Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-11-2024 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe
- Resource: win10v2004-20241007-en
General
- Target: 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe
- Size: 642KB
- MD5: 38f62c6d095bf12a7357fe2708f3f78f
- SHA1: aa382775bc0eeb041534a138249be3ae9372bee0
- SHA256: 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e
- SHA512: 9d5cb02a341f429bef89d3ed2ba3edaba5975ad153844006f12256848833472f181b140187456c0a045efc2d9f7570bd29de94b302ad60df6beba62fa152d5f0
- SSDEEP: 12288:0Mrfy90CjMJmjbabqzFySqBheWt0ZgbHcX0DZ873IT:jyuJOWEFrJCDcX2uu
Malware Config
Extracted: amadey
- 3.86
- 88c8bb
- http://77.91.68.61
- install_dir: 925e7e99c5
- install_file: pdates.exe
- strings_key: ada76b8b0e1f6892ee93c20ab8946117
- url_paths: /rock/index.php
Extracted: redline
- lodka
- 77.91.124.156:19071
- auth_value: 76f99d6cc9332c02bb9728c3ba80d3a9
Signatures
- Amadey family
- Detects Healer an antivirus disabler dropper (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000b000000023b61-26.dat | healer
  behavioral1/memory/1460-28-0x0000000000EE0000-0x0000000000EEA000-memory.dmp | healer
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a2477818.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a2477818.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a2477818.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a2477818.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a2477818.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a2477818.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource | yara_rule
  behavioral1/files/0x000a000000023b5a-49.dat | family_redline
  behavioral1/memory/1036-51-0x00000000008B0000-0x00000000008E0000-memory.dmp | family_redline
- Redline family
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Smokeloader family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | pdates.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | b7829199.exe
- Executes dropped EXE (10 IoCs)
  pid | Process
  924 | v0499582.exe
  3360 | v8956037.exe
  3780 | v8309007.exe
  1460 | a2477818.exe
  3600 | b7829199.exe
  2952 | pdates.exe
  2852 | c3990377.exe
  1036 | d0679215.exe
  1676 | pdates.exe
  2660 | pdates.exe
- Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a2477818.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v0499582.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v8956037.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v8309007.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v8956037.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v8309007.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7829199.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c3990377.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0679215.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0499582.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pdates.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c3990377.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c3990377.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c3990377.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  3976 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1460 | a2477818.exe
  1460 | a2477818.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1460 | a2477818.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  3600 | b7829199.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  description | pid | Process | procid_target
  PID 2308 wrote to memory of 924 | 2308 | 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe | 83
  PID 2308 wrote to memory of 924 | 2308 | 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe | 83
  PID 2308 wrote to memory of 924 | 2308 | 6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe | 83
  PID 924 wrote to memory of 3360 | 924 | v0499582.exe | 84
  PID 924 wrote to memory of 3360 | 924 | v0499582.exe | 84
  PID 924 wrote to memory of 3360 | 924 | v0499582.exe | 84
  PID 3360 wrote to memory of 3780 | 3360 | v8956037.exe | 86
  PID 3360 wrote to memory of 3780 | 3360 | v8956037.exe | 86
  PID 3360 wrote to memory of 3780 | 3360 | v8956037.exe | 86
  PID 3780 wrote to memory of 1460 | 3780 | v8309007.exe | 87
  PID 3780 wrote to memory of 1460 | 3780 | v8309007.exe | 87
  PID 3780 wrote to memory of 3600 | 3780 | v8309007.exe | 95
  PID 3780 wrote to memory of 3600 | 3780 | v8309007.exe | 95
  PID 3780 wrote to memory of 3600 | 3780 | v8309007.exe | 95
  PID 3600 wrote to memory of 2952 | 3600 | b7829199.exe | 96
  PID 3600 wrote to memory of 2952 | 3600 | b7829199.exe | 96
  PID 3600 wrote to memory of 2952 | 3600 | b7829199.exe | 96
  PID 3360 wrote to memory of 2852 | 3360 | v8956037.exe | 97
  PID 3360 wrote to memory of 2852 | 3360 | v8956037.exe | 97
  PID 3360 wrote to memory of 2852 | 3360 | v8956037.exe | 97
  PID 924 wrote to memory of 1036 | 924 | v0499582.exe | 98
  PID 924 wrote to memory of 1036 | 924 | v0499582.exe | 98
  PID 924 wrote to memory of 1036 | 924 | v0499582.exe | 98
  PID 2952 wrote to memory of 3976 | 2952 | pdates.exe | 99
  PID 2952 wrote to memory of 3976 | 2952 | pdates.exe | 99
  PID 2952 wrote to memory of 3976 | 2952 | pdates.exe | 99
  PID 2952 wrote to memory of 1540 | 2952 | pdates.exe | 101
  PID 2952 wrote to memory of 1540 | 2952 | pdates.exe | 101
  PID 2952 wrote to memory of 1540 | 2952 | pdates.exe | 101
  PID 1540 wrote to memory of 1724 | 1540 | cmd.exe | 103
  PID 1540 wrote to memory of 1724 | 1540 | cmd.exe | 103
  PID 1540 wrote to memory of 1724 | 1540 | cmd.exe | 103
  PID 1540 wrote to memory of 2364 | 1540 | cmd.exe | 104
  PID 1540 wrote to memory of 2364 | 1540 | cmd.exe | 104
  PID 1540 wrote to memory of 2364 | 1540 | cmd.exe | 104
  PID 1540 wrote to memory of 956 | 1540 | cmd.exe | 105
  PID 1540 wrote to memory of 956 | 1540 | cmd.exe | 105
  PID 1540 wrote to memory of 956 | 1540 | cmd.exe | 105
  PID 1540 wrote to memory of 1280 | 1540 | cmd.exe | 106
  PID 1540 wrote to memory of 1280 | 1540 | cmd.exe | 106
  PID 1540 wrote to memory of 1280 | 1540 | cmd.exe | 106
  PID 1540 wrote to memory of 888 | 1540 | cmd.exe | 107
  PID 1540 wrote to memory of 888 | 1540 | cmd.exe | 107
  PID 1540 wrote to memory of 888 | 1540 | cmd.exe | 107
  PID 1540 wrote to memory of 4876 | 1540 | cmd.exe | 108
  PID 1540 wrote to memory of 4876 | 1540 | cmd.exe | 108
  PID 1540 wrote to memory of 4876 | 1540 | cmd.exe | 108
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6dfa03761c2162f76a72e9103f72e906c41f73035f366b6f6e8362a3173d767e.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2308
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0499582.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0499582.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 924
    Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8956037.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8956037.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3360
      Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8309007.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8309007.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3780
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2477818.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2477818.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1460
        Level 5: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7829199.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7829199.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID: 3600
          Level 6: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 2952
            Level 7: C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
              PID: 3976
            Level 7: C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 1540
              Level 8: C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
                PID: 1724
              Level 8: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "pdates.exe" /P "Admin:N"
                - System Location Discovery: System Language Discovery
                PID: 2364
              Level 8: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "pdates.exe" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
                PID: 956
              Level 8: C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
                PID: 1280
              Level 8: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\925e7e99c5" /P "Admin:N"
                - System Location Discovery: System Language Discovery
                PID: 888
              Level 8: C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\925e7e99c5" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
                PID: 4876
        Level 4: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3990377.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3990377.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks SCSI registry key(s)
          PID: 2852
      Level 3: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0679215.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0679215.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 1036
Level 1: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  - Executes dropped EXE
  PID: 1676
Level 1: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  - Executes dropped EXE
  PID: 2660
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads