Overview
overview
10Static
static
30b4bb67302...ca.exe
windows10-2004-x64
90f6ce02639...df.exe
windows10-2004-x64
101089300575...d7.exe
windows10-2004-x64
1010f472a1b5...37.exe
windows10-2004-x64
188abd9448...8c.exe
windows10-2004-x64
101b3c0e5797...06.exe
windows10-2004-x64
102590c6aee0...47.exe
windows7-x64
32590c6aee0...47.exe
windows10-2004-x64
102faa75c50b...6d.exe
windows7-x64
32faa75c50b...6d.exe
windows10-2004-x64
103bb8a790f7...4e.exe
windows7-x64
33bb8a790f7...4e.exe
windows10-2004-x64
103c35dfb6ea...cb.exe
windows10-2004-x64
103df74027fe...88.exe
windows10-2004-x64
1040fbde6d35...71.exe
windows10-2004-x64
106ade7d6ec7...80.exe
windows10-2004-x64
107abba1ebb5...9b.exe
windows7-x64
37abba1ebb5...9b.exe
windows10-2004-x64
10855fd4cf22...dc.exe
windows10-2004-x64
10a6d0e60e46...99.exe
windows10-2004-x64
10b46951fdb5...f7.exe
windows7-x64
3b46951fdb5...f7.exe
windows10-2004-x64
10bccb41d4cd...17.exe
windows10-2004-x64
10c726b1e0ec...ab.exe
windows10-2004-x64
10c8c3182273...54.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 18:05
Static task
static1
Behavioral task
behavioral1
Sample
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54.exe
Resource
win10v2004-20240426-en
General
-
Target
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
-
Size
514KB
-
MD5
eeed819879e60a78356884c79cc1176d
-
SHA1
73182a6228fb1978bb85b750939e58083733dae4
-
SHA256
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb
-
SHA512
ec81ffafd04adfeb3849df9b2fc7f501b652124b0d3d40c2adef0f53a95fa17385a955ddc5f6598893572ae8e3a067cc80f7ae5a2600f5ce1514395b7e83a8bf
-
SSDEEP
12288:gMrDy90VStL+T5sUZjdKCjNhbdg9f23ulFmoU61Z/d0Z/+mxQz:zyAcIHH5r4rmj4W+m0
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral13/files/0x0008000000023439-19.dat healer behavioral13/memory/4412-22-0x0000000000BB0000-0x0000000000BBA000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a4363599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4363599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4363599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4363599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4363599.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4363599.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral13/files/0x0007000000023433-41.dat family_redline behavioral13/memory/5036-44-0x0000000000030000-0x0000000000060000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation b6605019.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation pdates.exe -
Executes dropped EXE 9 IoCs
pid Process 4752 v3816692.exe 4800 v6658097.exe 4412 a4363599.exe 4960 b6605019.exe 4528 pdates.exe 4764 c6160134.exe 5036 d2143977.exe 60 pdates.exe 1068 pdates.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4363599.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6658097.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3816692.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c6160134.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c6160134.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c6160134.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2128 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4412 a4363599.exe 4412 a4363599.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4412 a4363599.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 3328 wrote to memory of 4752 3328 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe 84 PID 3328 wrote to memory of 4752 3328 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe 84 PID 3328 wrote to memory of 4752 3328 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe 84 PID 4752 wrote to memory of 4800 4752 v3816692.exe 85 PID 4752 wrote to memory of 4800 4752 v3816692.exe 85 PID 4752 wrote to memory of 4800 4752 v3816692.exe 85 PID 4800 wrote to memory of 4412 4800 v6658097.exe 86 PID 4800 wrote to memory of 4412 4800 v6658097.exe 86 PID 4800 wrote to memory of 4960 4800 v6658097.exe 91 PID 4800 wrote to memory of 4960 4800 v6658097.exe 91 PID 4800 wrote to memory of 4960 4800 v6658097.exe 91 PID 4960 wrote to memory of 4528 4960 b6605019.exe 92 PID 4960 wrote to memory of 4528 4960 b6605019.exe 92 PID 4960 wrote to memory of 4528 4960 b6605019.exe 92 PID 4752 wrote to memory of 4764 4752 v3816692.exe 93 PID 4752 wrote to memory of 4764 4752 v3816692.exe 93 PID 4752 wrote to memory of 4764 4752 v3816692.exe 93 PID 4528 wrote to memory of 2128 4528 pdates.exe 94 PID 4528 wrote to memory of 2128 4528 pdates.exe 94 PID 4528 wrote to memory of 2128 4528 pdates.exe 94 PID 4528 wrote to memory of 1036 4528 pdates.exe 96 PID 4528 wrote to memory of 1036 4528 pdates.exe 96 PID 4528 wrote to memory of 1036 4528 pdates.exe 96 PID 1036 wrote to memory of 1264 1036 cmd.exe 98 PID 1036 wrote to memory of 1264 1036 cmd.exe 98 PID 1036 wrote to memory of 1264 1036 cmd.exe 98 PID 1036 wrote to memory of 5072 1036 cmd.exe 99 PID 1036 wrote to memory of 5072 1036 cmd.exe 99 PID 1036 wrote to memory of 5072 1036 cmd.exe 99 PID 1036 wrote to memory of 3380 1036 cmd.exe 100 PID 1036 wrote to memory of 3380 1036 cmd.exe 100 PID 1036 wrote to memory of 3380 1036 cmd.exe 100 PID 1036 wrote to memory of 1912 1036 cmd.exe 101 PID 1036 wrote to memory of 1912 1036 cmd.exe 101 PID 1036 wrote to memory of 1912 1036 cmd.exe 101 PID 1036 wrote to memory of 5040 1036 cmd.exe 102 PID 1036 wrote to memory of 5040 1036 cmd.exe 102 PID 1036 wrote to memory of 5040 1036 cmd.exe 102 PID 1036 wrote to memory of 1436 1036 cmd.exe 103 PID 1036 wrote to memory of 1436 1036 cmd.exe 103 PID 1036 wrote to memory of 1436 1036 cmd.exe 103 PID 3328 wrote to memory of 5036 3328 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe 106 PID 3328 wrote to memory of 5036 3328 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe 106 PID 3328 wrote to memory of 5036 3328 3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe"C:\Users\Admin\AppData\Local\Temp\3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3816692.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3816692.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6658097.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6658097.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4363599.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4363599.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6605019.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6605019.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
PID:2128
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1264
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵PID:5072
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵PID:3380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1912
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵PID:5040
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵PID:1436
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6160134.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6160134.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4764
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2143977.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d2143977.exe2⤵
- Executes dropped EXE
PID:5036
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:60
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:1068
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD5be04131e5c943ce76c2d7847eaef95fb
SHA1c666d45e6e783b1cb17db34ee9af1f617eb619f0
SHA25607213b72374699180e7103779b2cba5f6dabf50cabb5ef1a81b4b8dd83eb0d22
SHA512da4540c962c0927eac1e87edd3d26e86f75f4c35c500af831500db016428ac7ddd1c9d5e21d8862573e65ff0f62e2f036dc3e71acb40e389c69a29dbc554d1a6
-
Filesize
359KB
MD5ab84a7fef0caeb68f511121cbc9ffae1
SHA1cd0a9c0596113087560401ecbca21b1f5f55b4d8
SHA2567a30bd87b7a7d682da38acb034023d1f204b4f74ced6d72785d5d382bb37eb93
SHA512e58c78744fdd86c499321f298f1ac268bd88c609b2d5137f969cc03d91abca6dfe5b05d74d02cfe285c137ac4133920f97accda01590ccf85fd1b12a69668983
-
Filesize
36KB
MD5996c24a00b8e77f5c4663d51deba3a6c
SHA1d264d4d0a9cde9e8a45a894dc192f13f67a0e1c9
SHA256f5a90f1e21d5d790f3439f0837a9b3b30ce40a643c8526e4123b66f2272c89c8
SHA5127c81a60cb5bd634ec674e3ac0dd524381de2dd04e7cf94ca9161e825413c97ef4cac28737ba1fcfc0ce552ce808a40d21d1b48991781b841d44c6f1dbfc0223a
-
Filesize
234KB
MD53ebcea8b46533e3d8c377ee900c9b9d1
SHA17d256d4b11b3ff3cbd1f39e9b7bc6e4127d7bd73
SHA256da464857a6799d31b068fe355271ad32b20afa56197d19ca46c5bc52430ddade
SHA512f03a1e3a28bb4e0f67a10e1edb334cca46c14f07567b4ba3e197266474f9b8d866b2c72001afcb38ecb0c6a7415ea252a8379b6c5d4d0f3592cd980d6105f7dc
-
Filesize
13KB
MD53812aad89facf3b8621bff1de3c7f37e
SHA1db31b1c5ac5a9d9348a1b995020fe1409f15702c
SHA25633333db88c1e465ddaf2bede26cb9425688f0734af3f1ee5062d66e0245a5cf4
SHA512658e7dbf03e480cb9def3b78ab64dc5d4b8ad8ae593e1c4162264bf7da5fccd6a3229ec7c2cb30ab2323fc6c3ad6eb39ae716a6d8ce33b506e16a4147dcd133a
-
Filesize
225KB
MD514e80394c417efeead794dbdf18d49f3
SHA1bbc5ccc061429163cf9be2b7894ec9e5df62ffae
SHA2564195e63b8247e1d77e22e8669cc0afb64658c6681d43c3a735fec73311eee837
SHA5126b28a7dd61f5cdc71f59a7c235621a50566583fce75e6493148c2a2f143ecbfc6c5fdd7a64066598fdb4d4945cf9c14569612cc7949a9911f8b3bb126ba1221f