Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 17:57
Static task: static1
General
Target: 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
Size: 514KB
MD5: ad9443ce5e431e8295fd202f57cf1d6d
SHA1: 330ab81f8d5d8360f11e9e15f6829608c3ed666e
SHA256: 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc
SHA512: d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb
SSDEEP: 12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh
Malware Config

Extracted: amadey
Version: 3.86
C2: http://77.91.68.61
install_dir: 925e7e99c5
install_file: pdates.exe
strings_key: ada76b8b0e1f6892ee93c20ab8946117
url_paths: /rock/index.php

Extracted: redline
Botnet: lande
C2: 77.91.124.84:19071
auth_value: 9fa41701c47df37786234f3373f21208
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral5/files/0x0008000000023445-19.dat | healer
behavioral5/memory/4496-21-0x0000000000170000-0x000000000017A000-memory.dmp | healer

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a0410470.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a0410470.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a0410470.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a0410470.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a0410470.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a0410470.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral5/files/0x0007000000023440-43.dat | family_redline
behavioral5/memory/3780-45-0x0000000000CA0000-0x0000000000CD0000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | pdates.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | b0689294.exe

Executes dropped EXE (9 IoCs)
pid | Process
1016 | v1715175.exe
1812 | v5470627.exe
4496 | a0410470.exe
3056 | b0689294.exe
1240 | pdates.exe
4516 | c1053362.exe
2612 | pdates.exe
3780 | d7760520.exe
1820 | pdates.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a0410470.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v1715175.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5470627.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c1053362.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c1053362.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c1053362.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4056 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4496 | a0410470.exe
4496 | a0410470.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4496 | a0410470.exe

Suspicious use of WriteProcessMemory (44 IoCs)
description | pid | Process | procid_target
PID 2088 wrote to memory of 1016 | 2088 | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | 85
PID 2088 wrote to memory of 1016 | 2088 | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | 85
PID 2088 wrote to memory of 1016 | 2088 | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | 85
PID 1016 wrote to memory of 1812 | 1016 | v1715175.exe | 86
PID 1016 wrote to memory of 1812 | 1016 | v1715175.exe | 86
PID 1016 wrote to memory of 1812 | 1016 | v1715175.exe | 86
PID 1812 wrote to memory of 4496 | 1812 | v5470627.exe | 87
PID 1812 wrote to memory of 4496 | 1812 | v5470627.exe | 87
PID 1812 wrote to memory of 3056 | 1812 | v5470627.exe | 97
PID 1812 wrote to memory of 3056 | 1812 | v5470627.exe | 97
PID 1812 wrote to memory of 3056 | 1812 | v5470627.exe | 97
PID 3056 wrote to memory of 1240 | 3056 | b0689294.exe | 98
PID 3056 wrote to memory of 1240 | 3056 | b0689294.exe | 98
PID 3056 wrote to memory of 1240 | 3056 | b0689294.exe | 98
PID 1016 wrote to memory of 4516 | 1016 | v1715175.exe | 99
PID 1016 wrote to memory of 4516 | 1016 | v1715175.exe | 99
PID 1016 wrote to memory of 4516 | 1016 | v1715175.exe | 99
PID 1240 wrote to memory of 4056 | 1240 | pdates.exe | 100
PID 1240 wrote to memory of 4056 | 1240 | pdates.exe | 100
PID 1240 wrote to memory of 4056 | 1240 | pdates.exe | 100
PID 1240 wrote to memory of 2732 | 1240 | pdates.exe | 102
PID 1240 wrote to memory of 2732 | 1240 | pdates.exe | 102
PID 1240 wrote to memory of 2732 | 1240 | pdates.exe | 102
PID 2732 wrote to memory of 1688 | 2732 | cmd.exe | 104
PID 2732 wrote to memory of 1688 | 2732 | cmd.exe | 104
PID 2732 wrote to memory of 1688 | 2732 | cmd.exe | 104
PID 2732 wrote to memory of 1580 | 2732 | cmd.exe | 105
PID 2732 wrote to memory of 1580 | 2732 | cmd.exe | 105
PID 2732 wrote to memory of 1580 | 2732 | cmd.exe | 105
PID 2732 wrote to memory of 2232 | 2732 | cmd.exe | 106
PID 2732 wrote to memory of 2232 | 2732 | cmd.exe | 106
PID 2732 wrote to memory of 2232 | 2732 | cmd.exe | 106
PID 2732 wrote to memory of 1984 | 2732 | cmd.exe | 107
PID 2732 wrote to memory of 1984 | 2732 | cmd.exe | 107
PID 2732 wrote to memory of 1984 | 2732 | cmd.exe | 107
PID 2732 wrote to memory of 3280 | 2732 | cmd.exe | 108
PID 2732 wrote to memory of 3280 | 2732 | cmd.exe | 108
PID 2732 wrote to memory of 3280 | 2732 | cmd.exe | 108
PID 2732 wrote to memory of 1980 | 2732 | cmd.exe | 109
PID 2732 wrote to memory of 1980 | 2732 | cmd.exe | 109
PID 2732 wrote to memory of 1980 | 2732 | cmd.exe | 109
PID 2088 wrote to memory of 3780 | 2088 | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | 115
PID 2088 wrote to memory of 3780 | 2088 | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | 115
PID 2088 wrote to memory of 3780 | 2088 | 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe | 115
Processes (children indented under their parent)

2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe (PID 2088)
  path: C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"
  signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory

  v1715175.exe (PID 1016)
    path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
    signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

    v5470627.exe (PID 1812)
      path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
      signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory

      a0410470.exe (PID 4496)
        path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
        signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      b0689294.exe (PID 3056)
        path: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
        signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory

        pdates.exe (PID 1240)
          path: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
          signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory

          schtasks.exe (PID 4056)
            path: C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
            signatures: Creates scheduled task(s)

          cmd.exe (PID 2732)
            path: C:\Windows\SysWOW64\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
            signatures: Suspicious use of WriteProcessMemory

            cmd.exe (PID 1688)
              path: C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

            cacls.exe (PID 1580)
              path: C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "pdates.exe" /P "Admin:N"

            cacls.exe (PID 2232)
              path: C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "pdates.exe" /P "Admin:R" /E

            cmd.exe (PID 1984)
              path: C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

            cacls.exe (PID 3280)
              path: C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "..\925e7e99c5" /P "Admin:N"

            cacls.exe (PID 1980)
              path: C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "..\925e7e99c5" /P "Admin:R" /E

    c1053362.exe (PID 4516)
      path: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
      signatures: Executes dropped EXE; Checks SCSI registry key(s)

  d7760520.exe (PID 3780)
    path: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
    signatures: Executes dropped EXE

pdates.exe (PID 2612)
  path: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  signatures: Executes dropped EXE

pdates.exe (PID 1820)
  path: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1)
Downloads