080264a3aac5bf75
SHA51297c5bfc0a370d44ab6fbd17a7d2b81e30e7e70c5de8e0b0b77f00a226052af23654014ab0062588b1c557cd3ab3bb2214a50dfe967838c51ae5c0f8248430c5d
-
Filesize
224KB
MD58c6b79ec436d7cf6950a804c1ec7d3e9
SHA14a589d5605d8ef785fdc78b0bf64e769e3a21ad6
SHA2564e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d
SHA51206f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91