Overview
overview
10Static
static
335c135016a...ef.exe
windows10-2004-x64
103ab23a3036...c6.exe
windows10-2004-x64
103b8cd7306b...71.exe
windows10-2004-x64
103ea65c50a2...63.exe
windows7-x64
33ea65c50a2...63.exe
windows10-2004-x64
1051c9916d6f...bf.exe
windows10-2004-x64
1053cf9b6e16...08.exe
windows10-2004-x64
1064792ffeec...35.exe
windows10-2004-x64
1071d1420ff1...80.exe
windows10-2004-x64
107a08e2a624...2b.exe
windows10-2004-x64
107dbf05d83f...65.exe
windows7-x64
37dbf05d83f...65.exe
windows10-2004-x64
107f80787d38...fd.exe
windows10-2004-x64
109176ff0f1c...21.exe
windows10-2004-x64
10babd836631...1d.exe
windows10-2004-x64
10cbd8058875...48.exe
windows7-x64
3cbd8058875...48.exe
windows10-2004-x64
10d134576ca7...48.exe
windows10-2004-x64
10da09729d57...e8.exe
windows10-2004-x64
10dcfab037f7...a0.exe
windows10-2004-x64
10eca60134d9...3f.exe
windows10-2004-x64
10f16db96028...f1.exe
windows10-2004-x64
10f5957f382e...6a.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
35c135016a0f649443e821c488d88916ba73f8c81eba1b57cf92cbafb9cd49ef.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
3ab23a30366cb3cfeded88ccba1999ff26ead2bcde69af9aad7e2ed1fa054cc6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
3b8cd7306bcee474040656c20f071e99345caea6d53f3bae9bb55dfbe680b571.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Resource
win7-20240508-en
Behavioral task
behavioral5
Sample
3ea65c50a29c3ae43f9bd78041b110785429a768b3e006da768baaf12f327b63.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
53cf9b6e163fb85f7a2983777330f4b842b13db5809af32dc4a7847702037208.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
64792ffeeccbab6bb3d100eb7b35cb61c8c90b802e42d83350baf6d1ceefbb35.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
71d1420ff1b7b7e37d536b943d3ba7e0a2fa5972fce4156cbbc73c7416d49d80.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
7dbf05d83f893a3fd85e266599155069e13d532333012d62fa0a41a625878965.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7f80787d38486459a9c104bc8c42dd78c68e0e27411be54897379c415c7c73fd.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9176ff0f1ca08377671891eab2e7fd1bad29e129985b386e1486b543767b2721.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
babd836631e288a3898e6b871ded792269de5c0014085887296a642d03a14d1d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
Resource
win7-20240221-en
Behavioral task
behavioral17
Sample
cbd8058875fbf90f6f6a3c6825fab01a2bac4ffb1903f2a0405d451060ea1a48.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
d134576ca7416e71db7bd5aad43296de284dd20154fd0784d9bf45d27603fc48.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
da09729d570cd93ed61c515d8407a5f4b201aca65e870a52b3082a39645d32e8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
dcfab037f7269dd60bc810f260b86d7331030c746f879fa94f4b6bf922ae96a0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
eca60134d922b4bca2cb5060841b6d45581f33e04f763a9c118fc9f22e289e3f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f16db96028a7afeb1141a5506032310d36b0354cd63f796d585fdd9cd3b2c8f1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
f5957f382ef0f17bbf1d83cc0b5d4f133ae56c9c5a3101548b66b2462dbe9b6a.exe
Resource
win10v2004-20240508-en
General
-
Target
7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
-
Size
514KB
-
MD5
0fa62ebed394e0d1ca75a047dfcd8883
-
SHA1
c320dd1803bf38cd5822882b9c3aed0c0d2df000
-
SHA256
7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b
-
SHA512
d36d9c9ce7042ca5942ec1a762e109c21a717057b6895b8d1b74892c6b08ff7b017c7142012685eb2112ac6800344910e8f2086980887641717db5a20fb437da
-
SSDEEP
12288:VMrNy90LyyzBA8YCgPxn4VxjSadSX9zheZnSW:cykXgPaSadSX9tmnSW
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
roma
77.91.68.56:19071
-
auth_value
f099c2cf92834dbc554a94e1456cf576
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral10/files/0x0008000000023431-20.dat healer behavioral10/memory/3040-21-0x00000000009F0000-0x00000000009FA000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a2141193.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a2141193.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a2141193.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a2141193.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a2141193.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a2141193.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral10/files/0x000700000002342c-43.dat family_redline behavioral10/memory/2588-45-0x0000000000230000-0x0000000000260000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation b4366386.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation danke.exe -
Executes dropped EXE 10 IoCs
