Analysis
max time kernel: 149s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2024 00:28
Static task: static1
General
Target: 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe
Size: 837KB
MD5: 0a1d949c985fca40eb22659ee299efc1
SHA1: 4e407adf07954fd9db0952b1b7e2681df19f87d6
SHA256: 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66
SHA512: 17a13d508f97ba5256fb34adcd6439b773652b615a012260c166fe936415102a63cb4023293bb4a5a1691afcc7cc06df124afa61a617eb790128ad36061bb9b7
SSDEEP: 12288:mMrQy90ond5EuaJRrl/TQaYbT8EoMcAInvXwWBesi3AUHCPWvXuffVq:eyz5daJRR/0nTjP7Invt0fO7f9q
Malware Config
Extracted: redline
  lada
  185.161.248.90:4125
  auth_value: 0b3678897547fedafe314eda5a2015ba
Extracted: amadey
  3.70
  47f88f
  http://193.201.9.43
  install_dir: 595f021478
  install_file: oneetx.exe
  strings_key: 4971eddfd380996ae21bea987102e417
  url_paths: /plays/chapter/index.php
Signatures
-
Amadey family
-
Detects Healer, an antivirus disabler dropper (18 IoCs)
resource | yara_rule
behavioral1/memory/4652-19-0x0000000002440000-0x000000000245A000-memory.dmp | healer
behavioral1/memory/4652-20-0x00000000004F0000-0x00000000005F0000-memory.dmp | healer
behavioral1/memory/4652-22-0x00000000024F0000-0x0000000002508000-memory.dmp | healer
behavioral1/memory/4652-24-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-50-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-48-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-46-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-44-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-42-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-40-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-38-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-36-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-34-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-30-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-28-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-26-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-23-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
behavioral1/memory/4652-32-0x00000000024F0000-0x0000000002502000-memory.dmp | healer
Healer family
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | pr793287.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | pr793287.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | pr793287.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | pr793287.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | pr793287.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | pr793287.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/memory/3732-2205-0x0000000005410000-0x0000000005442000-memory.dmp | family_redline
behavioral1/files/0x000a000000023ccc-2210.dat | family_redline
behavioral1/memory/4464-2218-0x00000000008D0000-0x00000000008FE000-memory.dmp | family_redline
Redline family
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | oneetx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | qu784126.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | si029103.exe
Executes dropped EXE (8 IoCs)
pid | Process
4924 | un557601.exe
4652 | pr793287.exe
3732 | qu784126.exe
4464 | 1.exe
2260 | si029103.exe
4404 | oneetx.exe
372 | oneetx.exe
1532 | oneetx.exe
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | pr793287.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | pr793287.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | un557601.exe
Launches sc.exe (1 IoC)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2884 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
1388 | 4652 | WerFault.exe | 88
1192 | 3732 | WerFault.exe | 100
System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oneetx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | un557601.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pr793287.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qu784126.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | si029103.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
956 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
4652 | pr793287.exe
4652 | pr793287.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4652 | pr793287.exe
Token: SeDebugPrivilege | 3732 | qu784126.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2260 | si029103.exe
Suspicious use of WriteProcessMemory (21 IoCs)
description | pid | Process | procid_target
PID 4796 wrote to memory of 4924 | 4796 | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | 87
PID 4796 wrote to memory of 4924 | 4796 | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | 87
PID 4796 wrote to memory of 4924 | 4796 | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | 87
PID 4924 wrote to memory of 4652 | 4924 | un557601.exe | 88
PID 4924 wrote to memory of 4652 | 4924 | un557601.exe | 88
PID 4924 wrote to memory of 4652 | 4924 | un557601.exe | 88
PID 4924 wrote to memory of 3732 | 4924 | un557601.exe | 100
PID 4924 wrote to memory of 3732 | 4924 | un557601.exe | 100
PID 4924 wrote to memory of 3732 | 4924 | un557601.exe | 100
PID 3732 wrote to memory of 4464 | 3732 | qu784126.exe | 103
PID 3732 wrote to memory of 4464 | 3732 | qu784126.exe | 103
PID 3732 wrote to memory of 4464 | 3732 | qu784126.exe | 103
PID 4796 wrote to memory of 2260 | 4796 | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | 106
PID 4796 wrote to memory of 2260 | 4796 | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | 106
PID 4796 wrote to memory of 2260 | 4796 | 58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe | 106
PID 2260 wrote to memory of 4404 | 2260 | si029103.exe | 107
PID 2260 wrote to memory of 4404 | 2260 | si029103.exe | 107
PID 2260 wrote to memory of 4404 | 2260 | si029103.exe | 107
PID 4404 wrote to memory of 956 | 4404 | oneetx.exe | 108
PID 4404 wrote to memory of 956 | 4404 | oneetx.exe | 108
PID 4404 wrote to memory of 956 | 4404 | oneetx.exe | 108
Processes
(process tree; indentation shows parent/child depth, each entry lists image path, command line, PID and triggered signatures)

* C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58bc8c265e2c543d9f972ac3751a25a133826041361ed8ec9aa9f62861377a66.exe"
  PID: 4796
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    * C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un557601.exe
      PID: 4924
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        * C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr793287.exe
          PID: 4652
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            * C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1084
              PID: 1388
              - Program crash
        * C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu784126.exe
          PID: 3732
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            * C:\Windows\Temp\1.exe
              Command line: "C:\Windows\Temp\1.exe"
              PID: 4464
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
            * C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1520
              PID: 1192
              - Program crash
    * C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si029103.exe
      PID: 2260
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        * C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
          PID: 4404
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
            * C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
              PID: 956
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task

* C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4652 -ip 4652
  PID: 4368

* C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3732 -ip 3732
  PID: 1632

* C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  PID: 372
  - Executes dropped EXE

* C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  PID: 1532
  - Executes dropped EXE

* C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 2884
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads