Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
10-05-2024 14:40
Behavioral task
behavioral1
Sample
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
2590c6aee0971ee73ddf13b31120ab5a7a7268c588bc55a8fe221b203913c447.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
2a4e0bfefe7b6b2a94d46c408fe05d1682392c66666138b8b0c32e028bf15aad.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
30b28fbbc6f9f8aa27776aa07f15f77a8fe9829ca5ded9e75d26ca377674a46a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
45405e326148ce7f80326893b92fe8efe62819ee5465fdc13767a76472e21566.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
4daea23a41245608877f956cf37370e6533344758835349d21470fee22792f5a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
6568836094de3a32f9c325ced189bb981eb0cf8f4492e1b8b901ef52879c063d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
72a27ce3ad4f2daa863374d24914b9bdd41f5b34e08b440b9988fd847de7a3a5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
7ba9a3982314fb26523fd5988b2b520e3a32094566503b3706d39e88d9a9b35d.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
7f181e671ca7e88969b8dbb65e5906d2d04178a6bfb5756591ea3bc12c4809fc.exe
Resource
win7-20240221-en
Behavioral task
behavioral13
Sample
7f181e671ca7e88969b8dbb65e5906d2d04178a6bfb5756591ea3bc12c4809fc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
ae6ddd393a98c003c8da6717e815e71c83f5a3b75783ce55e2793d35c51a9ad7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
b2402bf5ca4c67871f6519e689231078532c147c35500668d062dec52e27e9fa.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
c39e49cedba79cf37944568e6b8975f59cf50c3ee02bad2cb56a9047b12fcee5.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
c39e49cedba79cf37944568e6b8975f59cf50c3ee02bad2cb56a9047b12fcee5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
cd321830f55d58d1391cb6f68bd887e31a7e1c0da19880caac02e0804afeb9bc.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
cfcca94dd6bef9e4222fd6347d090711d60251b7718a2a4955753cd95d8e9a6e.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral21
Sample
dfa156ac28a140cde5b62ac7d594d1000da526091fd584c8e8caa96c692a5bff.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral22
Sample
f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
f5d16598bff76b7aeece243b4478a48e666bbf1a2adb20f2684cefe2f7d06616.exe
Resource
win10v2004-20240508-en
General
-
Target
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
-
Size
514KB
-
MD5
ad9443ce5e431e8295fd202f57cf1d6d
-
SHA1
330ab81f8d5d8360f11e9e15f6829608c3ed666e
-
SHA256
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc
-
SHA512
d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb
-
SSDEEP
12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Signatures
-
Detects Healer, an antivirus-disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x00080000000233ea-19.dat healer behavioral1/memory/544-21-0x00000000005C0000-0x00000000005CA000-memory.dmp healer -
Modifies Windows Defender Real-time Protection settings 6 IoCs
Sets Windows Defender policy values that turn off real-time monitoring, on-access, behavior and IOAV protection.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a0410470.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a0410470.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a0410470.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a0410470.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a0410470.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a0410470.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x00070000000233e5-43.dat family_redline behavioral1/memory/3324-45-0x00000000006F0000-0x0000000000720000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely as a geofence check.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation b0689294.exe Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation pdates.exe -
Executes dropped EXE 9 IoCs
pid Process 2996 v1715175.exe 844 v5470627.exe 544 a0410470.exe 5020 b0689294.exe 2840 pdates.exe 1956 c1053362.exe 768 pdates.exe 3324 d7760520.exe 3996 pdates.exe -
Windows security modification 1 IoCs
Sets the Windows Defender TamperProtection feature value to 0.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a0410470.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v1715175.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v5470627.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c1053362.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c1053362.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c1053362.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4176 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 544 a0410470.exe 544 a0410470.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 544 a0410470.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 3032 wrote to memory of 2996 3032 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe 81 PID 3032 wrote to memory of 2996 3032 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe 81 PID 3032 wrote to memory of 2996 3032 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe 81 PID 2996 wrote to memory of 844 2996 v1715175.exe 82 PID 2996 wrote to memory of 844 2996 v1715175.exe 82 PID 2996 wrote to memory of 844 2996 v1715175.exe 82 PID 844 wrote to memory of 544 844 v5470627.exe 83 PID 844 wrote to memory of 544 844 v5470627.exe 83 PID 844 wrote to memory of 5020 844 v5470627.exe 86 PID 844 wrote to memory of 5020 844 v5470627.exe 86 PID 844 wrote to memory of 5020 844 v5470627.exe 86 PID 5020 wrote to memory of 2840 5020 b0689294.exe 87 PID 5020 wrote to memory of 2840 5020 b0689294.exe 87 PID 5020 wrote to memory of 2840 5020 b0689294.exe 87 PID 2996 wrote to memory of 1956 2996 v1715175.exe 88 PID 2996 wrote to memory of 1956 2996 v1715175.exe 88 PID 2996 wrote to memory of 1956 2996 v1715175.exe 88 PID 2840 wrote to memory of 4176 2840 pdates.exe 89 PID 2840 wrote to memory of 4176 2840 pdates.exe 89 PID 2840 wrote to memory of 4176 2840 pdates.exe 89 PID 2840 wrote to memory of 4832 2840 pdates.exe 91 PID 2840 wrote to memory of 4832 2840 pdates.exe 91 PID 2840 wrote to memory of 4832 2840 pdates.exe 91 PID 4832 wrote to memory of 5104 4832 cmd.exe 93 PID 4832 wrote to memory of 5104 4832 cmd.exe 93 PID 4832 wrote to memory of 5104 4832 cmd.exe 93 PID 4832 wrote to memory of 4512 4832 cmd.exe 94 PID 4832 wrote to memory of 4512 4832 cmd.exe 94 PID 4832 wrote to memory of 4512 4832 cmd.exe 94 PID 4832 wrote to memory of 2396 4832 cmd.exe 95 PID 4832 wrote to memory of 2396 4832 cmd.exe 95 PID 4832 wrote to memory of 2396 4832 cmd.exe 95 PID 4832 wrote to memory of 2420 4832 cmd.exe 96 PID 4832 wrote to memory of 2420 4832 cmd.exe 96 PID 4832 wrote to memory of 2420 4832 
cmd.exe 96 PID 4832 wrote to memory of 3304 4832 cmd.exe 97 PID 4832 wrote to memory of 3304 4832 cmd.exe 97 PID 4832 wrote to memory of 3304 4832 cmd.exe 97 PID 4832 wrote to memory of 4948 4832 cmd.exe 98 PID 4832 wrote to memory of 4948 4832 cmd.exe 98 PID 4832 wrote to memory of 4948 4832 cmd.exe 98 PID 3032 wrote to memory of 3324 3032 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe 102 PID 3032 wrote to memory of 3324 3032 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe 102 PID 3032 wrote to memory of 3324 3032 2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
PID:4176
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:5104
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵PID:4512
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵PID:2396
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:2420
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵PID:3304
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵PID:4948
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1956
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe2⤵
- Executes dropped EXE
PID:3324
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:768
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:3996
Network
-
Remote address: 8.8.8.8:53 Request: 8.8.8.8.in-addr.arpa IN PTR Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53 Request: 48.229.111.52.in-addr.arpa IN PTR Response:
-
Remote address: 8.8.8.8:53 Request: 122.10.44.20.in-addr.arpa IN PTR Response:
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 5
-
156 B 3
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
Downloads
-
Filesize
175KB
MD5 647971d0cadf19b3146ed9825e2e2791
SHA1 25435c9b63194809b1ddff2ea49f68336fa16673
SHA256 48b9794032771dfe78fc2c2b15e43e4b0a43143a6d6d5f3cea6e64dbcb976a76
SHA512 24aa9c1d3252a641cf4b4e74ba77d4fcf7a2d8023a71981ab514f0f9cc73bb387e54743dc2c4a17799b71608785292a0399e4c9a891479dcea18ad829b426b20
-
Filesize
359KB
MD5 061c406e23341bbcb1ff5e1801849cb3
SHA1 7ec3197388a3543dc54a754b526a21a74de567c3
SHA256 ae86041c8e819499d71e4c6acc7674c2aa2d49c8bcf4772c06fdcabc12acf52a
SHA512 176444ce621ff202d78fd397690322fa00d124b7ee51a6ef2cce205e5adc08205db4f4b30f866e8cb8132ef72e83462128cf4d124eeaf8c1d5992e5c18e98adb
-
Filesize
36KB
MD5 ce02f9d79dea88099619df5cb1312f35
SHA1 3c1679bf6d2ad4436f65458e679c66f79d6ae50f
SHA256 855b0ca776047364d7a3d31a44d746dd673f3d6435723e4a5093a1b757584f54
SHA512 6ace95a26369b298fe1b9cefdccea26cb2253a11c829836a51b47b9218fa291586aa6ebb652830d44c0a97b7d1e2caac43a93cad02c5182be21d537322db555d
-
Filesize
234KB
MD5 76dddeb11de090d98b3d9edc3df979fe
SHA1 1400ec7994433f280da5b1d84c12d62d8c19702c
SHA256 e13221cfa4276e8a340f3f13212b1fef45770843a843192a8387bbd99143938f
SHA512 35384efa7caf27758daeb5d6f9a3f84c422116b77abed1e0bb0e978366cadaf2fc0d7fe15b1bb98bfe398c1eab3fb32eb9e3e1a582f5097a6779b4e2ab80f9c5
-
Filesize
13KB
MD5 3a21e5d379f54add2172d6948ca4e597
SHA1 f2480642965b7c7a804ad8c62d7a623a815b1b02
SHA256 2db95b60ef54ddb759464792be2f8a007214003a75cbca2de2a12f6d512900d8
SHA512 010b8ac0ec852bbdc5e14f7409fecc81451c197281c1aff63df0acc98f46628151ce2dfabde6bde01e3c1e6b3c031637efee72edd44365afa78bafeaf63dda19
-
Filesize
225KB
MD5 4dcc519d9075200e24e18d1eb479b00e
SHA1 93a9cd97d0d7c6c98903391297530577e1228451
SHA256 503f3735fdd75fa98e846ffc940735d1bc0f8c89c60de01dbcb852432d37e834
SHA512 b1494415d70a3bfbabbd26361b68858c3c785121ec49b6c054e0487c5bb1dac33e8e8c0cc404b39b598b4b8458c48795ff9efab1d0bf60dabe50ba41bd6f8423