Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2024 05:01
Static task: static1
General

Target: ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe
Size: 983KB
MD5: ea59dffe15d7ff6b0762a79a06550a95
SHA1: 80116ac1b53e53565bd9ae35ba77afa2b25abb18
SHA256: ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed
SHA512: d91f97268b92ad454825846933ee3e37c7cce80474d3ceef3923779d7458a554759199c721123c42ca84b30aa95cef71092656436d598f66591a73bd21b47ee5
SSDEEP: 12288:wMrky90K3N4Zw5vFiarN6rQuLRfMctep0E9hBLLFqBcfmn/Zd04hsdS6TG1DpXv1:EyFsqN6xpMzWEDS3I4+OpXvrJScZ5vx
Malware Config

Extracted
  Family: redline
  Botnet: lada
  C2: 185.161.248.90:4125
  Attributes:
    auth_value: 0b3678897547fedafe314eda5a2015ba

Extracted
  Family: amadey
  Version: 3.70
  Botnet: 47f88f
  C2: http://193.201.9.43
  Attributes:
    install_dir: 595f021478
    install_file: oneetx.exe
    strings_key: 4971eddfd380996ae21bea987102e417
    url_paths: /plays/chapter/index.php
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper 19 IoCs
resource | yara_rule
behavioral1/files/0x000b000000023b9c-19.dat | healer
behavioral1/memory/2216-22-0x0000000000C20000-0x0000000000C2A000-memory.dmp | healer
behavioral1/memory/624-29-0x00000000025A0000-0x00000000025BA000-memory.dmp | healer
behavioral1/memory/624-31-0x0000000004B80000-0x0000000004B98000-memory.dmp | healer
behavioral1/memory/624-32-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-39-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-57-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-55-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-54-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-51-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-49-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-47-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-45-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-43-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-41-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-37-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-59-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-35-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer
behavioral1/memory/624-33-0x0000000004B80000-0x0000000004B92000-memory.dmp | healer

Healer family

Modifies Windows Defender Real-time Protection settings 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | bu426938.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | bu426938.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | bu426938.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | bu426938.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | az728542.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | az728542.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | az728542.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | az728542.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | bu426938.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | bu426938.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | az728542.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | az728542.exe
RedLine

RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 3 IoCs
resource | yara_rule
behavioral1/memory/1512-2211-0x0000000005400000-0x0000000005432000-memory.dmp | family_redline
behavioral1/files/0x000f000000023b94-2216.dat | family_redline
behavioral1/memory/6028-2224-0x0000000000980000-0x00000000009AE000-memory.dmp | family_redline

Redline family
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | cor2635.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | dwL95s17.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE 10 IoCs
pid | Process
3980 | ki805966.exe
2416 | ki893490.exe
2216 | az728542.exe
624 | bu426938.exe
1512 | cor2635.exe
6028 | 1.exe
2744 | dwL95s17.exe
5420 | oneetx.exe
5592 | oneetx.exe
6064 | oneetx.exe

Windows security modification 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | az728542.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | bu426938.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | bu426938.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ki805966.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ki893490.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5188 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
pid | pid_target | Process | procid_target
3672 | 624 | WerFault.exe | 97
1364 | 1512 | WerFault.exe | 102
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oneetx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ki893490.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bu426938.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cor2635.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ki805966.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dwL95s17.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
376 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2216 | az728542.exe
2216 | az728542.exe
624 | bu426938.exe
624 | bu426938.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2216 | az728542.exe
Token: SeDebugPrivilege | 624 | bu426938.exe
Token: SeDebugPrivilege | 1512 | cor2635.exe
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 2100 wrote to memory of 3980 | 2100 | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe | 85
PID 2100 wrote to memory of 3980 | 2100 | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe | 85
PID 2100 wrote to memory of 3980 | 2100 | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe | 85
PID 3980 wrote to memory of 2416 | 3980 | ki805966.exe | 86
PID 3980 wrote to memory of 2416 | 3980 | ki805966.exe | 86
PID 3980 wrote to memory of 2416 | 3980 | ki805966.exe | 86
PID 2416 wrote to memory of 2216 | 2416 | ki893490.exe | 87
PID 2416 wrote to memory of 2216 | 2416 | ki893490.exe | 87
PID 2416 wrote to memory of 624 | 2416 | ki893490.exe | 97
PID 2416 wrote to memory of 624 | 2416 | ki893490.exe | 97
PID 2416 wrote to memory of 624 | 2416 | ki893490.exe | 97
PID 3980 wrote to memory of 1512 | 3980 | ki805966.exe | 102
PID 3980 wrote to memory of 1512 | 3980 | ki805966.exe | 102
PID 3980 wrote to memory of 1512 | 3980 | ki805966.exe | 102
PID 1512 wrote to memory of 6028 | 1512 | cor2635.exe | 103
PID 1512 wrote to memory of 6028 | 1512 | cor2635.exe | 103
PID 1512 wrote to memory of 6028 | 1512 | cor2635.exe | 103
PID 2100 wrote to memory of 2744 | 2100 | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe | 106
PID 2100 wrote to memory of 2744 | 2100 | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe | 106
PID 2100 wrote to memory of 2744 | 2100 | ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe | 106
PID 2744 wrote to memory of 5420 | 2744 | dwL95s17.exe | 107
PID 2744 wrote to memory of 5420 | 2744 | dwL95s17.exe | 107
PID 2744 wrote to memory of 5420 | 2744 | dwL95s17.exe | 107
PID 5420 wrote to memory of 376 | 5420 | oneetx.exe | 108
PID 5420 wrote to memory of 376 | 5420 | oneetx.exe | 108
PID 5420 wrote to memory of 376 | 5420 | oneetx.exe | 108
Processes

