30237b61e61...e4.exe
windows7-x64
30237b61e61...e4.exe
windows10-2004-x64
100cbf9c5b59...f9.exe
windows10-2004-x64
100edb945c8d...dd.exe
windows10-2004-x64
1013ca0bbb32...3f.exe
windows10-2004-x64
101465a638f9...f2.exe
windows10-2004-x64
101b0729839d...dd.exe
windows10-2004-x64
1027bf431b08...9f.exe
windows10-2004-x64
1034b8fdeeaf...27.exe
windows10-2004-x64
10488c7cb3b3...18.exe
windows10-2004-x64
104bc64c0375...75.exe
windows10-2004-x64
104f85c3e4ec...fe.exe
windows10-2004-x64
1055b18033bb...53.exe
windows7-x64
355b18033bb...53.exe
windows10-2004-x64
1060e7e1ac00...07.exe
windows10-2004-x64
10979a97cb16...99.exe
windows10-2004-x64
10b3eb736a5d...9f.exe
windows10-2004-x64
10d57352b171...d0.exe
windows10-2004-x64
10d62f03a558...b6.exe
windows10-2004-x64
10e72a6e51db...6d.exe
windows10-2004-x64
10f5c9c18cca...6b.exe
windows10-2004-x64
10fdb9b25099...78.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
09-05-2024 12:56
Static task
static1
Behavioral task
behavioral1
Sample
0237b61e61fe845c052d94e1696f694fd1c69b55134971372a39facd025272e4.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
0237b61e61fe845c052d94e1696f694fd1c69b55134971372a39facd025272e4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
0cbf9c5b5986e5ea6119fe8fc3da31af9c240982a4a7cfed5ca9fb56c4d768f9.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
0edb945c8dd154bc423c54a58705917964bbfb8f0391f3350b75f33df5c740dd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
13ca0bbb3221adeaf830fc435756121e64e03f342fec62e30bcd13f7d5c1083f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
1465a638f9237c41616fc372bd66b6e66553baab8af20a969337be53108abaf2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
1b0729839d14f565e8de6c35f683e4cf6c401cc652ea06fe9d0da0c95e9abadd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
34b8fdeeafe15c31ab10314949d8d534bca5cfd6995d47dbab8b3506a2847a27.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
488c7cb3b3ae680032b59617bf38fb807c934eab7717cda13ee71996311ea718.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
4bc64c0375f3ffea0f45741a1f4ed6af4f66e8f13084960da4aeb003e9f45675.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
4f85c3e4ec4db9780db30f402a82cf4f34e6d0a934cf7eb35d8bdb58e46d06fe.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
55b18033bb16a6ebd933d4b24c7828c19ea0ec0937cbb06be066053c204d9753.exe
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
55b18033bb16a6ebd933d4b24c7828c19ea0ec0937cbb06be066053c204d9753.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
60e7e1ac00410438a148bcba6a92dbac02c94531491c577d988a49e9c281cf07.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
979a97cb16762728856ff5dd929cb625d1673048544e092731742005342da799.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
b3eb736a5d62ca99c3bb61ab1572ce044dd3f3d33a0f83509bfc2cb1204b0b9f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
d57352b17144065c6fd05a0807532115ba9622e99b096ac4432dd312359b06d0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
d62f03a5584e3ca2265a79bdd4e0fb0add3d0412b01568178f46f8dcecf881b6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
e72a6e51dbac1e6313459eab1ffc1832d973b0fd23fe10aba5acdee9ba028f6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
f5c9c18ccaa6f832b0b5e79345b5442c799774303bf84ea96f45d3c21b2a1f6b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
fdb9b250992b8c5988cfe05d255d96db5dd1d7a3ac4959de26b8546038f10c78.exe
Resource
win10v2004-20240508-en
General
-
Target
27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe
-
Size
514KB
-
MD5
05b1bd5fc4cfbb5ac811b1085e421a0e
-
SHA1
cc9da7c9ffe07eac65e1c6b57d62f820a9b75e99
-
SHA256
27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f
-
SHA512
8b84c660b2a8819f5bf546405f63c359e9836fba5d4145878afbe02c98a1d30d6380df9e70a9f819494a89f6c3a5f3fd1b86ea2e1218ab5834490ef790d41c65
-
SSDEEP
12288:bMrFy90nQ3cYBUovwEOAjj3pvqur9J1VpR8/G98aYE03ZoRU:iyBsOUovwsjjMupbR2GSVlJoe
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Signatures
-
Detects Healer, an antivirus-disabler dropper 2 IoCs
resource yara_rule behavioral8/files/0x000800000002344d-20.dat healer behavioral8/memory/1980-21-0x0000000000440000-0x000000000044A000-memory.dmp healer -
Modifies Windows Defender Real-time Protection settings
The Healer stage (a8274244.exe, running with SeDebugPrivilege per the signature below) creates the Real-Time Protection policy key and sets DisableBehaviorMonitoring, DisableIOAVProtection, DisableOnAccessProtection, DisableRealtimeMonitoring and DisableScanOnRealtimeEnable to 1. These live under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, a location normally written only by Group Policy, so writes to it from a user-dropped binary in %TEMP% are a high-fidelity detection and should be reverted during remediation.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a8274244.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a8274244.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a8274244.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a8274244.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a8274244.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a8274244.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020. The extracted configuration above gives this build's C2 as 77.91.124.84:19071 with the botnet/campaign tag "lande"; the payload is the d4707782.exe stage (PID 808) identified by the family_redline rule below.
-
RedLine payload 2 IoCs
resource yara_rule behavioral8/memory/808-45-0x0000000000140000-0x0000000000170000-memory.dmp family_redline behavioral8/files/0x0007000000023447-44.dat family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014. Note that, unlike Amadey and RedLine, no SmokeLoader configuration or SmokeLoader-specific IoCs appear anywhere in this report, so this family tag rests on a detection rule alone and should be treated as lower confidence until confirmed (e.g. from memory dumps or network traffic).
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), most likely to geofence execution by victim locale. Both the b8596918.exe dropper and the installed pdates.exe (Amadey) perform the query.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation b8596918.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation pdates.exe -
Executes dropped EXE 9 IoCs
pid Process 3052 v4549806.exe 4596 v1515895.exe 1980 a8274244.exe 4408 b8596918.exe 4332 pdates.exe 2696 c9178124.exe 808 d4707782.exe 64 pdates.exe 4852 pdates.exe -
Windows security modification
The same Healer stage (a8274244.exe) writes TamperProtection = 0 under the Defender Features key. On builds where Tamper Protection is enabled, Defender ignores direct registry edits to this value, so the write being logged does not prove it took effect; confirm the post-run state rather than assuming Tamper Protection was disabled.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8274244.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v4549806.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v1515895.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments (disk vendor/model strings under Enum\SCSI can reveal a virtual disk). Here the query comes from c9178124.exe (PID 2696).
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c9178124.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c9178124.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c9178124.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here pdates.exe, the Amadey install_file from the extracted config, runs `schtasks /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F`, re-launching itself every minute; the two standalone pdates.exe instances at the bottom of the process tree (PIDs 64 and 4852) are most likely that task firing. Its companion cmd.exe (PID 4476) then uses CACLS to apply a deny ACL (Admin:N) followed by read-only (Admin:R) on pdates.exe and its directory, which hampers manual cleanup — remediation should delete the scheduled task first and reset those ACLs before removing the files.
pid Process 4948 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1980 a8274244.exe 1980 a8274244.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1980 a8274244.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 3480 wrote to memory of 3052 3480 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe 83 PID 3480 wrote to memory of 3052 3480 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe 83 PID 3480 wrote to memory of 3052 3480 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe 83 PID 3052 wrote to memory of 4596 3052 v4549806.exe 84 PID 3052 wrote to memory of 4596 3052 v4549806.exe 84 PID 3052 wrote to memory of 4596 3052 v4549806.exe 84 PID 4596 wrote to memory of 1980 4596 v1515895.exe 85 PID 4596 wrote to memory of 1980 4596 v1515895.exe 85 PID 4596 wrote to memory of 4408 4596 v1515895.exe 95 PID 4596 wrote to memory of 4408 4596 v1515895.exe 95 PID 4596 wrote to memory of 4408 4596 v1515895.exe 95 PID 4408 wrote to memory of 4332 4408 b8596918.exe 96 PID 4408 wrote to memory of 4332 4408 b8596918.exe 96 PID 4408 wrote to memory of 4332 4408 b8596918.exe 96 PID 3052 wrote to memory of 2696 3052 v4549806.exe 97 PID 3052 wrote to memory of 2696 3052 v4549806.exe 97 PID 3052 wrote to memory of 2696 3052 v4549806.exe 97 PID 3480 wrote to memory of 808 3480 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe 98 PID 3480 wrote to memory of 808 3480 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe 98 PID 3480 wrote to memory of 808 3480 27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe 98 PID 4332 wrote to memory of 4948 4332 pdates.exe 99 PID 4332 wrote to memory of 4948 4332 pdates.exe 99 PID 4332 wrote to memory of 4948 4332 pdates.exe 99 PID 4332 wrote to memory of 4476 4332 pdates.exe 101 PID 4332 wrote to memory of 4476 4332 pdates.exe 101 PID 4332 wrote to memory of 4476 4332 pdates.exe 101 PID 4476 wrote to memory of 5016 4476 cmd.exe 103 PID 4476 wrote to memory of 5016 4476 cmd.exe 103 PID 4476 wrote to memory of 5016 4476 cmd.exe 103 PID 4476 wrote to memory of 4532 4476 cmd.exe 104 PID 4476 wrote to memory of 4532 
