Overview
overview
10Static
static
3062bf5eda9...2b.exe
windows10-2004-x64
1016b83c8926...86.exe
windows10-2004-x64
101d059ca891...d4.exe
windows10-2004-x64
1051d640efcf...44.exe
windows10-2004-x64
1068c37c8307...6a.exe
windows10-2004-x64
10764d92d88b...5f.exe
windows10-2004-x64
10853890cb43...68.exe
windows10-2004-x64
1094cb7f4064...ae.exe
windows10-2004-x64
10b37eb33077...f6.exe
windows10-2004-x64
10b813f799e9...17.exe
windows10-2004-x64
10c1a9af1ad6...d5.exe
windows10-2004-x64
10cc6d978c1f...21.exe
windows10-2004-x64
10cfdc6cd562...d3.exe
windows10-2004-x64
10e81854abc9...1a.exe
windows10-2004-x64
10eaef827c83...65.exe
windows7-x64
3eaef827c83...65.exe
windows10-2004-x64
10ed835b70d5...6c.exe
windows10-2004-x64
10f48c36cb91...ef.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
13-05-2024 08:13
Static task
static1
Behavioral task
behavioral1
Sample
062bf5eda95fa04c7146882ac1efb5ae43eaee0cd4c121db8c1c2edf9412932b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
16b83c892688e1869a75fcf88075e1a7a0983c284c41a7ff721e23cb6b9c9f86.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
51d640efcf425557c7e898a690d229994ff2fc0610138596398e8cdd60583244.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
764d92d88ba9348555a1351396433cb6b93afd1bc3dcf27a5a06c2bb7aed5c5f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
853890cb435781965f3dc9618397058d03c8d3e59706ede7d308b4afe12cbe68.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral8
Sample
94cb7f4064a3c804b1fa19c3f5dc17ae361ced8153e20bd02842c65e16d1e3ae.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
b37eb33077f476edc8499adec33a790467d8728ec752146ca687a56407fc5af6.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
b813f799e9c2f3b9ed25625bea968e14cbcad8bb1b3918ebcd79f631192ca017.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
c1a9af1ad640c504ed95e8f26021a55d127de1e35d0794f2bdaddd1451de08d5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral12
Sample
cc6d978c1f4f3ff1c9f85ac715299464b6b106c70aeb9adce32b6d355ba45721.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
e81854abc9bd7ae970c918e0839982609691e44919d3a96eee12840676c28e1a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
eaef827c83066a0c63b264b2910364be1a6d933a04f4d9f48d9610d9ea2cc465.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
eaef827c83066a0c63b264b2910364be1a6d933a04f4d9f48d9610d9ea2cc465.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ed835b70d57f3901ebdd0814415cbc64776d5bb9ee43a7077c0894540d7dde6c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
f48c36cb917c3b50876b9e4240a3abaae73007be0713d0630ca8279bfae862ef.exe
Resource
win10v2004-20240226-en
General
-
Target
68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe
-
Size
514KB
-
MD5
805f458c4e4cafdc121c09022e7065a1
-
SHA1
a7876edbb4b0df6770d9de1b3eec3d10b9341f0b
-
SHA256
68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a
-
SHA512
49ae31bcc03ce37884dea632ae0e2f2b46a145d2fbf081f83ab9854aef849a6988a3bc614676f50c9ea2fa209fad269cec271fffaa08fdca610494aea4ecc840
-
SSDEEP
12288:6Mr+y90vfhcrO1YnhEibozGpgA5UcjKy+:8ykfOrcYloyaKKD
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
grom
77.91.68.68:19071
-
auth_value
9ec3129bff410b89097d656d7abc33dc
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral5/files/0x000800000002341c-19.dat healer behavioral5/memory/3596-21-0x0000000000F70000-0x0000000000F7A000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a1520981.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a1520981.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a1520981.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a1520981.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a1520981.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a1520981.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral5/files/0x0007000000023417-42.dat family_redline behavioral5/memory/3824-44-0x0000000000470000-0x00000000004A0000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation b7964864.exe Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation danke.exe -
Executes dropped EXE 9 IoCs
pid Process 1804 v3918201.exe 1016 v8728502.exe 3596 a1520981.exe 5420 b7964864.exe 5400 danke.exe 5596 c5132843.exe 3824 d8390114.exe 5756 danke.exe 2224 danke.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a1520981.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v3918201.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v8728502.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5132843.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5132843.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c5132843.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5704 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3596 a1520981.exe 3596 a1520981.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3596 a1520981.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 5420 b7964864.