Overview
overview
10Static
static
319408d20ed...1b.exe
windows7-x64
319408d20ed...1b.exe
windows10-2004-x64
10209f361ec5...19.exe
windows7-x64
3209f361ec5...19.exe
windows10-2004-x64
102260e01650...fc.exe
windows10-2004-x64
1024b96bca46...df.exe
windows10-2004-x64
102a4e0bfefe...ad.exe
windows10-2004-x64
1030b28fbbc6...6a.exe
windows10-2004-x64
1045405e3261...66.exe
windows10-2004-x64
1055ab9707d2...50.exe
windows10-2004-x64
106568836094...3d.exe
windows10-2004-x64
1072a27ce3ad...a5.exe
windows10-2004-x64
109be0387d86...b9.exe
windows10-2004-x64
109d44150fdc...7d.exe
windows10-2004-x64
6b2402bf5ca...fa.exe
windows10-2004-x64
10c6bd926d58...44.exe
windows10-2004-x64
10cd321830f5...bc.exe
windows10-2004-x64
10cfcca94dd6...6e.exe
windows10-2004-x64
10dfa156ac28...ff.exe
windows10-2004-x64
10f1ae7fab47...cc.exe
windows10-2004-x64
10f25337a343...56.exe
windows10-2004-x64
10f5d16598bf...16.exe
windows7-x64
10f5d16598bf...16.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 17:57
Static task
static1
Behavioral task
behavioral1
Sample
19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
19408d20edf49736ff3e86b9c52dcd2bf4b3da61eff72888392b2de04e27351b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
209f361ec54d3eb7e8c1324ecea4c86835a53f08014f20d8acdb405a98c70e19.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
55ab9707d2ed04fd65eb47b64da270cf7fa47cedb721831c5dd0567bda7cc950.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
9d44150fdc90939c6efc8d7882f0d89238b77267f40bd7b9e9fdff66d41f587d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
c6bd926d58aa119662ccfb970124884439404950b8aa818378fa47a61a658a44.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
f1ae7fab47b54b57b64fe4b0569d28421b914cc77c243cf2d59a0645d15e8ecc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
Resource
win10v2004-20240508-en
General
-
Target
9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe
-
Size
514KB
-
MD5
b2a6158e5066da9cdf80f68a45607dbf
-
SHA1
9c0a1b48a8f821e1bfe1cb4266aed6fa30294c9c
-
SHA256
9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9
-
SHA512
c8a3d4dd40a4c1dcec017e78105426093d4be62bd931b72af4ab38cdce5cfef19eb3b74d2cd0c63e352bb6c3cd76ab08922f0ecc8c26f0bb159a7e393b914cf7
-
SSDEEP
12288:7MrVy90uCP6AGluvgTtGOTN8F3a56b3WEwjXh:iyG6AGsgTtLma6b2h
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
nasa
77.91.68.68:19071
-
auth_value
6da71218d8a9738ea3a9a78b5677589b
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral13/files/0x0008000000023438-19.dat healer behavioral13/memory/1756-21-0x0000000000ED0000-0x0000000000EDA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a1007008.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a1007008.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a1007008.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a1007008.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a1007008.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a1007008.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral13/files/0x0007000000023433-43.dat family_redline behavioral13/memory/1016-45-0x00000000004D0000-0x0000000000500000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation b8404512.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation danke.exe -
Executes dropped EXE 9 IoCs
pid Process 3636 v7929989.exe 2692 v0075279.exe 1756 a1007008.exe 4992 b8404512.exe 1428 danke.exe 3296 c7649135.exe 1016 d3259425.exe 3168 danke.exe 3216 danke.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1007008.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v7929989.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v0075279.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7649135.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7649135.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7649135.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4192 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1756 a1007008.exe 1756 a1007008.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1756 a1007008.