30938a999b8...a3.exe
windows10-2004-x64
100ffce302b8...4a.exe
windows10-2004-x64
103b67ac2053...51.exe
windows7-x64
103b67ac2053...51.exe
windows10-2004-x64
104590646dc8...0a.exe
windows10-2004-x64
104869031eb8...36.exe
windows10-2004-x64
1060fc18182e...b7.exe
windows7-x64
360fc18182e...b7.exe
windows10-2004-x64
1067a45559c6...33.exe
windows10-2004-x64
1074375fb2d7...83.exe
windows7-x64
374375fb2d7...83.exe
windows10-2004-x64
107c0286554a...02.exe
windows10-2004-x64
108bdbf47835...d8.exe
windows7-x64
38bdbf47835...d8.exe
windows10-2004-x64
109048c42aba...63.exe
windows7-x64
39048c42aba...63.exe
windows10-2004-x64
10933ef5632c...f8.exe
windows10-2004-x64
10aa2355d799...b1.exe
windows7-x64
3aa2355d799...b1.exe
windows10-2004-x64
10ac1a519838...39.exe
windows10-2004-x64
10b8d6d40ceb...dc.exe
windows10-2004-x64
10c1b16d8ddb...05.exe
windows10-2004-x64
10cceb3dc1a5...0e.exe
windows10-2004-x64
10edcd11e45e...06.exe
windows10-2004-x64
10fa3e143197...a1.exe
windows10-2004-x64
Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
09-05-2024 17:35
Static task
static1
Behavioral task
behavioral1
Sample
0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
3b67ac2053cfcb67f4034907cf81e72d93541e06f86ab3ac73130c4036c07651.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
4590646dc86de08c227e10ecb3a0504d9c0abf060e54eec6a608fcac2fc5600a.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
4869031eb83eeff0929b84ddb6a50211c58c3773e9a4c610f1ffe9db5f968b36.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
60fc18182efb95a4ce4e1849473f7201f8de0caf9716fc85ddf837496b3ff3b7.exe
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
60fc18182efb95a4ce4e1849473f7201f8de0caf9716fc85ddf837496b3ff3b7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
67a45559c67180bac6f740ec616b9c74df65b1cb4a48219d705f41d667e2b233.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
74375fb2d74b7174b1444727d6bd1534918dce2deffdf037cfc3050c20679d83.exe
Resource
win7-20240508-en
Behavioral task
behavioral11
Sample
74375fb2d74b7174b1444727d6bd1534918dce2deffdf037cfc3050c20679d83.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
7c0286554ac9381c9063b805018449ecbbcd29f8ce4cd23f2f0899846f42c802.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
8bdbf47835c5a550c8e2c0097ef280b82cb81138f4766ff4ad2c7987f518d6d8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
9048c42abaabca33d5b7af1bcc44359b59b27e5665057af23d6189a59cedd063.exe
Resource
win7-20240419-en
Behavioral task
behavioral16
Sample
9048c42abaabca33d5b7af1bcc44359b59b27e5665057af23d6189a59cedd063.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
933ef5632cb9efcfdd066357d6d3cef5ee2fda4fda1ad8e2a5c8fa37a5e983f8.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
aa2355d799779408d9b50fa6ad3975c9eca4e30aa4405d6a01bf647c7c688db1.exe
Resource
win7-20240221-en
Behavioral task
behavioral19
Sample
aa2355d799779408d9b50fa6ad3975c9eca4e30aa4405d6a01bf647c7c688db1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
ac1a51983828d30d00c76912304628e7ad96b59348ac9377cf93c8f7c058dc39.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
b8d6d40ceb8eb4629f70f1a83e6e09e52da0cfffaf3354a4bdd9dcef75240adc.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
c1b16d8ddb22e16efecfa0c8e36f2388f5a13885f7633da10e0c7dbc1823f505.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
cceb3dc1a54d4e14e7b2dac2489e5cd6194c0f51b064f6e726229fb798deb20e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
edcd11e45efed930a5a9563c77aa25c91d52061edd71739f3b01b63568f9d706.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
fa3e1431975485964a90b92bb444c1ca0520a5e2b03b1d0b14d263f8802620a1.exe
Resource
win10v2004-20240426-en
General
-
Target
0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe
-
Size
515KB
-
MD5
61851f50c158cd9fcc18c48feffee95c
-
SHA1
f9926f92e902278822d4e8cc96ea0ad60df70fea
-
SHA256
0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a
-
SHA512
7ce29f03b9040535c75e9416bc8039f2282b66ba742a0dd2e08e752c4def86c531388cceea134f6da68261a87cfdb1f03544e07d8d6f186d35f8b4ca16348c5c
-
SSDEEP
12288:AMrry90FXrxLoTcDl8UEJOwXdRVr3qmVRhSNF4+1uRte1:by2b9ccZ8UEJ1NvdA8+sRte1
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Signatures
-
Detects Healer, an antivirus disabler dropper, 2 IoCs
resource yara_rule behavioral2/files/0x000800000002344b-20.dat healer behavioral2/memory/2420-22-0x0000000000070000-0x000000000007A000-memory.dmp healer -
Modifies Windows Defender Real-time Protection settings
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a0869362.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a0869362.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a0869362.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a0869362.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a0869362.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a0869362.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral2/files/0x0007000000023446-43.dat family_redline behavioral2/memory/2844-45-0x00000000001E0000-0x0000000000210000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation b8308802.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation pdates.exe -
Executes dropped EXE 9 IoCs
pid Process 4860 v3140559.exe 3116 v2968486.exe 2420 a0869362.exe 724 b8308802.exe 4904 pdates.exe 1344 c4433994.exe 2844 d1653468.exe 980 pdates.exe 4928 pdates.exe -
Windows security modification
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0869362.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3140559.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v2968486.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandbox environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c4433994.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c4433994.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c4433994.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4708 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2420 a0869362.exe 2420 a0869362.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2420 a0869362.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 724 b8308802.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1872 wrote to memory of 4860 1872 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe 82 PID 1872 wrote to memory of 4860 1872 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe 82 PID 1872 wrote to memory of 4860 1872 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe 82 PID 4860 wrote to memory of 3116 4860 v3140559.exe 83 PID 4860 wrote to memory of 3116 4860 v3140559.exe 83 PID 4860 wrote to memory of 3116 4860 v3140559.exe 83 PID 3116 wrote to memory of 2420 3116 v2968486.exe 85 PID 3116 wrote to memory of 2420 3116 v2968486.exe 85 PID 3116 wrote to memory of 724 3116 v2968486.exe 96 PID 3116 wrote to memory of 724 3116 v2968486.exe 96 PID 3116 wrote to memory of 724 3116 v2968486.exe 96 PID 724 wrote to memory of 4904 724 b8308802.exe 98 PID 724 wrote to memory of 4904 724 b8308802.exe 98 PID 724 wrote to memory of 4904 724 b8308802.exe 98 PID 4860 wrote to memory of 1344 4860 v3140559.exe 99 PID 4860 wrote to memory of 1344 4860 v3140559.exe 99 PID 4860 wrote to memory of 1344 4860 v3140559.exe 99 PID 1872 wrote to memory of 2844 1872 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe 100 PID 1872 wrote to memory of 2844 1872 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe 100 PID 1872 wrote to memory of 2844 1872 0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe 100 PID 4904 wrote to memory of 4708 4904 pdates.exe 101 PID 4904 wrote to memory of 4708 4904 pdates.exe 101 PID 4904 wrote to memory of 4708 4904 pdates.exe 101 PID 4904 wrote to memory of 4344 4904 pdates.exe 103 PID 4904 wrote to memory of 4344 4904 pdates.exe 103 PID 4904 wrote to memory of 4344 4904 pdates.exe 103 PID 4344 wrote to memory of 3304 4344 cmd.exe 105 PID 4344 wrote to memory of 3304 4344 cmd.exe 105 PID 4344 wrote to memory of 3304 4344 cmd.exe 105 PID 4344 wrote to memory of 4200 4344 cmd.exe 106 PID 4344 wrote to memory of 4200 
4344 cmd.exe 106 PID 4344 wrote to memory of 4200 4344 cmd.exe 106 PID 4344 wrote to memory of 2528 4344 cmd.exe 107 PID 4344 wrote to memory of 2528 4344 cmd.exe 107 PID 4344 wrote to memory of 2528 4344 cmd.exe 107 PID 4344 wrote to memory of 3020 4344 cmd.exe 108 PID 4344 wrote to memory of 3020 4344 cmd.exe 108 PID 4344 wrote to memory of 3020 4344 cmd.exe 108 PID 4344 wrote to memory of 972 4344 cmd.exe 109 PID 4344 wrote to memory of 972 4344 cmd.exe 109 PID 4344 wrote to memory of 972 4344 cmd.exe 109 PID 4344 wrote to memory of 1600 4344 cmd.exe 110 PID 4344 wrote to memory of 1600 4344 cmd.exe 110 PID 4344 wrote to memory of 1600 4344 cmd.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe"C:\Users\Admin\AppData\Local\Temp\0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3140559.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3140559.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2968486.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2968486.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0869362.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0869362.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8308802.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8308802.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
PID:4708
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3304
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵PID:4200
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵PID:2528
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3020
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵PID:972
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵PID:1600
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4433994.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4433994.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1344
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1653468.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1653468.exe2⤵
- Executes dropped EXE
PID:2844
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:980
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:4928
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Scheduled Task/Job 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Scheduled Task/Job 1
Downloads
-
Filesize
174KB
MD5 6465844a90fa05f3d45f8c8108a84670
SHA1 f80df1d6d7eb1bebca2fb91efb646a83ee5a9caf
SHA256 f74efae7d1faeb610d44dd89f2e61a99e01cf1e2b9c1a7faa817c23055151eeb
SHA512 1a6ddfe6b5a0fc3233245730a9f23551c505b2ed4837114efcb1b47b6c4e6da9e0bb63928ca67625c3596513c8597e301252840ed7001dd08b200c41a97987a5
-
Filesize
359KB
MD5 829b6c6ced5e89cbc5267ca4732d7f8f
SHA1 f0ada1c7598666359da9f1caca987b02b5888dfe
SHA256 04c7df80c9a520ba741cdb4245f8bb728ed31a5970a90924bb9984bad13c1d09
SHA512 63a7bbaa9731a9318b0a8c703e445424c77f12031fb4ab3f718f46a426b285ae7db7ccc4591c2055ede96cc015b713106ce7a9be6f7fc5e4677c53f3f2370659
-
Filesize
35KB
MD5 5e08b4f966bda21f6e34f49f59ce29f0
SHA1 83dfb6cba2c8b318e5a61095fc7769a41e354296
SHA256 c28cce242a56daa7158ba4a0520df04a36b47fed2c0dd300d717293a78aaa3e4
SHA512 3db0d5f9bbe69b00274862b1452839db8f1bf7edc7bcfaa1a12b7dfab217d904a23d0e94a080b18dc23c68174e3912175b65259fb80d3f9ddf00b92a1b0b70e2
-
Filesize
234KB
MD5 f88bac73ec5e5f8b9d707194ba3a3b6c
SHA1 0181927195d8a9e5ff905a5e97e75ada5ae35259
SHA256 8cb650aa6c29e02c099c14f37fca10688bd921723c8300576fcbf1093a97faba
SHA512 a5c265329b3fa923fbdeff2eedc21baa815b89113331441b5dce8176a8324e5cc89fa3c58d704b8c11d568d86abbd76e64fd17354c4dd34705fd9f14691022a8
-
Filesize
11KB
MD5 ba447d378a1267606b1f361624acb6e8
SHA1 41ce7255de8d20141e4813e6ca50228c8622644b
SHA256 6ef1b37a60a7c7c234da28d5ae1ec21c4dbceab4088a121f0cd55eb163f75668
SHA512 7a8c8a548822f74c5b40c99284085939ff89a392ed73e100516aa5ac77511535d5d4563dbe9912e3e70472bf71b0d74581cc806db20fc9c79c1d519067e4c16f
-
Filesize
224KB
MD5 ac90754b60676e187253605f012db42a
SHA1 162c031c73480695d828ba8e1803a1caef8f3f79
SHA256 6284c6c4766710744f721f48e4dadf494f685f01956b0ae07793f39bf60a95d9
SHA512 6958753d3315d43648f7e7c2787abab3687162d8fb1bd3a8b90e96355d97752266cb961179bc3df6c075a58192437b2575326892c639b7ed772512fa2696f712