pid Process 692 v8266423.exe 3340 v0782272.exe 3040 a2141193.exe 3800 b4366386.exe 4864 danke.exe 3192 c3646519.exe 2588 d8228646.exe 2340 danke.exe 8 danke.exe 4964 danke.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a2141193.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v8266423.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v0782272.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3646519.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3646519.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3646519.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3752 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3040 a2141193.exe 3040 a2141193.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3040 a2141193.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1192 wrote to memory of 692 1192 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe 83 PID 1192 wrote to memory of 692 1192 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe 83 PID 1192 wrote to memory of 692 1192 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe 83 PID 692 wrote to memory of 3340 692 v8266423.exe 84 PID 692 wrote to memory of 3340 692 v8266423.exe 84 PID 692 wrote to memory of 3340 692 v8266423.exe 84 PID 3340 wrote to memory of 3040 3340 v0782272.exe 85 PID 3340 wrote to memory of 3040 3340 v0782272.exe 85 PID 3340 wrote to memory of 3800 3340 v0782272.exe 88 PID 3340 wrote to memory of 3800 3340 v0782272.exe 88 PID 3340 wrote to memory of 3800 3340 v0782272.exe 88 PID 3800 wrote to memory of 4864 3800 b4366386.exe 89 PID 3800 wrote to memory of 4864 3800 b4366386.exe 89 PID 3800 wrote to memory of 4864 3800 b4366386.exe 89 PID 692 wrote to memory of 3192 692 v8266423.exe 90 PID 692 wrote to memory of 3192 692 v8266423.exe 90 PID 692 wrote to memory of 3192 692 v8266423.exe 90 PID 1192 wrote to memory of 2588 1192 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe 91 PID 1192 wrote to memory of 2588 1192 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe 91 PID 1192 wrote to memory of 2588 1192 7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe 91 PID 4864 wrote to memory of 3752 4864 danke.exe 92 PID 4864 wrote to memory of 3752 4864 danke.exe 92 PID 4864 wrote to memory of 3752 4864 danke.exe 92 PID 4864 wrote to memory of 4808 4864 danke.exe 93 PID 4864 wrote to memory of 4808 4864 danke.exe 93 PID 4864 wrote to memory of 4808 4864 danke.exe 93 PID 4808 wrote to memory of 1344 4808 cmd.exe 96 PID 4808 wrote to memory of 1344 4808 cmd.exe 96 PID 4808 wrote to memory of 1344 4808 cmd.exe 96 PID 4808 wrote to memory of 4432 4808 cmd.exe 97 PID 4808 wrote to memory of 4432 4808 cmd.exe 97 PID 4808 wrote to memory of 4432 4808 cmd.exe 97 PID 4808 wrote to memory of 5048 4808 cmd.exe 98 PID 4808 wrote to memory of 5048 4808 cmd.exe 98 PID 4808 wrote to memory of 5048 4808 cmd.exe 98 PID 4808 wrote to memory of 4820 4808 cmd.exe 99 PID 4808 wrote to memory of 4820 4808 cmd.exe 99 PID 4808 wrote to memory of 4820 4808 cmd.exe 99 PID 4808 wrote to memory of 4824 4808 cmd.exe 100 PID 4808 wrote to memory of 4824 4808 cmd.exe 100 PID 4808 wrote to memory of 4824 4808 cmd.exe 100 PID 4808 wrote to memory of 1576 4808 cmd.exe 101 PID 4808 wrote to memory of 1576 4808 cmd.exe 101 PID 4808 wrote to memory of 1576 4808 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe"C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
PID:3752
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1344
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵PID:4432
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵PID:5048
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4820
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵PID:4824
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵PID:1576
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3192
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe2⤵
- Executes dropped EXE
PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:2340
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:8
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:4964
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD5497cc12633c7b690fc84fe172ff0a210
SHA17e9536fcd70a4c9ad1648b6b6c03f73402d72839
SHA25653acb8295d1517e6cd156542b43e84bf57713a7962aa2feb2c787e5aa5603f5f
SHA512699c014824c4ddd1ff9eb0f3cc669ee626645f098687bf8e54bd3f4c780eb7adb72e92789f078fb3ebfa872e308e09727914ad3913ad21162fcadbe033020629
-
Filesize
359KB
MD5718ccdae6522b3565b00d5b5115a54a3
SHA12791911108e9025489c6a38e53a2d4647ae82ece
SHA25641ce2351f24593197ae25dd9ebdcd3c80ba4fae58ab0da8bed75214c7090d3fc
SHA5121c49c00dd8244dfe894531ffb34cf18db9d3067b0fe4471d3b049d7900933268b7290af53fe401db951746c800692b55b7222c56cf1c5d2ba7f9578e8cad6e05
-
Filesize
31KB
MD5314fa0836479755b541b458a7c348818
SHA1e19844a55994fe5b8b89eb9615b1b97f92836025
SHA256b4514de3acdd6e051b3bb0aa10353c14310c726bb338a007ab9d46b3843341a7
SHA512eb8d39b7cfe1b1a847549518b14b4ea85b98ec40bdfce423239560e48aee4cd6ea7f393ee81c916ab7aaa19024dfb33211c1991759a1a54f9a89afca0e98afd9
-
Filesize
235KB
MD53a307272bdc873647e125f30374ad454
SHA1ec3832c7facaf5951522ccda4873ddb9c6a66734
SHA256d1470ff18fc503704258b59863b706ddc9dd0b9ebddc89c3dcd6f37386590b9b
SHA5122ec0adcf2b9fac89e9c14f75b71af6c0b4669c0571c64ff552c301b9f0f81c31c3dd048fdd68de5a450b6675a7d406fa7645b91d9f589936a971b3ac65871cd3
-
Filesize
13KB
MD57fcbf387238b1edd626f4438f4754e56
SHA1fc497bfd4594da7fc54580773335d14e676672fc
SHA256f426ef07d2b5c8c64227e1d8d6ec1bc609e228255c341a1ac37ef90d4b477d7d
SHA5123f6021efd6a3a696bf654c713a4fbb1f7e1e7aaf4c5f03769faa772e895268152654b00fe02f5b6c88efa4eed86e1bcb122a385714ec0ccce4d5c61b7efd5176
-
Filesize
225KB
MD5c44455cce9ce61149ee6633001620646
SHA1c5e1b8ae1ad1490e76eccfaaa9381921afe6e86c
SHA25618ab09cc53d5236f8e572106e31040ff62f192115dad1518ea43ceb36c675730
SHA512d2cd6db8246ab5ce4285035ece5a9290759a5f309240afcdc0f5ab0592bca44e46e39e9c7fac3387d571e0a532c5af3b091348ae5b58750911ffc889b64ba50d