Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 12:28
Static task: static1
Behavioral tasks
- behavioral1: Sample 1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe, Resource win10v2004-20240508-en
- behavioral2: Sample 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe, Resource win10v2004-20240508-en
- behavioral3: Sample 25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe, Resource win7-20240508-en
- behavioral4: Sample 25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe, Resource win10v2004-20240226-en
- behavioral5: Sample 3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1.exe, Resource win10v2004-20240508-en
- behavioral6: Sample 611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe, Resource win10v2004-20240508-en
- behavioral7: Sample 61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe, Resource win10v2004-20240508-en
- behavioral8: Sample 6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe, Resource win10v2004-20240508-en
- behavioral9: Sample 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe, Resource win7-20240508-en
- behavioral10: Sample 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe, Resource win10v2004-20240508-en
- behavioral11: Sample 7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe, Resource win10v2004-20240226-en
- behavioral12: Sample 7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe, Resource win10v2004-20240508-en
- behavioral13: Sample 8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe, Resource win10v2004-20240508-en
- behavioral14: Sample 9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe, Resource win10v2004-20240508-en
- behavioral15: Sample b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe, Resource win10v2004-20240508-en
- behavioral16: Sample b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b.exe, Resource win10v2004-20240508-en
- behavioral17: Sample ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe, Resource win10v2004-20240508-en
- behavioral18: Sample ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe, Resource win10v2004-20240508-en
- behavioral19: Sample be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343.exe, Resource win10v2004-20240508-en
- behavioral20: Sample c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe, Resource win10v2004-20240226-en
- behavioral21: Sample f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe, Resource win7-20240508-en
- behavioral22: Sample f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe, Resource win10v2004-20240508-en
- behavioral23: Sample fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe, Resource win10v2004-20240508-en
General
- Target: 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
- Size: 515KB
- MD5: 11c22c7a24b8f0576c3470af1561a6e9
- SHA1: 47ba63be9cdf137c5356465791cca7e8d26048f9
- SHA256: 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368
- SHA512: acef19e6e351f779b034509e7eeff3eedebae468702c75c6b3a6c844b9024c84dffd25e768a8214df451fb33d094f979ad458bd0ad80d1a25bc312338b4d071e
- SSDEEP: 12288:AMrpy90pbhdTlggxZzkUrC7pfy4NHWisj53QEEXOsM0:ZyGzlgrUGPWjhQR
Malware Config
Extracted
- Family: amadey
- Version: 3.85
- C2: http://77.91.68.3
- install_dir: 3ec1f323b5
- install_file: danke.exe
- strings_key: 827021be90f1e85ab27949ea7e9347e8
- url_paths: /home/love/index.php
Extracted
- Family: redline
- Botnet: news
- C2: 77.91.68.68:19071
- auth_value: 99ba2ffe8d72ebe9fdc7e758c94db148
Signatures
- Detects Healer, an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0008000000023433-20.dat | healer
  behavioral2/memory/2436-21-0x0000000000DB0000-0x0000000000DBA000-memory.dmp | healer
- Modifies Windows Defender Real-time Protection settings
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a5970039.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a5970039.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a5970039.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a5970039.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a5970039.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a5970039.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000700000002342e-43.dat | family_redline
  behavioral2/memory/540-45-0x00000000000D0000-0x0000000000100000-memory.dmp | family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | b4024066.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | danke.exe
- Executes dropped EXE (9 IoCs)
  pid | Process
  4608 | v5031831.exe
  3760 | v5473069.exe
  2436 | a5970039.exe
  2300 | b4024066.exe
  3756 | danke.exe
  3224 | c9593912.exe
  540 | d6125712.exe
  1184 | danke.exe
  1988 | danke.exe
- Windows security modification
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a5970039.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v5031831.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v5473069.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c9593912.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c9593912.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c9593912.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4504 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2436 | a5970039.exe
  2436 | a5970039.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2436 | a5970039.exe
- Suspicious use of WriteProcessMemory (44 IoCs)
  description | pid | Process | procid_target
  PID 4888 wrote to memory of 4608 | 4888 | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | 82
  PID 4888 wrote to memory of 4608 | 4888 | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | 82
  PID 4888 wrote to memory of 4608 | 4888 | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | 82
  PID 4608 wrote to memory of 3760 | 4608 | v5031831.exe | 83
  PID 4608 wrote to memory of 3760 | 4608 | v5031831.exe | 83
  PID 4608 wrote to memory of 3760 | 4608 | v5031831.exe | 83
