Overview
overview
10Static
static
300dc3a43dd...78.exe
windows10-2004-x64
10061669c83b...c0.exe
windows10-2004-x64
100cc30df7f6...35.exe
windows10-2004-x64
101b26ae68f4...45.exe
windows10-2004-x64
103b9256f691...90.exe
windows7-x64
33b9256f691...90.exe
windows10-2004-x64
103ddd80ba69...8c.exe
windows7-x64
33ddd80ba69...8c.exe
windows10-2004-x64
103ff55c48fd...c7.exe
windows10-2004-x64
1050be51fdd5...4b.exe
windows10-2004-x64
10565e580e21...f4.exe
windows7-x64
1565e580e21...f4.exe
windows10-2004-x64
15f157bb7f5...80.exe
windows10-2004-x64
106c066f3c43...19.exe
windows10-2004-x64
108355a17b5f...ac.exe
windows10-2004-x64
109a3f5d3f84...b2.exe
windows10-2004-x64
10ae66f2f071...07.exe
windows10-2004-x64
10b0fef95ff5...7c.exe
windows10-2004-x64
10b11b1b57a3...06.exe
windows10-2004-x64
10cd9de412cd...04.exe
windows7-x64
10cd9de412cd...04.exe
windows10-2004-x64
10db84115968...f3.exe
windows10-2004-x64
10dce60a71ca...cc.exe
windows10-2004-x64
f5bf417643...17.exe
windows7-x64
3f5bf417643...17.exe
windows10-2004-x64
10Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 15:13
Static task
static1
Behavioral task
behavioral1
Sample
00dc3a43dda255a61bd370ebbf0fc0431112da3c176a205489b4a2113c396878.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
061669c83be149e85a977dfd41981b6115bf335e8f5bf4a2c696247dbf3999c0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
0cc30df7f6ff94fab7858c7361a84798ffe5198fda1df8e7320f4e14124fd535.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
1b26ae68f4d9a6a0bfd1a8c92489c6dcdb1a4e6ca483442c2b307329cdfb9345.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
3b9256f691d67ac85ae3172971e615fc85a2927279e384650e0e5d73e6201d90.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
3ddd80ba692516ca1977cdf6eb25ad59de7b9e87f447a412e2468a77ad1bbd8c.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
3ff55c48fddf370349ae0853c3e33d313791cbfb7239e43b70ad977035a132c7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
50be51fdd59dbf4ac078600bca6c8481f0e5baf0010085e6e0ce8d763e87da4b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
565e580e2113d8503456c9416021bb7200f7fedadd8020c6d19340c32be7e1f4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral14
Sample
6c066f3c43054e87d83f1b9983162f080d1fb4f01c5d81ac389dad5406dc5119.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
8355a17b5fec607c779bf1f01bc6596fc82dd876042977ec7aba895db3f1faac.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
9a3f5d3f84858840f8bdd8879b66a6c1ccb772e507f7f09dfe1c5a88e2d33db2.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
b0fef95ff5abebcb9510c61f55646bd6731822877d3e350e98dcbd957727547c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
b11b1b57a3bb5f7ea58bd5b191ab3813432fcc41e7f4e321fa61b848d8c86606.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
cd9de412cda28c677351594338bc352dbcafb8652328624f624263b71bac3604.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
dce60a71ca88a61a579b58be67a969e9f1f6620feaff4c7102883b680d0162cc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
f5bf4176434a177447cba0b0c44a2aa84c6964ac958276a5f3d28429824e6a17.exe
Resource
win7-20231129-en
General
-
Target
ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe
-
Size
390KB
-
MD5
bb002c60488c5ef7e62f582fbc73646f
-
SHA1
0e67525e9d135927871ab92f6db6dd936b7e1b92
-
SHA256
ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707
-
SHA512
73d5f57444de77b0e4d52d9bb18dc58c3e715a69669412ada51dc7e978a1890db92f8257e014f3b774c2e25b9bb41bb175ed992e807a4c1afea6aa5944bebc74
-
SSDEEP
6144:KNy+bnr+zp0yN90QE79p5+F4wAg0rKWKc5Fu048imlYLPrB:rMr3y90NQ4KCHKPolYLPrB
Malware Config
Extracted
amadey
3.86
http://5.42.92.67
-
install_dir
ebb444342c
-
install_file
legola.exe
-
strings_key
5680b049188ecacbfa57b1b29c2f35a7
-
url_paths
/norm/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral17/files/0x0008000000023436-13.dat healer behavioral17/memory/3196-14-0x0000000000780000-0x000000000078A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" p8160324.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" p8160324.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" p8160324.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection p8160324.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" p8160324.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" p8160324.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral17/files/0x0007000000023434-31.dat family_redline behavioral17/memory/1928-33-0x0000000000CD0000-0x0000000000D00000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation legola.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation r7057128.exe -
Executes dropped EXE 7 IoCs
pid Process 1944 z4575459.exe 3196 p8160324.exe 624 r7057128.exe 2052 legola.exe 1928 t4774635.exe 3220 legola.exe 2672 legola.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" p8160324.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" z4575459.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 852 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3196 p8160324.exe 3196 p8160324.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3196 p8160324.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4924 wrote to memory of 1944 4924 ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe 83 PID 4924 wrote to memory of 1944 4924 ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe 83 PID 4924 wrote to memory of 1944 4924 ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe 83 PID 1944 wrote to memory of 3196 1944 z4575459.exe 85 PID 1944 wrote to memory of 3196 1944 z4575459.exe 85 PID 1944 wrote to memory of 624 1944 z4575459.exe 89 PID 1944 wrote to memory of 624 1944 z4575459.exe 89 PID 1944 wrote to memory of 624 1944 z4575459.exe 89 PID 624 wrote to memory of 2052 624 r7057128.exe 90 PID 624 wrote to memory of 2052 624 r7057128.exe 90 PID 624 wrote to memory of 2052 624 r7057128.exe 90 PID 4924 wrote to memory of 1928 4924 ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe 91 PID 4924 wrote to memory of 1928 4924 ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe 91 PID 4924 wrote to memory of 1928 4924 ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe 91 PID 2052 wrote to memory of 852 2052 legola.exe 92 PID 2052 wrote to memory of 852 2052 legola.exe 92 PID 2052 wrote to memory of 852 2052 legola.exe 92 PID 2052 wrote to memory of 3440 2052 legola.exe 93 PID 2052 wrote to memory of 3440 2052 legola.exe 93 PID 2052 wrote to memory of 3440 2052 legola.exe 93 PID 3440 wrote to memory of 4184 3440 cmd.exe 96 PID 3440 wrote to memory of 4184 3440 cmd.exe 96 PID 3440 wrote to memory of 4184 3440 cmd.exe 96 PID 3440 wrote to memory of 5088 3440 cmd.exe 97 PID 3440 wrote to memory of 5088 3440 cmd.exe 97 PID 3440 wrote to memory of 5088 3440 cmd.exe 97 PID 3440 wrote to memory of 324 3440 cmd.exe 98 PID 3440 wrote to memory of 324 3440 cmd.exe 98 PID 3440 wrote to memory of 324 3440 cmd.exe 98 PID 3440 wrote to memory of 4072 3440 cmd.exe 99 PID 3440 wrote to memory of 4072 3440 cmd.exe 99 PID 3440 wrote to memory of 4072 3440 cmd.exe 99 PID 3440 wrote to memory of 4032 3440 cmd.exe 100 PID 3440 wrote to memory of 4032 3440 cmd.exe 100 PID 3440 wrote to memory of 4032 3440 cmd.exe 100 PID 3440 wrote to memory of 4300 3440 cmd.exe 101 PID 3440 wrote to memory of 4300 3440 cmd.exe 101 PID 3440 wrote to memory of 4300 3440 cmd.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe"C:\Users\Admin\AppData\Local\Temp\ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4575459.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4575459.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8160324.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8160324.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3196
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7057128.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7057128.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F5⤵
- Creates scheduled task(s)
PID:852
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4184
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legola.exe" /P "Admin:N"6⤵PID:5088
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legola.exe" /P "Admin:R" /E6⤵PID:324
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4072
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\ebb444342c" /P "Admin:N"6⤵PID:4032
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\ebb444342c" /P "Admin:R" /E6⤵PID:4300
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4774635.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4774635.exe2⤵
- Executes dropped EXE
PID:1928
-
-
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exeC:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe1⤵
- Executes dropped EXE
PID:3220
-
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exeC:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe1⤵
- Executes dropped EXE
PID:2672
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD5a286f244579be57765882ea235a52ffe
SHA1183bc33000f31407601c78381178d6ed4a760a2b
SHA2562b26e1de50aa576e5fe5d4ae2226b82f388722cc467ece0443cfa91aa5008185
SHA5129d084800d3551fbc9360ac6298baac3d33286a23d27ac84a1a9ee35f6cc0252a1d7c56ffe6e090eccd1a944656e80b3201d1a358796217cdca9961ad4497cc3f
-
Filesize
234KB
MD50fcf9bd4753b93185be2b31f52161be6
SHA121bae7d8090d81e8d411bc12cdac0b5f7476b5e2
SHA25660769b17ad4bb4c6b3e44a8f222ca21f33b6167fe61ffd06e148a0d0235ab596
SHA512a8415967a72b9012cd09822aeb9280e396704637a3298738c8b1093c9f552357c04bef3760fe62e7471539357cf41653f64d6f58559f918d8ed2d28494c67f9c
-
Filesize
13KB
MD562e08f66fca3b5fc9a3f6624a38fd20f
SHA16f3b427d87e4f8c045e24a280c597fec9ab4c42c
SHA2567059693aa2a0f89fb51d5de5c77c53340bd48e33895c28f8dcc604521dffbfa5
SHA512d8566437800709c1e40da61eb7bfee0debd61a6f7c9331ed7929f6cf8ce30709b90903a235543d4a1d78dab99e5f6bed70695ce3b238b94392bb6f346a53387d
-
Filesize
224KB
MD5ed853abe6e4d7338966e053579ab227b
SHA1e298af34158e3658d74e21d4edaf08b6ea63cb2d
SHA25600f8ae6daf2664fb85f5d2d593d937617fa0e41c0e00108aa6a876f834b5ee3b
SHA51242fc5e8f4d1c19be33618499db1a8c8230a95293d91ef37e0df235c8bd55d77b57e5bf380ec4a748084546eb3c599f4f08f83528f6e550803bb3b891d15c025b