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 1336 wrote to memory of 1804 1336 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe 84 PID 1336 wrote to memory of 1804 1336 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe 84 PID 1336 wrote to memory of 1804 1336 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe 84 PID 1804 wrote to memory of 1016 1804 v3918201.exe 85 PID 1804 wrote to memory of 1016 1804 v3918201.exe 85 PID 1804 wrote to memory of 1016 1804 v3918201.exe 85 PID 1016 wrote to memory of 3596 1016 v8728502.exe 86 PID 1016 wrote to memory of 3596 1016 v8728502.exe 86 PID 1016 wrote to memory of 5420 1016 v8728502.exe 94 PID 1016 wrote to memory of 5420 1016 v8728502.exe 94 PID 1016 wrote to memory of 5420 1016 v8728502.exe 94 PID 5420 wrote to memory of 5400 5420 b7964864.exe 95 PID 5420 wrote to memory of 5400 5420 b7964864.exe 95 PID 5420 wrote to memory of 5400 5420 b7964864.exe 95 PID 1804 wrote to memory of 5596 1804 v3918201.exe 96 PID 1804 wrote to memory of 5596 1804 v3918201.exe 96 PID 1804 wrote to memory of 5596 1804 v3918201.exe 96 PID 5400 wrote to memory of 5704 5400 danke.exe 97 PID 5400 wrote to memory of 5704 5400 danke.exe 97 PID 5400 wrote to memory of 5704 5400 danke.exe 97 PID 5400 wrote to memory of 2292 5400 danke.exe 99 PID 5400 wrote to memory of 2292 5400 danke.exe 99 PID 5400 wrote to memory of 2292 5400 danke.exe 99 PID 2292 wrote to memory of 492 2292 cmd.exe 101 PID 2292 wrote to memory of 492 2292 cmd.exe 101 PID 2292 wrote to memory of 492 2292 cmd.exe 101 PID 2292 wrote to memory of 2024 2292 cmd.exe 102 PID 2292 wrote to memory of 2024 2292 cmd.exe 102 PID 2292 wrote to memory of 2024 2292 cmd.exe 102 PID 2292 wrote to memory of 4216 2292 cmd.exe 103 PID 2292 wrote to memory of 4216 2292 cmd.exe 103 PID 2292 wrote to memory of 4216 2292 cmd.exe 103 PID 2292 wrote to memory of 1924 2292 cmd.exe 104 PID 2292 wrote to memory of 1924 2292 cmd.exe 104 PID 2292 wrote to memory of 1924 2292 cmd.exe 104 PID 2292 wrote to memory of 5132 2292 cmd.exe 105 PID 2292 wrote to memory of 5132 2292 cmd.exe 105 PID 2292 wrote to memory of 5132 2292 cmd.exe 105 PID 2292 wrote to memory of 460 2292 cmd.exe 106 PID 2292 wrote to memory of 460 2292 cmd.exe 106 PID 2292 wrote to memory of 460 2292 cmd.exe 106 PID 1336 wrote to memory of 3824 1336 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe 110 PID 1336 wrote to memory of 3824 1336 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe 110 PID 1336 wrote to memory of 3824 1336 68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe"C:\Users\Admin\AppData\Local\Temp\68c37c83076969c58d0363958646c7804b3b22fd50f04aa720bc28b07793816a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3918201.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3918201.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8728502.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8728502.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1520981.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1520981.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3596
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7964864.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7964864.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5420 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5400 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
PID:5704
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:492
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵PID:2024
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵PID:4216
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵PID:1924
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵PID:5132
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵PID:460
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5132843.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5132843.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5596
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8390114.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8390114.exe2⤵
- Executes dropped EXE
PID:3824
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:5756
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:2224
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD58057a194266577b4c40a403b7132883d
SHA148e608a3d8318d958ff39e6d86c92300f25697b9
SHA25697ffdc0bcd30df2761422c722ec2b0cbd18671e1e76aa4fc3e4074869c6cd644
SHA512b49ec55343454f6e1ca92c7b5617ab73465d9953750757b51d78f40468d3aa1314e4f2ff567a348331bbf3111e3d7f9a642a7935b0d7e1d91fc35bcda1694ea6
-
Filesize
359KB
MD56e73bdbfa5d08ebf1d73023e9ee727dc
SHA1b9ee6a750155a8c2642b5bf3437fda9007678507
SHA256609302e9708f446dc5473b29cacf3c8e4187ad07ea6c88850f242573287ab897
SHA5121277e15f9c2e89d70209034f19533481c9576603e00dedb10867197b1ace4fdf99104b950d8b464010dd3e564cbfdc41fed20f5b06cab637156852ecd05f9d7e
-
Filesize
33KB
MD5e4310852aa5e6ffcec01b7a96a99f8d3
SHA19061a6968a4c1d86c6c566306067507bbb9a3e5c
SHA256242c37b2da275f6caf39aee903155e18501a605549ee169cb0a9086f23fa6250
SHA512ec96f4c0008a67bed43278dd18e28c599e52ff75645377afa7292c4223329ed543f303160ac565d32e155a6df1ed084352d78c786d44c00d23a7dadade9bd614
-
Filesize
235KB
MD57e1c0acf0982e20ee5997894b1883c97
SHA185725fed96c43bdf60406f80227d08694c86a72b
SHA256e0977088957e4b9c31b6b71eb74f47c24b020d3ab8378b8fedf317a4aa03e2fa
SHA512c0385b7b09d6f892a22485bcde9a5779182e34b4ada86e89387556a0631e35f89e816c49537a0acee712e8da896b98a1f229dcfbbfaaa0395508bbd7e7130040
-
Filesize
11KB
MD51064c8e873b8ef7b683a5228cbc88b8b
SHA118fd3ab0f542ae640f158b5ac20615c4b1940699
SHA256cad5902d256fd6e9f3a64166925193a0ffbe66db4ec317b38bb76050f3367787
SHA512db04baf087525ab2c23221a977d970ea6c280975c94895d007f676af4ed66b9787c0ab23cf2282046504ef40cf7e936dbd6b57a777f4039ebaf6de17f0fd327d
-
Filesize
228KB
MD5e520652f2d0117c0399e40ecdd867ef2
SHA1efdc1c767bb298ecad98b0c88e4e0e960559e23c
SHA25672b1c2d3c1dc93b72614111d2a82ac0573112f98c20dd78ccb292860c1ccb8e0
SHA512060d151bfc6576b6c87def2260c34a90c17d9d3b3384cba446fad221c6994e0989f61ae25b00450384f24813b3014027f391b6d4e829baeb0ab1af891a41bbc6