  PID 3760 wrote to memory of 2436 | 3760 | v5473069.exe | 84
  PID 3760 wrote to memory of 2436 | 3760 | v5473069.exe | 84
  PID 3760 wrote to memory of 2300 | 3760 | v5473069.exe | 89
  PID 3760 wrote to memory of 2300 | 3760 | v5473069.exe | 89
  PID 3760 wrote to memory of 2300 | 3760 | v5473069.exe | 89
  PID 2300 wrote to memory of 3756 | 2300 | b4024066.exe | 90
  PID 2300 wrote to memory of 3756 | 2300 | b4024066.exe | 90
  PID 2300 wrote to memory of 3756 | 2300 | b4024066.exe | 90
  PID 4608 wrote to memory of 3224 | 4608 | v5031831.exe | 91
  PID 4608 wrote to memory of 3224 | 4608 | v5031831.exe | 91
  PID 4608 wrote to memory of 3224 | 4608 | v5031831.exe | 91
  PID 4888 wrote to memory of 540 | 4888 | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | 92
  PID 4888 wrote to memory of 540 | 4888 | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | 92
  PID 4888 wrote to memory of 540 | 4888 | 2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe | 92
  PID 3756 wrote to memory of 4504 | 3756 | danke.exe | 93
  PID 3756 wrote to memory of 4504 | 3756 | danke.exe | 93
  PID 3756 wrote to memory of 4504 | 3756 | danke.exe | 93
  PID 3756 wrote to memory of 676 | 3756 | danke.exe | 94
  PID 3756 wrote to memory of 676 | 3756 | danke.exe | 94
  PID 3756 wrote to memory of 676 | 3756 | danke.exe | 94
  PID 676 wrote to memory of 1192 | 676 | cmd.exe | 97
  PID 676 wrote to memory of 1192 | 676 | cmd.exe | 97
  PID 676 wrote to memory of 1192 | 676 | cmd.exe | 97
  PID 676 wrote to memory of 3240 | 676 | cmd.exe | 98
  PID 676 wrote to memory of 3240 | 676 | cmd.exe | 98
  PID 676 wrote to memory of 3240 | 676 | cmd.exe | 98
  PID 676 wrote to memory of 3112 | 676 | cmd.exe | 99
  PID 676 wrote to memory of 3112 | 676 | cmd.exe | 99
  PID 676 wrote to memory of 3112 | 676 | cmd.exe | 99
  PID 676 wrote to memory of 1828 | 676 | cmd.exe | 100
  PID 676 wrote to memory of 1828 | 676 | cmd.exe | 100
  PID 676 wrote to memory of 1828 | 676 | cmd.exe | 100
  PID 676 wrote to memory of 2472 | 676 | cmd.exe | 101
  PID 676 wrote to memory of 2472 | 676 | cmd.exe | 101
  PID 676 wrote to memory of 2472 | 676 | cmd.exe | 101
  PID 676 wrote to memory of 2480 | 676 | cmd.exe | 102
  PID 676 wrote to memory of 2480 | 676 | cmd.exe | 102
  PID 676 wrote to memory of 2480 | 676 | cmd.exe | 102
Processes (process tree; nesting shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4888
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4608
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 3760
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2436
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2300
        - C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 3756
          - C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            - Creates scheduled task(s)
            PID: 4504
          - C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            PID: 676
            - C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 1192
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "danke.exe" /P "Admin:N"
              PID: 3240
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "danke.exe" /P "Admin:R" /E
              PID: 3112
            - C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 1828
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\3ec1f323b5" /P "Admin:N"
              PID: 2472
            - C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\3ec1f323b5" /P "Admin:R" /E
              PID: 2480
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      PID: 3224
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
    - Executes dropped EXE
    PID: 540
- C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  - Executes dropped EXE
  PID: 1184
- C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
  - Executes dropped EXE
  PID: 1988
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads
- Filesize: 174KB
  MD5: 5857ee0726d73781a91d8e82eaa75062
  SHA1: 2af364ed6f7f7612b5c7fdff981d547d13518a1d
  SHA256: 9b96fd6fb35d86dbf485be9d03649a67f4e19ec2eacf97b63c1ff5f71495ecc7
  SHA512: 50468fa0a187a446ce3e58aaa2c59ec04f8df55a588a7ae75674976cff5acf1f3c92b27bbe431ebad7f8dbd0125d664f38bade9df34a7fb79c658c5ec27dceb2
- Filesize: 359KB
  MD5: 64914ff9bf5be388b673a4c159e81f0d
  SHA1: e50e480364a0efb07a0b3619a35706a338cec43d
  SHA256: d86e1af67ea1610cd582ea0dee48a2b98bc078d11b39de4f18e1df0e2b904d06
  SHA512: 073712b4a0aa9be3e81d83aa8ed42366e4962b767846172b0e1b33a784d75776c62b703b324a126334aac3b787ba4f94aa592752ca9c98f3c3691649f5177b49
- Filesize: 34KB
  MD5: 28b567d6d377880e6336770aa32966c6
  SHA1: 44e450e5488cd710318a62c30ecd3c2b0e5ce405
  SHA256: 970dc870f858c266ae0f4b8f2d1e8cdd971896b7ceba28f8edd18bd341b360b6
  SHA512: 1d7bbc36c404de957393268d1fba3a547b8a1b7535cc6f444bcba8393259e24db8144aeb85b2ca0de1e95196eba7d7693e35e2c7319886d42e5b6515b81bf7d5
- Filesize: 235KB
  MD5: 47c57a08974e981716c8ebc94e73cef6
  SHA1: f3a2cc808f85bb7fc40c1814e76cf7ecbc3e76eb
  SHA256: c42d18d5dcc41dd560469e1c68b7955501ec3b2545ee8322a1f7dde7d7a90ad8
  SHA512: b6f25499399d4d5738e9b103fe1438705700236656d9242a62194228c69eb70945066fd829191d50e2d8f59aed12cc2bbb5e8daa7961864d81ccb1b8bf7e27e4
- Filesize: 13KB
  MD5: b9f7307f3344963173587f481cf79702
  SHA1: d1771c11330d7f05b465837268f1993d16a50ef9
  SHA256: 3f1deb49ae3b7e8074b543490e6a24045c16a73102668c09729a4decb3260068
  SHA512: ef449c472223eddfd606b5035962564da2b3b47e46dd7bb796e8565f14349bc1edd9e716d4b288d65dda044d47f1ee527554d130f0de6b6cf4d78a1b2e0741f5
- Filesize: 230KB
  MD5: b4e48d49180a5de33de9a468850dd56d
  SHA1: a813b19d1b7ca147c0bf19394d85dbb5e68e2499
  SHA256: 848b8ac51ed5492cc8dbf0db13d11166b3f40984d335c441ad0370fa1c6efaf4
  SHA512: aeba44dbea2fd4d2cd72139e1f3a02be121237909bce8eef15fa36c66903bcae2231c0cb527e3aece354b50412a8ebae4dcce8898b66c1608a7643a45f49905f