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 2748 wrote to memory of 3636 2748 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe 82 PID 2748 wrote to memory of 3636 2748 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe 82 PID 2748 wrote to memory of 3636 2748 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe 82 PID 3636 wrote to memory of 2692 3636 v7929989.exe 83 PID 3636 wrote to memory of 2692 3636 v7929989.exe 83 PID 3636 wrote to memory of 2692 3636 v7929989.exe 83 PID 2692 wrote to memory of 1756 2692 v0075279.exe 85 PID 2692 wrote to memory of 1756 2692 v0075279.exe 85 PID 2692 wrote to memory of 4992 2692 v0075279.exe 95 PID 2692 wrote to memory of 4992 2692 v0075279.exe 95 PID 2692 wrote to memory of 4992 2692 v0075279.exe 95 PID 4992 wrote to memory of 1428 4992 b8404512.exe 97 PID 4992 wrote to memory of 1428 4992 b8404512.exe 97 PID 4992 wrote to memory of 1428 4992 b8404512.exe 97 PID 3636 wrote to memory of 3296 3636 v7929989.exe 98 PID 3636 wrote to memory of 3296 3636 v7929989.exe 98 PID 3636 wrote to memory of 3296 3636 v7929989.exe 98 PID 2748 wrote to memory of 1016 2748 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe 99 PID 2748 wrote to memory of 1016 2748 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe 99 PID 2748 wrote to memory of 1016 2748 9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe 99 PID 1428 wrote to memory of 4192 1428 danke.exe 100 PID 1428 wrote to memory of 4192 1428 danke.exe 100 PID 1428 wrote to memory of 4192 1428 danke.exe 100 PID 1428 wrote to memory of 624 1428 danke.exe 102 PID 1428 wrote to memory of 624 1428 danke.exe 102 PID 1428 wrote to memory of 624 1428 danke.exe 102 PID 624 wrote to memory of 972 624 cmd.exe 104 PID 624 wrote to memory of 972 624 cmd.exe 104 PID 624 wrote to memory of 972 624 cmd.exe 104 PID 624 wrote to memory of 4740 624 cmd.exe 105 PID 624 wrote to memory of 4740 624 cmd.exe 105 PID 624 wrote to memory of 4740 624 cmd.exe 105 PID 624 wrote to memory of 4904 624 cmd.exe 106 PID 624 wrote to memory of 4904 624 cmd.exe 106 PID 624 wrote to memory of 4904 624 cmd.exe 106 PID 624 wrote to memory of 4156 624 cmd.exe 107 PID 624 wrote to memory of 4156 624 cmd.exe 107 PID 624 wrote to memory of 4156 624 cmd.exe 107 PID 624 wrote to memory of 5116 624 cmd.exe 108 PID 624 wrote to memory of 5116 624 cmd.exe 108 PID 624 wrote to memory of 5116 624 cmd.exe 108 PID 624 wrote to memory of 2264 624 cmd.exe 109 PID 624 wrote to memory of 2264 624 cmd.exe 109 PID 624 wrote to memory of 2264 624 cmd.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe"C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
PID:4192
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:972
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵PID:4740
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵PID:4904
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:4156
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵PID:5116
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵PID:2264
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe2⤵
- Executes dropped EXE
PID:1016
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:3168
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:3216
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD5dad0a56b4a46dd107ee19b0841f142bf
SHA16fb7574d16cfe7930245c996dac1cb257e1b7580
SHA2568fd81175d2e88f745ed105bb2676d61fc344cac6e2123458239e7f59e729b0c3
SHA5128ac9950d75908f9d5f649d68b40e16d7b3561787a746316e58efec2d159e4de2f00b48d24b22c66754a281e4afc248f75fb20260a0d1d10803c8ca25bc360bdd
-
Filesize
359KB
MD5e8a9f3d6ecb4c26bd6bc4e71f4b05a15
SHA1dc1e9b1c73d4e69075851b0e5ce1b37a3fb6cdd7
SHA256a19ced96b752290321528be8392b26ecfc18bc8ec036dfd0ee2f3688b6e70040
SHA512b4443c8af6beca8ae5f837c9ab5db4b85c4656a9e0d541bcde462a94cac6a0ca8d30a77135202268fa07082248e0da0ae9987bea1f2d99091389ae65ef3565e1
-
Filesize
32KB
MD5f4d46a7d58b62aa1e9aff531b58f0e01
SHA11d8584b61f64d6774fddff01b1846d3ddadce4c7
SHA256ef5f0ad02d3591bb94f82ea5db1ecdd57de252068afd1e10dbd91de7f29fab3c
SHA512c9824b40aa89c62cadf50efafa8e4f133ae28cfa0a405a2525bf77a322b3d6e105080891e84a629133cbac2258e2417b1e8709e9e2fb24ba0ff838b7061d5459
-
Filesize
234KB
MD588082d7552ff97ce093ec66b5673e820
SHA15782bd873b13b7d0a27138a3a6bed8b006aeac62
SHA256b2b6d9ee0b8974e53102bf934aadfb3ac8bac356e845dda30459be570d5a49c0
SHA51265559606241fe01d7389cf6ea00040563e70e2de51f8701418e33921859db6e6d6884f1d56f8bf9daf02a3710b40165919c6cc2661f2f377121b8d38e23372df
-
Filesize
14KB
MD59e3e1c1a3c2e043e04527d7893c74f75
SHA116488d45358b3be09e4a1f6c9ace7686dcd1c4cb
SHA2562bda16ddd92a9e1e73f1ac0f3cbf821494cccffa7021e8aeeb0747b6b4afdd90
SHA512508b5897414f39c92ffe58f2c8fcdd13066eb31798a827bac800a57a357e5dfc144ea902e2c0b6b49cfb1ea7927b01ee95032a94d70eea4fdde6af168fcb1ac2
-
Filesize
227KB
MD585a74569a8064684aa9b3270f294d22e
SHA1b6d2cac2b9db6c71e7ea5ae3c14cf035049799a8
SHA256756e1e7fc4a14d9b2a028fe8953405d103d4cac220a79f1d0ee9c85aae1c2ef9
SHA51225942708ee0a4ab138bb3138655549388811c81c14beda1c9dd97d09fb792de3796c2a34d53e6d4a32ae055edf996346d5ef6d8ae6e792378b2ad048148d7cb9