4476 cmd.exe 104 PID 4476 wrote to memory of 4532 4476 cmd.exe 104 PID 4476 wrote to memory of 3340 4476 cmd.exe 105 PID 4476 wrote to memory of 3340 4476 cmd.exe 105 PID 4476 wrote to memory of 3340 4476 cmd.exe 105 PID 4476 wrote to memory of 4944 4476 cmd.exe 106 PID 4476 wrote to memory of 4944 4476 cmd.exe 106 PID 4476 wrote to memory of 4944 4476 cmd.exe 106 PID 4476 wrote to memory of 3048 4476 cmd.exe 107 PID 4476 wrote to memory of 3048 4476 cmd.exe 107 PID 4476 wrote to memory of 3048 4476 cmd.exe 107 PID 4476 wrote to memory of 2692 4476 cmd.exe 108 PID 4476 wrote to memory of 2692 4476 cmd.exe 108 PID 4476 wrote to memory of 2692 4476 cmd.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe"C:\Users\Admin\AppData\Local\Temp\27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4549806.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4549806.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1515895.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1515895.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8274244.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8274244.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8596918.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8596918.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
PID:4948
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:5016
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵PID:4532
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵PID:3340
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4944
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵PID:3048
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵PID:2692
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9178124.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9178124.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2696
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4707782.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4707782.exe2⤵
- Executes dropped EXE
PID:808
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:64
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:4852
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Create or Modify System Process (1)
Windows Service (1)
Scheduled Task/Job (1)
Downloads
-
Filesize
172KB
MD5 324b9c52a440df10451ea56cddbb933f
SHA1 79a4aac847a6e13f4309434507cf418d1db1a0be
SHA256 ebdd5ae808c56954a715afbc029e8d8c58ee33b8a9351d83031a9a7cef0441e4
SHA512 881f26d3c69f4dde394ce450c9ec742f8a90932430bdf69986fdf72fd48bdea9e786272a0acd5ba24e1904d0f434e93794fdf3145ff5104c8e37f083e79c373f
-
Filesize
359KB
MD5 9687f62b277e9e4c38388e52a3914ca6
SHA1 a9cd5f4023526c8df5d9442244133c8c5471d057
SHA256 daa2762feeb31382796706720fe749e99ab594f942baf09480423a79c3c6d383
SHA512 58560f27f3ed5040564a8d270fd67dbe0c3212649e3c46df89b89516e140a6f88c4a4f000562cdb02607b777ed86cc0a6207980e46530ba689bb0d27f9f9df9b
-
Filesize
35KB
MD5 25142518552111557da73643ef6ace9e
SHA1 505a10b7ad3556ef3af75354a2aae0a061e19a0a
SHA256 dea04fdae7f23df334a0481f22f9fdb14ca4b9c99cfacbca80d160ac1ec05927
SHA512 44cdfdb33a767bdcc14c1fcb0e251332fa48d929b47244536adcd5b2ee596bf017fd9b802684b7e8d9102c0094453c291b72238260acb013b46e17e9ad6440dc
-
Filesize
234KB
MD5 a7fff079383e825173137379ab670cd5
SHA1 1fc0bf08810633f1e20c0c350ba50042e95bf6ec
SHA256 21854cd5d1a30272f224300bcd8b41a10c020cd805952a6fa59d6e97d7052294
SHA512 4371434fbc5f814d7c93ad3b7506f6b9d95aeabb7923bbb7739daa97a3d54e3ebe4dfecb92cc5eeca8750c5bc60c3fecabe73dece70feb0142118af2a50109d4
-
Filesize
12KB
MD5 dd8411c84825addf4c2fb62ea2de05e7
SHA1 94eee2c85a6cf96bac81febe04a23f0d4996d87a
SHA256 03e09dd7805602f105f3744033d0db0937e6f08145c0245c916d5fd1ddec18b2
SHA512 3a78176b1214c2af3bedb1822c6da3874d5d50e1a00efc40e220f77cfd79b42cb402e4162af05b8d1b805188f6eb57843863403256a218c978d91d9442d7fd2b
-
Filesize
224KB
MD5 0c18ddfc5cf775eb6ac1c62de1fedc90
SHA1 da280fea7c358272c21dc5c5372e32454ef99b0d
SHA256 4986eb6b0771f1600534231e29d7dad8f1a124763664535c485fe2db4ab8f403
SHA512 a3c8e5f994c4ff4bbb9f46c57fd8118fc69ce41f6c4f7c91d04fb06ffd31f9c5452a6734f6c1c45513c89f4cf89e97d3bdb63468033c100ee87213627a7f8afa