Analysis
max time kernel: 142s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 22-05-2024 18:20
Static task: static1
Behavioral tasks: behavioral1 through behavioral20, one per submitted sample. This report's task is behavioral18 (sample bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe, resource win10v2004-20240426-en).
General
Target: bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe
Size: 662KB
MD5: c693bd5e0c62bb8c0044d52c931c31c8
SHA1: 1693df1c3dff75041377f4480a6a54ead046f278
SHA256: bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75
SHA512: 097c0fc5b6b02889a4f67601a653fd8d4a2b1d574b6b6cbf2004b934eb02ab571236dea6322a4fcedaa5a5281abc08a17d62403bd4f56ed0b199d28b189c9d55
SSDEEP: 12288:ZMr+y90FaweLM0qcVycy0YlxW0U20+ba9lK1NDlawUX3vPDr:vyW4M1cVZ0W4eiNDlawYPH
Malware Config

Extracted: amadey
Version: 3.87
Botnet: 59b440
C2: http://77.91.68.18
install_dir: b40d11255d
install_file: saves.exe
strings_key: fa622dfc42544927a6471829ee1fa9fe
url_paths: /nice/index.php

Extracted: redline
Botnet: mrak
C2: 77.91.124.82:19071
auth_value: 7d9a335ab5dfd42d374867c96fe25302
Signatures

Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral18/files/0x0008000000023448-26.dat | healer
behavioral18/memory/932-28-0x0000000000FE0000-0x0000000000FEA000-memory.dmp | healer
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a1942204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a1942204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a1942204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a1942204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a1942204.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a1942204.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource | yara_rule
behavioral18/files/0x0007000000023443-46.dat | family_redline
behavioral18/memory/2944-48-0x0000000000960000-0x0000000000990000-memory.dmp | family_redline
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | c1358817.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | saves.exe
Executes dropped EXE (10 IoCs)
pid | Process
4460 | v9624893.exe
1080 | v6904757.exe
3340 | v5959911.exe
932 | a1942204.exe
3168 | b5272880.exe
5040 | c1358817.exe
964 | saves.exe
2944 | d3979825.exe
2972 | saves.exe
1120 | saves.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a1942204.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v9624893.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v6904757.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v5959911.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
1448 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4084 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
932 | a1942204.exe
932 | a1942204.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 932 | a1942204.exe
Suspicious use of WriteProcessMemory (46 IoCs)
description | pid | Process | procid_target
PID 1564 wrote to memory of 4460 | 1564 | bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe | 83
PID 1564 wrote to memory of 4460 | 1564 | bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe | 83
PID 1564 wrote to memory of 4460 | 1564 | bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe | 83
PID 4460 wrote to memory of 1080 | 4460 | v9624893.exe | 85
PID 4460 wrote to memory of 1080 | 4460 | v9624893.exe | 85
PID 4460 wrote to memory of 1080 | 4460 | v9624893.exe | 85
PID 1080 wrote to memory of 3340 | 1080 | v6904757.exe | 86
PID 1080 wrote to memory of 3340 | 1080 | v6904757.exe | 86
PID 1080 wrote to memory of 3340 | 1080 | v6904757.exe | 86
PID 3340 wrote to memory of 932 | 3340 | v5959911.exe | 87
PID 3340 wrote to memory of 932 | 3340 | v5959911.exe | 87
PID 3340 wrote to memory of 3168 | 3340 | v5959911.exe | 95
PID 3340 wrote to memory of 3168 | 3340 | v5959911.exe | 95
PID 1080 wrote to memory of 5040 | 1080 | v6904757.exe | 97
PID 1080 wrote to memory of 5040 | 1080 | v6904757.exe | 97
PID 1080 wrote to memory of 5040 | 1080 | v6904757.exe | 97
PID 5040 wrote to memory of 964 | 5040 | c1358817.exe | 98
PID 5040 wrote to memory of 964 | 5040 | c1358817.exe | 98
PID 5040 wrote to memory of 964 | 5040 | c1358817.exe | 98
PID 4460 wrote to memory of 2944 | 4460 | v9624893.exe | 99
PID 4460 wrote to memory of 2944 | 4460 | v9624893.exe | 99
PID 4460 wrote to memory of 2944 | 4460 | v9624893.exe | 99
PID 964 wrote to memory of 4084 | 964 | saves.exe | 100
PID 964 wrote to memory of 4084 | 964 | saves.exe | 100
PID 964 wrote to memory of 4084 | 964 | saves.exe | 100
PID 964 wrote to memory of 4372 | 964 | saves.exe | 101
PID 964 wrote to memory of 4372 | 964 | saves.exe | 101
PID 964 wrote to memory of 4372 | 964 | saves.exe | 101
PID 4372 wrote to memory of 4976 | 4372 | cmd.exe | 104
PID 4372 wrote to memory of 4976 | 4372 | cmd.exe | 104
PID 4372 wrote to memory of 4976 | 4372 | cmd.exe | 104
PID 4372 wrote to memory of 4424 | 4372 | cmd.exe | 105
PID 4372 wrote to memory of 4424 | 4372 | cmd.exe | 105
PID 4372 wrote to memory of 4424 | 4372 | cmd.exe | 105
PID 4372 wrote to memory of 1688 | 4372 | cmd.exe | 106
PID 4372 wrote to memory of 1688 | 4372 | cmd.exe | 106
PID 4372 wrote to memory of 1688 | 4372 | cmd.exe | 106
PID 4372 wrote to memory of 928 | 4372 | cmd.exe | 107
PID 4372 wrote to memory of 928 | 4372 | cmd.exe | 107
PID 4372 wrote to memory of 928 | 4372 | cmd.exe | 107
PID 4372 wrote to memory of 2232 | 4372 | cmd.exe | 108
PID 4372 wrote to memory of 2232 | 4372 | cmd.exe | 108
PID 4372 wrote to memory of 2232 | 4372 | cmd.exe | 108
PID 4372 wrote to memory of 3280 | 4372 | cmd.exe | 109
PID 4372 wrote to memory of 3280 | 4372 | cmd.exe | 109
PID 4372 wrote to memory of 3280 | 4372 | cmd.exe | 109
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, PID, command line and the signatures matched by that process)

C:\Users\Admin\AppData\Local\Temp\bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe (PID 1564)
  cmd: "C:\Users\Admin\AppData\Local\Temp\bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9624893.exe (PID 4460)
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9624893.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6904757.exe (PID 1080)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6904757.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5959911.exe (PID 3340)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5959911.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1942204.exe (PID 932)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1942204.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5272880.exe (PID 3168)
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5272880.exe
          - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1358817.exe (PID 5040)
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1358817.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 964)
          cmd: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\schtasks.exe (PID 4084)
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\cmd.exe (PID 4372)
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe (PID 4976)
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe (PID 4424)
              cmd: CACLS "saves.exe" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe (PID 1688)
              cmd: CACLS "saves.exe" /P "Admin:R" /E
            C:\Windows\SysWOW64\cmd.exe (PID 928)
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe (PID 2232)
              cmd: CACLS "..\b40d11255d" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe (PID 3280)
              cmd: CACLS "..\b40d11255d" /P "Admin:R" /E
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3979825.exe (PID 2944)
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3979825.exe
      - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 2972)
  cmd: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 1120)
  cmd: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  - Executes dropped EXE

C:\Windows\system32\sc.exe (PID 1448)
  cmd: C:\Windows\system32\sc.exe start wuauserv
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads