Overview
overview
10Static
static
30805913f50...13.exe
windows10-2004-x64
1011eba51293...3a.exe
windows10-2004-x64
1017a0568b20...3a.exe
windows10-2004-x64
10346c46bc82...26.exe
windows10-2004-x64
104867af9d5d...1f.exe
windows10-2004-x64
105f2f269e1f...9a.exe
windows10-2004-x64
1064e73ef21d...a1.exe
windows10-2004-x64
107c556f6f80...61.exe
windows10-2004-x64
108c970cc94c...d3.exe
windows10-2004-x64
109296923f57...24.exe
windows10-2004-x64
10ae96a881fd...69.exe
windows10-2004-x64
10b150b2b6ed...d5.exe
windows10-2004-x64
10c1b0ce286b...51.exe
windows10-2004-x64
10c1d1b117a2...35.exe
windows10-2004-x64
10d876400b35...04.exe
windows10-2004-x64
10eb3bd6af82...52.exe
windows10-2004-x64
10eb7c2e9dc2...28.exe
windows10-2004-x64
10ed2eb0d5dc...bf.exe
windows10-2004-x64
10fc2a396813...13.exe
windows10-2004-x64
10fd4ce916b7...90.exe
windows10-2004-x64
10Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:47
Static task
static1
Behavioral task
behavioral1
Sample
0805913f5039b1097cf6d0b178560036e0b99e52f86b3990bf7bd4b663d15513.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
11eba512939d3d17bcd0d5543f3a05dac69c96858fbb7120b8802814391c413a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
17a0568b2023370d14f35371e9d7c372589b91d4098eecace76d78c9a7587d3a.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
346c46bc8283ae44fe76d91bebdf5c933515cb6b55b0e4f1dd25ca7a64a0a726.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
5f2f269e1f9905fb92ad987badd2a5b73d7a44e072d374b4e040c95e30b5c69a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
64e73ef21d2b9d5819334be729f07ac670e6fa83111bc1b666abffc261bc2da1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7c556f6f80bf250c2ce70d007250b6906c79d457969a75a3f17dc9885daf8761.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
8c970cc94c6aab0b503af6d60e60f5c6c870576c82be9233ab884894899a97d3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral10
Sample
9296923f571779b37e571b296a597c9c5eb71a0a616bfd3ddab9f7d20c509c24.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
ae96a881fddd0471c5a462a0b27848d72c34ba866c6061e0f84ab3a1097a7a69.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
b150b2b6edd507299c5ac9c6a165df425596a5b2a6f78c7ee7594e3f19a28fd5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
c1b0ce286b7a31d1ab1a8fca661afccb95aaaf56a8fa6b4a311da0a284b09351.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
d876400b35d912e211572e1acd02738c757f24f8adf82ea7ac3ce91f74c8e404.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
eb3bd6af828d49516b571018684b6f164a7f79bb71c38674e37a085ab5813352.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
eb7c2e9dc2416d5168ea11cdee85ea662e4aa32921edbe521787e1a7dcc79228.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
ed2eb0d5dcf8c04d4b8381812154164abb842db1d4f3059e6d7d12293004ffbf.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
fc2a3968133c3c96ae55dfdd56ca5b4dd51ed30658a98d55193b96e1533f4013.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
fd4ce916b77ccd6023667af48e2052df3bebb66cde59b34f1002b2799e6a4890.exe
Resource
win10v2004-20240508-en
General
-
Target
c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe
-
Size
812KB
-
MD5
f5f40df358fb020b709a87b5ed4ec4d3
-
SHA1
7a1412af73b32c7c9a61007863b57f50570645b2
-
SHA256
c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435
-
SHA512
f45fd35998f15a6204494bb8e99391571f35e6e4867e56bf78a818062c75942eea2a63cf93df732f7ed0d6eaf79d49e4a165b1b6ad62df994550e57a1125d3ba
-
SSDEEP
12288:AMrsy90fafIyG5ojpCh/IL7ElM0kHP5/rmMsj+IgMcFLzZp1/9mOh8++OM:cyMojpCh/+7C4xrmMi+I4Fpr/kOh8D3
Malware Config
Extracted
amadey
3.87
59b440
