Overview
overview
10Static
static
30b4bb67302...ca.exe
windows10-2004-x64
90f6ce02639...df.exe
windows10-2004-x64
101089300575...d7.exe
windows10-2004-x64
1010f472a1b5...37.exe
windows10-2004-x64
188abd9448...8c.exe
windows10-2004-x64
101b3c0e5797...06.exe
windows10-2004-x64
102590c6aee0...47.exe
windows7-x64
32590c6aee0...47.exe
windows10-2004-x64
102faa75c50b...6d.exe
windows7-x64
32faa75c50b...6d.exe
windows10-2004-x64
103bb8a790f7...4e.exe
windows7-x64
33bb8a790f7...4e.exe
windows10-2004-x64
103c35dfb6ea...cb.exe
windows10-2004-x64
103df74027fe...88.exe
windows10-2004-x64
1040fbde6d35...71.exe
windows10-2004-x64
106ade7d6ec7...80.exe
windows10-2004-x64
107abba1ebb5...9b.exe
windows7-x64
37abba1ebb5...9b.exe
windows10-2004-x64
10855fd4cf22...dc.exe
windows10-2004-x64
10a6d0e60e46...99.exe
windows10-2004-x64
10b46951fdb5...f7.exe
windows7-x64
3b46951fdb5...f7.exe
windows10-2004-x64
10bccb41d4cd...17.exe
windows10-2004-x64
10c726b1e0ec...ab.exe
windows10-2004-x64
10c8c3182273...54.exe
windows10-2004-x64
10Analysis
-
max time kernel
143s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 18:05
Static task
static1
Behavioral task
behavioral1
Sample
0b4bb67302386646ed679bf7dbfd9e44d9c5eb985f2c043ef415113edb2b2eca.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
0f6ce02639d4d4caede8c3432a529ff995f9d50cbfec335bbe9dc19b8f5c9ddf.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
10893005755e760cedfd88c67f168c3e2f1e26fafad63a929c1e953e718f49d7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
10f472a1b5799a09ae60fd901a10125c8eed6220bdbed49cfa301962e7972837.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
1b3c0e579787bcef84732f5265ff9b365cdc639dfb3b301ffbfb808167567506.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win7-20240220-en
Behavioral task
behavioral8
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
2faa75c50b323133e8cbf507e6a3a4846097090d2e2c1a5afb174f798ee42a6d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
3bb8a790f7feb85fb0d0f7d2087ce3d7e4eb5577393162c735eec885b66a044e.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
3c35dfb6ea626f1c886ef4aa2783e8564f7331e639f222d5e208b3a6840a2bcb.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
3df74027fece0dd6e6c9f46260e3c886ecbcfd4dce43ac64a90f1211d78fe588.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
40fbde6d35302d77db924d8a4db6569c23336d9205e82f12a82228cc100edb71.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
6ade7d6ec7a6381185b43d64ae2429ee9c4ee1ccf584c5bfe5887d96d03e3680.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b.exe
Resource
win7-20240220-en
Behavioral task
behavioral18
Sample
7abba1ebb59dafe06cecf717ad708d5d5e873cb2cd6cfa536b3cf5eef782c19b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
855fd4cf224283ecfadcbbde8f8bda52096a389946f6890fa83b09e26cea10dc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
b46951fdb517d60cd2516aa317646c027a36d6b4e159c8d97dea70549b3b00f7.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
bccb41d4cd07f22dc7128aa361e7b2b43320ef072e11627fd143b376cdee0817.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral24
Sample
c726b1e0ec6fea88dec580a790bb738a4976fe2f076a838067ec66bc403054ab.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
c8c3182273e1f34a2e9b4a2afb39aa5e5fa9ae93368dd9487b95f7ca43f17d54.exe
Resource
win10v2004-20240426-en
General
-
Target
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe
-
Size
390KB
-
MD5
f8cfb1df4bcb4f9f8b7b9d0708e16d69
-
SHA1
93755a42eacd228ef291a3136a1394593c678faa
-
SHA256
188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c
-
SHA512
12b8522f261a7e3d0b91a41cfbf93b80bd10ffde1f8b53c548e8aafcca765cd92f511b71d05a298b7712e9f30b3cf81eced8ffe73ebee48b3230d5402cdf3f68
-
SSDEEP
6144:KQy+bnr+lp0yN90QE4JX36Yol3tvc630ZEnOOZ38ow6db8IEw2+ogF1AmoTMJrTH:0MrFy9003obIE3dwooI+c1AlTM0Mq8X
Malware Config
Extracted
amadey
3.86
http://5.42.92.67
-
install_dir
ebb444342c
-
install_file
legola.exe
-
strings_key
5680b049188ecacbfa57b1b29c2f35a7
-
url_paths
/norm/index.php
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral5/files/0x0008000000023624-12.dat healer behavioral5/memory/1924-15-0x0000000000940000-0x000000000094A000-memory.dmp healer -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection p6024513.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" p6024513.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" p6024513.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" p6024513.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" p6024513.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" p6024513.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral5/files/0x0007000000023622-31.dat family_redline behavioral5/memory/928-33-0x0000000000290000-0x00000000002C0000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation r3281945.exe Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation legola.exe -
Executes dropped EXE 7 IoCs
pid Process 396 z8834784.exe 1924 p6024513.exe 2772 r3281945.exe 2148 legola.exe 928 t4703666.exe 968 legola.exe 4160 legola.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p6024513.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z8834784.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2164 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1924 p6024513.exe 1924 p6024513.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1924 p6024513.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4196 wrote to memory of 396 4196 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe 89 PID 4196 wrote to memory of 396 4196 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe 89 PID 4196 wrote to memory of 396 4196 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe 89 PID 396 wrote to memory of 1924 396 z8834784.exe 91 PID 396 wrote to memory of 1924 396 z8834784.exe 91 PID 396 wrote to memory of 2772 396 z8834784.exe 98 PID 396 wrote to memory of 2772 396 z8834784.exe 98 PID 396 wrote to memory of 2772 396 z8834784.exe 98 PID 2772 wrote to memory of 2148 2772 r3281945.exe 99 PID 2772 wrote to memory of 2148 2772 r3281945.exe 99 PID 2772 wrote to memory of 2148 2772 r3281945.exe 99 PID 4196 wrote to memory of 928 4196 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe 100 PID 4196 wrote to memory of 928 4196 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe 100 PID 4196 wrote to memory of 928 4196 188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe 100 PID 2148 wrote to memory of 2164 2148 legola.exe 101 PID 2148 wrote to memory of 2164 2148 legola.exe 101 PID 2148 wrote to memory of 2164 2148 legola.exe 101 PID 2148 wrote to memory of 868 2148 legola.exe 102 PID 2148 wrote to memory of 868 2148 legola.exe 102 PID 2148 wrote to memory of 868 2148 legola.exe 102 PID 868 wrote to memory of 4492 868 cmd.exe 105 PID 868 wrote to memory of 4492 868 cmd.exe 105 PID 868 wrote to memory of 4492 868 cmd.exe 105 PID 868 wrote to memory of 4728 868 cmd.exe 106 PID 868 wrote to memory of 4728 868 cmd.exe 106 PID 868 wrote to memory of 4728 868 cmd.exe 106 PID 868 wrote to memory of 824 868 cmd.exe 107 PID 868 wrote to memory of 824 868 cmd.exe 107 PID 868 wrote to memory of 824 868 cmd.exe 107 PID 868 wrote to memory of 1604 868 cmd.exe 108 PID 868 wrote to memory of 1604 868 cmd.exe 108 PID 868 wrote to memory of 1604 868 cmd.exe 108 PID 868 wrote to memory of 740 868 cmd.exe 109 PID 868 wrote to memory of 740 868 cmd.exe 109 PID 868 wrote to memory of 740 868 cmd.exe 109 PID 868 wrote to memory of 3176 868 cmd.exe 110 PID 868 wrote to memory of 3176 868 cmd.exe 110 PID 868 wrote to memory of 3176 868 cmd.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe"C:\Users\Admin\AppData\Local\Temp\188abd944862b0218c2c1eb1ca15b896c802801a2127e4abb847bc5ba1a2eb8c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8834784.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8834784.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6024513.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6024513.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3281945.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3281945.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F5⤵
- Creates scheduled task(s)
PID:2164
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4492
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legola.exe" /P "Admin:N"6⤵PID:4728
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legola.exe" /P "Admin:R" /E6⤵PID:824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:1604
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\ebb444342c" /P "Admin:N"6⤵PID:740
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\ebb444342c" /P "Admin:R" /E6⤵PID:3176
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4703666.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4703666.exe2⤵
- Executes dropped EXE
PID:928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:81⤵PID:1324
-
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exeC:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe1⤵
- Executes dropped EXE
PID:968
-
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exeC:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe1⤵
- Executes dropped EXE
PID:4160
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD592896756339664edd69e086829234514
SHA1b3b9f861a5fa36bb344d5c52391d3ff0cae9de5b
SHA256dfce1ccb0f6ba325e07ab39dd9280e2610f4adfe1857583df952671a4448e6be
SHA51247808b5c0c81769d29786a7cb30838261d7eaa9173f9f945d69f00a70b426afde307756d26c1eeea3688f6ea0076c703e0be1b2040f18199fd0b7466ab979b25
-
Filesize
234KB
MD5fabbcd6d7c76d9310107813b06225a8d
SHA10e797be42bb783a6c897d9ea7c0f16c897eb33a3
SHA25695a6babc911300f9cebcbb8bd2cfabb550b74da7e6098500aa8bbf8b6a29bcf4
SHA512a4ec410d28a284002f113abec2f7e46d7c27acca834e73a74f4b259ec4d7cc23da54d6ca8fd01ad9b5d693579a916654612f8da6c582c6ab496a99cb9c382091
-
Filesize
11KB
MD58049e71888ff041f4fa1afce82cc1dd6
SHA1057a9a55a81dae9428d7023f11dabfb2d2b8095f
SHA256479076695d105e53b0116565376c01af1a216c2f4a62389f9eef696b78c0dda6
SHA512570b943be0eee0482f7af50a617b9e5978b3c578c24acf79c1c88297389949c98c8e1afed6a7e8513899cb5986c3700d79332170bba712a771ce739191acbebb
-
Filesize
223KB
MD5ce6eb063a96f68056943450f2cb130bd
SHA1aa9b744dc8e5bf692babe6251a8e576841884cc8
SHA2561dfb1add3b793558718e67479b5765bdaab5eb23fe5395e1ad75a263cc2fbf8f
SHA512d78670ff1bc408ad96dcff1f357859167aaec9b01666e238643c1a799e368a791d617de78784d880120d56600e31ababb9aa8810f5cb7dc5e57e0686bbf0a554