Analysis (score: 10)
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 18:20
Tasks
Static task: static1

Behavioral tasks (task / sample / resource):
behavioral1   006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe   win10v2004-20240426-en
behavioral2   0254882920b8d79aa87aa48e3861241d6f50bc1856fc52906e5a574397e08db5.exe   win10v2004-20240508-en
behavioral3   059acceaf93bade47e21b541d454c4c6306be3c538a4c3830fc06ede130ec54e.exe   win10v2004-20240426-en
behavioral4   23e52eabfc961f3968a8c831c24d36e0e9f098916b0ddf025ed159d3fc688616.exe   win10v2004-20240508-en
behavioral5   346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe   win10v2004-20240508-en
behavioral6   3a559db9fbdf13125c1dec222cde0f982fe63820a3dda722db7b0f646fe80e76.exe   win10v2004-20240426-en
behavioral7   3bd30de35b2caa677c1a1d8eeb9a0878d3c396425a4501d3fc280590146a7efb.exe   win10v2004-20240426-en
behavioral8   4563b46d64120bf9833b2c3a8c333cb31977f9c75d32f836c04620dc0ce6623c.exe   win10v2004-20240508-en
behavioral9   45ab0e1069984eb278e72231ed9a1e178170792eecd79ef0661dac877d441d0f.exe   win10v2004-20240426-en
behavioral10  545f251975e0336438e45247d53ca978f9025138b2622d8fe2787d5dba9f28f8.exe   win10v2004-20240508-en
behavioral11  5bd9b291d75af7da767ccfd9442e39fc2a36f83c84ba9416a78c62a54164b4ab.exe   win10v2004-20240508-en
behavioral12  5e70f35516878f784c795b9bc0d243a75bde82267717162cdb1838a7e102b600.exe   win10v2004-20240426-en
behavioral13  7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d.exe   win10v2004-20240426-en
behavioral14  8b460dc8cc01a4935d8fd4d2c0274d449f186cacf64dabc12c6b9b32c1b3de29.exe   win10v2004-20240226-en
behavioral15  928c96df1b710039ea2c9bfaae5a44e11457f6c8dc17854eced714c1eb97c2ca.exe   win10v2004-20240426-en
behavioral16  972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe   win10v2004-20240508-en
behavioral17  a025c0e61987ac5dff969885b12ced5a1064ab0b0ae71e3751eb0331b3e6332e.exe   win10v2004-20240508-en
behavioral18  bc0667bb8d76b0eceab17620f9c43835fd5dbd1eebbf9f51744ad7e0c3852c75.exe   win10v2004-20240426-en
behavioral19  cf82c35e0a5a0683a1f51d3806ea0eb39a59d81fd4fc110c9762ff99d4e3f389.exe   win10v2004-20240426-en
behavioral20  fbe2b19c3005d09f35a016c06bae0f79aabf8a1d61a477834dca18d82cb3aa62.exe   win10v2004-20240508-en

The report below is for behavioral5 (sample 346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe).
General
Target: 346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
Size: 812KB
MD5: 269e4463c32ae30693d623724642b34b
SHA1: db7310a4b793e4889d18652788269847a4ca0551
SHA256: 346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17
SHA512: c5c2084f0aa7e829307c0e592aa11d5030a92f83f8f7f955b92c478070b2cd1ca25f10f2adcf958b8a9315fa72305787f8bc18dfaad149c410943871fb410100
SSDEEP: 12288:7MrIy90Y0bOk0fpuuupA7G7boeBnDjtYIFEIzKYQl3GiXhgnmUK0ct:Py90bgQKKHoefsXXGmnt
Malware Config

Extracted: amadey
Version: 3.87
Botnet: 59b440
C2: http://77.91.68.18
install_dir: b40d11255d
install_file: saves.exe
strings_key: fa622dfc42544927a6471829ee1fa9fe
url_paths: /nice/index.php

The install_dir and install_file values match the drop path observed in the process tree (C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe).

Extracted: redline
Botnet: mrak
C2: 77.91.124.82:19071
auth_value: 7d9a335ab5dfd42d374867c96fe25302
Signatures

Modifies Windows Defender Real-time Protection settings  6 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | g2929203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | g2929203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | g2929203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | g2929203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | g2929203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | g2929203.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload  2 IoCs
resource | yara_rule
behavioral5/files/0x0007000000023425-74.dat | family_redline
behavioral5/memory/2240-75-0x00000000004D0000-0x0000000000500000-memory.dmp | family_redline
(PID 2240 is i3991898.exe; see "Executes dropped EXE".)

Checks computer location settings  2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | h5781387.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | saves.exe

Executes dropped EXE  9 IoCs
pid | process
5104 | x6521883.exe
3788 | x1483107.exe
3408 | x3498497.exe
4328 | g2929203.exe
2416 | h5781387.exe
4448 | saves.exe
2240 | i3991898.exe
1836 | saves.exe
3100 | saves.exe

Windows security modification  2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | g2929203.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | g2929203.exe
Adds Run key to start application  2 TTPs 4 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | x6521883.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | x1483107.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | x3498497.exe

Caveat: these four RunOnce values are not a Run-key persistence mechanism. wextract_cleanupN is the cleanup entry written by the IExpress (wextract) self-extractor; each one invokes advpack.dll's DelNodeRunDLL32 once at next logon to delete the matching IXP00N.TMP extraction directory. What they do show is four nested self-extracting layers (IXP000.TMP through IXP003.TMP). The persistence in this run is the one-minute scheduled task for saves.exe below.
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s)  1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
3640 | schtasks.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid | process
4328 | g2929203.exe
4328 | g2929203.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
description | pid | process
Token: SeDebugPrivilege | 4328 | g2929203.exe

Suspicious use of WriteProcessMemory  45 IoCs
Each parent/child pair is recorded three times in the report (15 pairs, 45 entries); the count per pair is given in the last column.
pid | wrote to memory of | process | procid_target | entries
4648 | 5104 | 346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe | 83 | 3
5104 | 3788 | x6521883.exe | 84 | 3
3788 | 3408 | x1483107.exe | 85 | 3
3408 | 4328 | x3498497.exe | 87 | 3
3408 | 2416 | x3498497.exe | 96 | 3
2416 | 4448 | h5781387.exe | 97 | 3
3788 | 2240 | x1483107.exe | 98 | 3
4448 | 3640 | saves.exe | 99 | 3
4448 | 4964 | saves.exe | 101 | 3
4964 | 4216 | cmd.exe | 103 | 3
4964 | 3216 | cmd.exe | 104 | 3
4964 | 1292 | cmd.exe | 105 | 3
4964 | 3084 | cmd.exe | 106 | 3
4964 | 4944 | cmd.exe | 107 | 3
4964 | 4556 | cmd.exe | 108 | 3
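The WriteProcessMemory entries above are enough on their own to rebuild the execution chain, which is useful when a sandbox export gives you the flat IoC list but not the rendered process tree. The following is an added example, not sandbox code: the parent/child pairs and the image names are transcribed from this report (each pair appears three times above, so 15 unique pairs account for the 45 entries), and the level numbering mirrors the report's own.

```python
"""Rebuild the execution chain from the WriteProcessMemory IoCs above.
Added example (not sandbox code): pairs and image names are transcribed
from this report; each pair is listed three times there."""
from collections import defaultdict

# Unique (parent_pid, child_pid) pairs; 15 pairs x 3 entries = 45 IoCs.
WRITES = [
    (4648, 5104), (5104, 3788), (3788, 3408), (3408, 4328), (3408, 2416),
    (2416, 4448), (3788, 2240), (4448, 3640), (4448, 4964), (4964, 4216),
    (4964, 3216), (4964, 1292), (4964, 3084), (4964, 4944), (4964, 4556),
]

# Image name per PID, from "Executes dropped EXE" and the process tree.
IMAGES = {
    4648: "346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe",
    5104: "x6521883.exe", 3788: "x1483107.exe", 3408: "x3498497.exe",
    4328: "g2929203.exe", 2416: "h5781387.exe", 4448: "saves.exe",
    2240: "i3991898.exe", 3640: "schtasks.exe", 4964: "cmd.exe",
    4216: "cmd.exe", 3216: "cacls.exe", 1292: "cacls.exe", 3084: "cmd.exe",
    4944: "cacls.exe", 4556: "cacls.exe",
}


def build(writes):
    """Parent map and ordered children map from (parent, child) pairs."""
    parent, children = {}, defaultdict(list)
    for p, c in writes:
        parent[c] = p
        children[p].append(c)
    return parent, children


def roots(writes, parent):
    """PIDs that wrote to a child but were never written to themselves."""
    seen = []
    for p, _ in writes:
        if p not in parent and p not in seen:
            seen.append(p)
    return seen


def chain(pid, parent):
    """Image names from the root process down to pid."""
    path = [pid]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return [IMAGES[p] for p in reversed(path)]


def render(pid, children, level=1):
    """Indented lines numbered like the report's process-tree levels."""
    lines = [f"{'  ' * (level - 1)}{level}: {IMAGES[pid]} (PID {pid})"]
    for c in children.get(pid, []):
        lines.extend(render(c, children, level + 1))
    return lines


if __name__ == "__main__":
    parent, children = build(WRITES)
    for r in roots(WRITES, parent):
        print("\n".join(render(r, children)))
```

The rebuilt tree reproduces the report's depth numbering: schtasks.exe sits at level 7 under saves.exe, and the cacls.exe instances at level 8 under cmd.exe. PIDs 1836 and 3100 (the two saves.exe processes the report shows at level 1) are absent from the write list because no monitored process wrote to them, which is consistent with the one-minute scheduled task starting them rather than a tracked parent.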
Processes
[1] C:\Users\Admin\AppData\Local\Temp\346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\346c48a0871c59620708e024ec279730125927376e659248d8497b58ee492d17.exe"
    PID: 4648
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6521883.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6521883.exe
      PID: 5104
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1483107.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1483107.exe
        PID: 3788
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3498497.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3498497.exe
          PID: 3408
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2929203.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2929203.exe
            PID: 4328
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5781387.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5781387.exe
            PID: 2416
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              PID: 4448
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe
                command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                PID: 3640
                - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                PID: 4964
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 4216
              [8] C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "saves.exe" /P "Admin:N"
                  PID: 3216
              [8] C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "saves.exe" /P "Admin:R" /E
                  PID: 1292
              [8] C:\Windows\SysWOW64\cmd.exe
                  command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  PID: 3084
              [8] C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "..\b40d11255d" /P "Admin:N"
                  PID: 4944
              [8] C:\Windows\SysWOW64\cacls.exe
                  command line: CACLS "..\b40d11255d" /P "Admin:R" /E
                  PID: 4556
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3991898.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3991898.exe
          PID: 2240
          - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    PID: 1836
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    PID: 3100
    - Executes dropped EXE

Notes on the tree:
- The image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32: saves.exe is a 32-bit process, so its child launches go through WOW64 file system redirection, and its registry writes land under WOW6432Node (the keys in the signatures above).
- The cacls chain is the loader's self-protection. For saves.exe and its directory it first replaces the ACL with a single no-access entry for the logged-on user (/P "Admin:N", with echo Y answering the confirmation prompt), then edits it to read-only (/P "Admin:R" /E). The result is that the user account can read but not modify or delete the dropped file or its folder.
- The scheduled task (/SC MINUTE /MO 1 /F) re-launches saves.exe every minute; the two level-1 saves.exe processes (PIDs 1836 and 3100) have no recorded parent in this run, consistent with the task starting them.
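Three of the behaviours in this report are worth turning into host-side detections: the Windows Defender policy writes (Real-Time Protection Disable* = 1, TamperProtection = 0), the one-minute schtasks entry pointing at a temp directory, and the cacls "user:N" self-protection. The block below is an added example, not sandbox or malware code. The event dictionaries are constructed from this report's IoCs plus two benign look-alikes, and their field layout (type, proc, key/value/data, cmdline) is an assumption, not the sandbox's export format.

```python
"""Detection logic for the Defender policy writes, the one-minute scheduled
task and the cacls self-protection recorded above. Added example: not sandbox
or malware code; events are constructed from this report's IoCs and their
field layout is an assumption, not the sandbox's export format."""
import re

EVENTS = [
    # Registry writes by g2929203.exe (from the Defender signatures above).
    {"type": "reg_set", "proc": "g2929203.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "reg_set", "proc": "g2929203.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features",
     "value": "TamperProtection", "data": 0},
    # One of the four wextract_cleanup RunOnce values (self-extractor cleanup).
    {"type": "reg_set", "proc": "x6521883.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": "wextract_cleanup1",
     "data": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    # Process starts from the process tree above.
    {"type": "proc_create", "proc": "schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F'},
    {"type": "proc_create", "proc": "cacls.exe", "cmdline": r'CACLS "saves.exe" /P "Admin:N"'},
    {"type": "proc_create", "proc": "cacls.exe", "cmdline": r'CACLS "saves.exe" /P "Admin:R" /E'},
    # Constructed benign look-alikes that the rules must leave alone.
    {"type": "reg_set", "proc": "svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 0},
    {"type": "proc_create", "proc": "schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC DAILY /ST 03:00 /TN Backup /TR "C:\Program Files\Backup\run.exe"'},
]

# Match both registry views: the 32-bit loader's writes were redirected
# under WOW6432Node in this report, a 64-bit process would hit the native key.
RTP_KEY = re.compile(r"\\SOFTWARE\\(WOW6432Node\\)?Policies\\Microsoft\\Windows Defender\\Real-Time Protection$", re.I)
FEATURES_KEY = re.compile(r"\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows Defender\\Features$", re.I)
RUNONCE_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce$", re.I)


def defender_tampering(ev):
    """Flag Real-Time Protection Disable* values set to 1 and TamperProtection set to 0."""
    if ev["type"] != "reg_set":
        return None
    if RTP_KEY.search(ev["key"]) and ev["value"].startswith("Disable") and ev["data"] == 1:
        return f'{ev["proc"]}: Defender policy {ev["value"]}=1'
    if FEATURES_KEY.search(ev["key"]) and ev["value"] == "TamperProtection" and ev["data"] == 0:
        return f'{ev["proc"]}: Defender TamperProtection=0'
    return None


def minute_task(ev):
    """Flag schtasks /Create with a MINUTE schedule whose action runs from a user temp dir."""
    if ev["type"] != "proc_create" or ev["proc"].lower() != "schtasks.exe":
        return None
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I) or not re.search(r"/sc\s+minute\b", cmd, re.I):
        return None
    mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
    tr = re.search(r'/tr\s+"([^"]*)"', cmd, re.I)
    path = tr.group(1) if tr else ""
    if "\\appdata\\local\\temp\\" not in path.lower():
        return None
    return f'schtasks: every {mo.group(1) if mo else "1"} min -> {path}'


def acl_self_protection(ev):
    """Flag cacls /P "<user>:N": a no-access entry for that user on the target."""
    if ev["type"] != "proc_create" or ev["proc"].lower() != "cacls.exe":
        return None
    cmd = ev["cmdline"]
    target = re.search(r'cacls\s+"([^"]+)"', cmd, re.I)
    deny = re.search(r'/p\s+"?([^":\s]+):n\b', cmd, re.I)
    if not deny:
        return None
    return f'cacls: deny-all for {deny.group(1)} on {target.group(1) if target else "?"}'


def wextract_levels(events):
    """Count IExpress self-extractor layers from their RunOnce cleanup entries
    (wextract_cleanupN). These delete IXP00N.TMP on next logon; packaging
    residue, not persistence, so they are reported separately from findings."""
    return len({ev["value"] for ev in events if ev["type"] == "reg_set"
                and RUNONCE_KEY.search(ev["key"])
                and re.fullmatch(r"wextract_cleanup\d+", ev["value"])})


def run(events):
    """Apply every rule to every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in (defender_tampering, minute_task, acl_self_protection):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run(EVENTS):
        print(f)
    print("self-extractor layers seen:", wextract_levels(EVENTS))
```

The benign events show the two deliberate exclusions: a policy value written as 0 (protection left on) is not tampering, and a daily task with an action under Program Files does not match the per-minute temp-directory shape. The RunOnce wextract_cleanup entries are counted but kept out of the findings list on purpose; treating them as Run-key persistence is the mistake the "Adds Run key" signature invites.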
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
Downloads

Filesize: 706KB
MD5: 0763ca1c64cc5d29bda07306722614f1
SHA1: 03fcc80c7940a5accdcfa251f34c55c29d1d106b
SHA256: 80e0d62f51727fea8d0da497d30511ad149b5aa1c4944acd020637622c5007d5
SHA512: 1ef07fd2b285800e2ea2baaf0265773780bfe805e6fe65aa7af971b8c34763294d7337c02665effbe1ca40896b91dbb45e80a2a34067f80569b4551ae02d39b1

Filesize: 540KB
MD5: 22f55faf5ff2643f36c14db9e1393fe0
SHA1: 7ac121a727716b98893c46082849c19e77fef19c
SHA256: 0e509f547462afe2a6b50ef6959775a804f7d440e7947d740414b1d8faab33c2
SHA512: d21afa3a1262aa3bdefac5a1181f2941ecdb7424821cfb39c1585abd0a9b3942aa0a63928c9721c30243147500beb69bd2693c21f1599daa2d862065870616b5

Filesize: 174KB
MD5: 3849daffb54a3377df118d62a3d0664b
SHA1: 8259badf722b829f45b9fcb922ef8f9ec9807432
SHA256: b1b12942d01e8546de92bd179ccfea2ab3d9b41a6d298ac38a58aa6ad8a2ca47
SHA512: c011e21d234471ae6948970c3d30fd01ec317b3631eb0be1e8a6ae500c86ae398c18851651ccdf00282e971f3dee0db0425e63d60b7133ecb68f7580f799846e

Filesize: 384KB
MD5: 5ad859e5a3f5efb77b2ebb1cd9f44306
SHA1: d5e72cd705aed6cd9aa469751c0c94b491ddca34
SHA256: 6d673a2f9c6eeb183f37491c0df1762e32d622a40c90398bee1b48fb67187967
SHA512: c4bfd90f2d88b0f8b123a182248c984ea7b12ecb2d2836cb02871f6bdcf422ed90e31e0640c5ee49972817cdbd85734e855b8572dc2780bf19aa9eeb360a56a4

Filesize: 202KB
MD5: b6b56abcc344ebc6e4433f6355c7d1e2
SHA1: 00c122061ed50983ff09ab81214d955aa3225b4c
SHA256: a286fe62701f48708c771eb642cb513c26792349bbe4a715032c526faa7e8acb
SHA512: 9b43e0b91a236a535290f2c16544386311f34380f34a595f903a752428a7d376b92caebe233710ff39a57be8b70157f4ec4cbae37965f3ada02fde134abd64de

Filesize: 337KB
MD5: e1d28aeb461c4abe2776d08dd0dc3f1e
SHA1: d16c1a40884bb09e9c7c0413b7147a20a15149c4
SHA256: f66f818625d84921192a7b530b800556486eb9767a58862a5beb93adfdc35fcf
SHA512: cd0b20ec4472f9089ad0310fe664d1b4ea9db1b7b6480a3f41a4a5bc08d28fb535304b8e85abd5ff3a24192c643341b70b8597b2c43a40ae64ebf40af42a0fac