Overview
overview
10Static
static
30b4bb67302...ca.exe
windows10-2004-x64
90f6ce02639...df.exe
windows10-2004-x64
101089300575...d7.exe
windows10-2004-x64
1010f472a1b5...37.exe
windows10-2004-x64
188abd9448...8c.exe
windows10-2004-x64
101b3c0e5797...06.exe
windows10-2004-x64
102590c6aee0...47.exe
windows7-x64
32590c6aee0...47.exe
windows10-2004-x64
102faa75c50b...6d.exe
windows7-x64
32faa75c50b...6d.exe
windows10-2004-x64
103bb8a790f7...4e.exe
windows7-x64
33bb8a790f7...4e.exe
windows10-2004-x64
103c35dfb6ea...cb.exe
windows10-2004-x64
103df74027fe...88.exe
windows10-2004-x64
1040fbde6d35...71.exe
windows10-2004-x64
106ade7d6ec7...80.exe
windows10-2004-x64
107abba1ebb5...9b.exe
windows7-x64
37abba1ebb5...9b.exe
windows10-2004-x64
10855fd4cf22...dc.exe
windows10-2004-x64
10a6d0e60e46...99.exe
windows10-2004-x64
10b46951fdb5...f7.exe
windows7-x64
3b46951fdb5...f7.exe
windows10-2004-x64
10bccb41d4cd...17.exe
windows10-2004-x64
10c726b1e0ec...ab.exe
windows10-2004-x64
10c8c3182273...54.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 18:05
Static task
static1
Behavioral task
behavioral1
Sample
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54.exe
Resource
win10v2004-20240426-en
General
-
Target
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe
-
Size
514KB
-
MD5
f7e21fe46471f2c2ed069aef315b7804
-
SHA1
dd6a5df8e71397f470e69c76f39d1c0cc9005028
-
SHA256
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199
-
SHA512
0a7019ce31cadd53d2bc8034ae4d07e94efd48240077da373c914b86e16a9395e55d53721c5ebd383fa2bae16ae0ab95f8091f1f779f031d7dacf208e2b41fd6
-
SSDEEP
12288:fMrLy90LKDglCRXwYt1wZvidrr2fIfvZVHex:MybklLYvOvqWIZI
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral20/files/0x0008000000023441-20.dat healer behavioral20/memory/1732-22-0x00000000009B0000-0x00000000009BA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a8862651.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a8862651.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a8862651.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a8862651.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a8862651.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a8862651.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral20/files/0x000700000002343b-42.dat family_redline behavioral20/memory/4608-44-0x0000000000C30000-0x0000000000C60000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation b8953925.exe Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation pdates.exe -
Executes dropped EXE 9 IoCs
pid Process 2672 v3586754.exe 224 v0583191.exe 1732 a8862651.exe 2068 b8953925.exe 2280 pdates.exe 2372 c7221463.exe 4608 d5562257.exe 2636 pdates.exe 3024 pdates.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8862651.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3586754.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v0583191.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7221463.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7221463.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c7221463.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4276 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1732 a8862651.exe 1732 a8862651.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1732 a8862651.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1196 wrote to memory of 2672 1196 a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe 84 PID 1196 wrote to memory of 2672 1196 a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe 84 PID 1196 wrote to memory of 2672 1196 a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe 84 PID 2672 wrote to memory of 224 2672 v3586754.exe 85 PID 2672 wrote to memory of 224 2672 v3586754.exe 85 PID 2672 wrote to memory of 224 2672 v3586754.exe 85 PID 224 wrote to memory of 1732 224 v0583191.exe 86 PID 224 wrote to memory of 1732 224 v0583191.exe 86 PID 224 wrote to memory of 2068 224 v0583191.exe 97 PID 224 wrote to memory of 2068 224 v0583191.exe 97 PID 224 wrote to memory of 2068 224 v0583191.exe 97 PID 2068 wrote to memory of 2280 2068 b8953925.exe 98 PID 2068 wrote to memory of 2280 2068 b8953925.exe 98 PID 2068 wrote to memory of 2280 2068 b8953925.exe 98 PID 2672 wrote to memory of 2372 2672 v3586754.exe 99 PID 2672 wrote to memory of 2372 2672 v3586754.exe 99 PID 2672 wrote to memory of 2372 2672 v3586754.exe 99 PID 2280 wrote to memory of 4276 2280 pdates.exe 100 PID 2280 wrote to memory of 4276 2280 pdates.exe 100 PID 2280 wrote to memory of 4276 2280 pdates.exe 100 PID 2280 wrote to memory of 4508 2280 pdates.exe 102 PID 2280 wrote to memory of 4508 2280 pdates.exe 102 PID 2280 wrote to memory of 4508 2280 pdates.exe 102 PID 4508 wrote to memory of 1052 4508 cmd.exe 104 PID 4508 wrote to memory of 1052 4508 cmd.exe 104 PID 4508 wrote to memory of 1052 4508 cmd.exe 104 PID 4508 wrote to memory of 848 4508 cmd.exe 105 PID 4508 wrote to memory of 848 4508 cmd.exe 105 PID 4508 wrote to memory of 848 4508 cmd.exe 105 PID 4508 wrote to memory of 4492 4508 cmd.exe 106 PID 4508 wrote to memory of 4492 4508 cmd.exe 106 PID 4508 wrote to memory of 4492 4508 cmd.exe 106 PID 4508 wrote to memory of 3452 4508 cmd.exe 107 PID 4508 wrote to memory of 3452 4508 cmd.exe 107 PID 4508 wrote to memory of 3452 4508 cmd.exe 107 PID 4508 wrote to memory of 3372 4508 cmd.exe 108 PID 4508 wrote to memory of 3372 4508 cmd.exe 108 PID 4508 wrote to memory of 3372 4508 cmd.exe 108 PID 4508 wrote to memory of 1996 4508 cmd.exe 109 PID 4508 wrote to memory of 1996 4508 cmd.exe 109 PID 4508 wrote to memory of 1996 4508 cmd.exe 109 PID 1196 wrote to memory of 4608 1196 a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe 114 PID 1196 wrote to memory of 4608 1196 a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe 114 PID 1196 wrote to memory of 4608 1196 a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe"C:\Users\Admin\AppData\Local\Temp\a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3586754.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3586754.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0583191.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0583191.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8862651.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8862651.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8953925.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8953925.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
PID:4276
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1052
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵PID:848
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵PID:4492
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:3452
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵PID:3372
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵PID:1996
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7221463.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7221463.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2372
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5562257.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5562257.exe2⤵
- Executes dropped EXE
PID:4608
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:2636
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:3024
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD5dd1b74d72e67cd28e02b713caa05cd7f
SHA102286dcf5d2539e63754bd5a56ee0953841afda8
SHA256562ee5ce9c7b451285a96cffe1f7428b556334bf295af063e6955d31f1eb4470
SHA512c8883f6fcd2673e48dee8503374833a4ec7fcf13cb42973c2fba691979f04992839642ceb16272ab6274edfe2aace8b5ac624679aaf57eed721b74ee752613f4
-
Filesize
359KB
MD5a98b1aee60c9293eabf6ba711aae5e96
SHA16573a0977e8cde85cf914e7e376eea4ca5668606
SHA2560e6d7f7ff55818ac5bf366f2e957793f82661203f1b7412ec047e41d38d1e854
SHA5128d31d93243f4873555a1a55433563fc3bf92936b38699485b926aa6a4beb28f1a1d6efda1b62294b1143128d3b13c80093fc56397fccef3c1e2d9fe9dd623bcb
-
Filesize
36KB
MD5a6d4c00a349bb3d0526f26bfe72c9bcd
SHA17cd634b68818146282dd8eb3294840ca2045f669
SHA2564769f9625dffff062609fbefc3dd946c173cff9b2eec343f8f9512e4300e0826
SHA512a0b89dcfae8d4072f3562a80eb1b83a31f3b7c22c37fdc77681bd010c9962a8e798210d46c6af110f66c47313d48afe27a220fecb45f4c42ca417f466602e4fb
-
Filesize
234KB
MD534cc0804c3666c5778836863e11ebde8
SHA15d5c4709f92cdafa8e45d6c1103db993d8572ed8
SHA256dd9a03ed05e0ebe313b7d9afe5ad05fc5f818989efa4bb335b47bf9acdfb5b42
SHA5126ad265aa04b181fc3f37290cab648801f4fabd3f47e647994dd4eea3aebfd61f756d1ce12110a21b4f41ba8a4b3216b0339732d410f963fde3758d1d4aed6002
-
Filesize
12KB
MD5e3f66fef21fa2c33ecb7ee8b38167083
SHA16bea6eaa6c71590aacd5a56b2393f8f8dec7aad9
SHA256d87bafa19ea183158a9651bfd9f5c0470d090809cad9016ab81ca87a98f09e43
SHA512b3d5e22e6ec85c589982f1e3423bfbe610be32bd5063de49a00595224b403bf32ca530f7b5e70d3286bee837b690d1c781e4fe35b58738897fe3a10249c92cd6
-
Filesize
225KB
MD5f1a07eabecfbbf04548b08631dbed1cf
SHA1b6e90a72e3aeaedeabd206065b36fde14f5bb939
SHA256398d014293a7a2412e7d5e0fdb08a97a1674ff1c5f5a6a46b8e4ee2e0869c2c0
SHA51256b1f02bc4c5e778095cafa6b4c5ad3150448278bffeabc900fd0b7e39a12462b2c571ebbf3201614df296378c062144d79e36e034f86377ff4b1d2cb31e80b4