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" g8871577.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" g8871577.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" g8871577.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" g8871577.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection g8871577.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" g8871577.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral14/files/0x000700000002343a-73.dat family_redline behavioral14/memory/2404-75-0x0000000000220000-0x0000000000250000-memory.dmp family_redline -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation h4096492.exe Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation saves.exe -
Executes dropped EXE 10 IoCs
pid Process 2684 x1387297.exe 5200 x2122202.exe 1372 x8979577.exe 4212 g8871577.exe 5400 h4096492.exe 3400 saves.exe 2404 i5613002.exe 1692 saves.exe 1048 saves.exe 4520 saves.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features g8871577.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" g8871577.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" x1387297.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" x2122202.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" x8979577.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3280 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4212 g8871577.exe 4212 g8871577.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4212 g8871577.exe -
Suspicious use of WriteProcessMemory 45 IoCs
description pid Process procid_target PID 4444 wrote to memory of 2684 4444 c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe 83 PID 4444 wrote to memory of 2684 4444 c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe 83 PID 4444 wrote to memory of 2684 4444 c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe 83 PID 2684 wrote to memory of 5200 2684 x1387297.exe 84 PID 2684 wrote to memory of 5200 2684 x1387297.exe 84 PID 2684 wrote to memory of 5200 2684 x1387297.exe 84 PID 5200 wrote to memory of 1372 5200 x2122202.exe 85 PID 5200 wrote to memory of 1372 5200 x2122202.exe 85 PID 5200 wrote to memory of 1372 5200 x2122202.exe 85 PID 1372 wrote to memory of 4212 1372 x8979577.exe 86 PID 1372 wrote to memory of 4212 1372 x8979577.exe 86 PID 1372 wrote to memory of 4212 1372 x8979577.exe 86 PID 1372 wrote to memory of 5400 1372 x8979577.exe 97 PID 1372 wrote to memory of 5400 1372 x8979577.exe 97 PID 1372 wrote to memory of 5400 1372 x8979577.exe 97 PID 5400 wrote to memory of 3400 5400 h4096492.exe 98 PID 5400 wrote to memory of 3400 5400 h4096492.exe 98 PID 5400 wrote to memory of 3400 5400 h4096492.exe 98 PID 5200 wrote to memory of 2404 5200 x2122202.exe 99 PID 5200 wrote to memory of 2404 5200 x2122202.exe 99 PID 5200 wrote to memory of 2404 5200 x2122202.exe 99 PID 3400 wrote to memory of 3280 3400 saves.exe 100 PID 3400 wrote to memory of 3280 3400 saves.exe 100 PID 3400 wrote to memory of 3280 3400 saves.exe 100 PID 3400 wrote to memory of 1444 3400 saves.exe 102 PID 3400 wrote to memory of 1444 3400 saves.exe 102 PID 3400 wrote to memory of 1444 3400 saves.exe 102 PID 1444 wrote to memory of 3404 1444 cmd.exe 105 PID 1444 wrote to memory of 3404 1444 cmd.exe 105 PID 1444 wrote to memory of 3404 1444 cmd.exe 105 PID 1444 wrote to memory of 3460 1444 cmd.exe 106 PID 1444 wrote to memory of 3460 1444 cmd.exe 106 PID 1444 wrote to memory of 3460 1444 cmd.exe 106 PID 1444 wrote to memory of 4380 1444 cmd.exe 107 PID 1444 wrote to memory of 4380 1444 cmd.exe 107 PID 1444 wrote to memory of 4380 1444 cmd.exe 107 PID 1444 wrote to memory of 4676 1444 cmd.exe 109 PID 1444 wrote to memory of 4676 1444 cmd.exe 109 PID 1444 wrote to memory of 4676 1444 cmd.exe 109 PID 1444 wrote to memory of 720 1444 cmd.exe 110 PID 1444 wrote to memory of 720 1444 cmd.exe 110 PID 1444 wrote to memory of 720 1444 cmd.exe 110 PID 1444 wrote to memory of 2304 1444 cmd.exe 111 PID 1444 wrote to memory of 2304 1444 cmd.exe 111 PID 1444 wrote to memory of 2304 1444 cmd.exe 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe"C:\Users\Admin\AppData\Local\Temp\c1d1b117a294542d27caa4ebc382b5fc76b02e11a9e65fa6db0a33433cb6e435.