(Indentation shows the process tree; the depth number is the one reported for each process.)

C:\Users\Admin\AppData\Local\Temp\ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac905f494d61f7d6ff8c29ec88c41cf5f11a5b318a1757a9f29c91d4e20f65ed.exe"
  PID: 2100 (depth 1)
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki805966.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki805966.exe
    PID: 3980 (depth 2)
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki893490.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki893490.exe
      PID: 2416 (depth 3)
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az728542.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az728542.exe
        PID: 2216 (depth 4)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu426938.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu426938.exe
        PID: 624 (depth 4)
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1084
          PID: 3672 (depth 5)
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cor2635.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cor2635.exe
      PID: 1512 (depth 3)
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\1.exe
        Command line: "C:\Windows\Temp\1.exe"
        PID: 6028 (depth 4)
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 1196
        PID: 1364 (depth 4)
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dwL95s17.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dwL95s17.exe
    PID: 2744 (depth 2)
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
      PID: 5420 (depth 3)
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
        PID: 376 (depth 4)
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 624 -ip 624
  PID: 748 (depth 1)

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1512 -ip 1512
  PID: 6088 (depth 1)

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  PID: 5592 (depth 1)
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
  PID: 6064 (depth 1)
  - Executes dropped EXE

C:\Windows\system32\sc.exe
  Command line: C:\Windows\system32\sc.exe start wuauserv
  PID: 5188 (depth 1)
  - Launches sc.exe
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 229KB
MD5: ee1f5f0e1168ce5938997c932b4dcd27
SHA1: b8c0928da3a41d579c19f44b9e1fef6014d06452
SHA256: dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed
SHA512: bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

Filesize: 800KB
MD5: a45840db1defb5725cd6b20bf8987775
SHA1: 7e651bbcb29ca5b0ae7c1eb255009133014fb703
SHA256: d7efaa6517b34708e2b24f8293fea2505775e9ed00c29e5d35da3d64e3c68988
SHA512: a305491d6163b88c0c4c7071315c6b0dbfd1351cd5931ac113e2fa7a28b23e6d39abd1a066fa579861f35a2fc739b7435d7daea6546f690161f4579e199c2f08

Filesize: 438KB
MD5: 939ef834a92d1eab2394c3268f2eb823
SHA1: b816a9b67a864e54f60faedb4fc5ae68647ba055
SHA256: 57a599bde64e30a6375905ba46551e40849a84bc8b7665d13c25ad2fb8315ed2
SHA512: a4072de9656eaa80fa90e17305c5ea4b718cdf3274b672e953ca52eb03b40b97dd0d240ca5a1bfda90851f79edc0cefc61605f8854482bd667dd8b0f82842f10

Filesize: 334KB
MD5: 8ab9056b658c66ebf4480f636d2f2c8b
SHA1: 9b1608687f3862afe2649f9ebcb530e97a068c90
SHA256: 3436b9ea6ea27c31cd9bf524fc8f687b36ef70fdfafb98d50d95789f010d2b1f
SHA512: 558e28f1f483ce06e0a9cded55e212a831589f8e43b3b2cde8f4e335766d740516bf81e5dd84baccb93232518919167a6541d618b23cab94e6acff3cb16c4a32

Filesize: 11KB
MD5: 7e93bacbbc33e6652e147e7fe07572a0
SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Filesize: 255KB
MD5: cf43c4a437f14d63a6746db693d7b0b0
SHA1: a822318159f576444ce36a67c1265d085c8bb410
SHA256: 9523633d55f4285771c00152a312e61938488303215b070e526398bb29e65c2f
SHA512: 76f673af4be9f9d6c631d63364f44b58dd8b297904841ca988eff5227044f387bcee9ece5823b992adeb817bb814381245ecfb50171cab05f3239bea4e610039

Filesize: 168KB
MD5: 03728fed675bcde5256342183b1d6f27
SHA1: d13eace7d3d92f93756504b274777cc269b222a2
SHA256: f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA512: 6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1