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1387297.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1387297.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2122202.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2122202.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5200 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8979577.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8979577.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8871577.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8871577.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4096492.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4096492.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5400 -
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F7⤵
- Creates scheduled task(s)
PID:3280
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:3404
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"8⤵PID:3460
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E8⤵PID:4380
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵PID:4676
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"8⤵PID:720
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E8⤵PID:2304
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5613002.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5613002.exe4⤵
- Executes dropped EXE
PID:2404
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:1692
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:1048
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
PID:4520
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
706KB
MD5522fdd513a2e5654aaa1a86d8e877b19
SHA1b36b076c3e4bea5f683ed6fd65e0f56f59fd4703
SHA256fab11a184d850740e499a941bbd192c2ae7a487a63a67ea2f0a7c0a45aef14fa
SHA512174fd0cc19fcb878a7035aece12c2e9ddaef1a0137ad601b73bad309a98db421543e86f1bb6f581e515605582c75c0b7b8fa6c02df629bc184b7db137627c612
-
Filesize
540KB
MD51a745ab8cfd599fc9c392009aacafbaa
SHA19f522b3692ba9e2c5833a1c5e5f45c198692c4b8
SHA256f24e88d400df87994bf16d3edc7036915254a98ac02cdb85d7a7daf8338f8075
SHA51228d810a014daad02f78d71706f3cf9c74ae1945f98636e31f3752c16a11df0f92171208e42c44de5a6c082e56699f9f01a7c733e9c511e521af7c6445894b21a
-
Filesize
173KB
MD57864b1aff2c27dd1452aa65fa83b545a
SHA1ebb0d7fe16ffdd7dc3c90ee61f42120d8479b9a1
SHA25654ad7fb552b2eac93cd95105cf40c2a1b1a219733c536c11ba93ea8d8dee8985
SHA512cc573f625b4bf617287ea94d1ee686dbe243589107c9803b72c4f38469692bd4481277bdcca08987be0c14c705ac08e5f2e58b4c4b0832957b32b9e71a4d6525
-
Filesize
384KB
MD5ea910a7ec0183340f8856c5895f0e75e
SHA16ab28ea7b498b01c81b0ddaf623aa44c4324ae5b
SHA25681d51185b167aca1b95751beab6f801780af97c16ed63046b5011dbcfd51267e
SHA512ce64f7d346ee014e005cf07dead2d2252fac07204579031215e5ba4fa09a93cd55fab5fc9feb502a2cbfa6b7fb3c32b0da77b136e513de342636af7c8ecc2f2f
-
Filesize
185KB
MD59ac79fd58e2092e7d6d33c9798339513
SHA198023b23d8675ae3f8f09ead186d86b04e49f03d
SHA256b76bbfc7392e271c95f11f70e4d21d0a15a03458f6828e88257a037f5b6ea66c
SHA512ed99e76bd60a67fa6db1f91a7cb3ae6883fb23e48da47c4ed09b1b7067a87be7043a3a59671e5302ec37ce22d6e7c394deb799afe93bc79fe85016969575cc57
-
Filesize
335KB
MD5d25095eecf2b86ee32bec8020907f858
SHA1b07bf66a028e6c769e314ac6e06a12f62aa30e12
SHA2567411f1a815a2b183c3759a3282b05c17f23324cb320a1190719c5ca136329d19
SHA51261725e00b4fc3a0158b3228ce48933b33a13e122ae418bc30dfbc6a99b522978cafc3cb7e4a5e1899780abbba0b720eaaff50bf7790d224d100b2660253e0127