Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 05:14
Static task: static1
Behavioral task: behavioral1
Sample: 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe
Resource: win10v2004-20241007-en
General
Target: 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe
Size: 1.2MB
MD5: 2f689133cd22b0c65c246a32485c1a20
SHA1: 54b3d0b1443720abb99633bcaf5c71601e5c2de8
SHA256: 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206
SHA512: cecefa581b08b486cb700920e73f36602120e9f290f2cf9bdb8a296a828de551dc1a9596464252642345d475dcdbf4e270543db601b8762232d279c247c3105f
SSDEEP: 24576:+ycDNhhiP3AUmtQnt1rwWg/EEKWuMi6bv4/gW1WaJ6T:NcDrhiP3AVtAt1rDQrv4/J1R
Malware Config
Extracted: amadey
version: 3.80
botnet ID: 8c4642
C2: http://193.201.9.240
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: c7c0f24aa6d8f611f5533809029a4795
url_paths: /live/games/index.php
Derived from the fields above: the check-in URL is the C2 host joined with url_paths, http://193.201.9.240/live/games/index.php, and the install location is %TEMP%\cb7ae701b3\oneetx.exe, which is exactly the oneetx.exe path that appears in the process tree below. The strings_key is the key the extractor used to decode the sample's string table; it is not a network or file indicator.
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper 2 IoCs
resource / yara_rule:
- behavioral1/files/0x0008000000023c9b-26.dat: healer
- behavioral1/memory/3248-28-0x0000000000EA0000-0x0000000000EAA000-memory.dmp: healer (PID 3248 is az980630.exe, see "Executes dropped EXE")
Healer family
Modifies Windows Defender Real-time Protection settings 6 IoCs
description / ioc / Process (all six written by az980630.exe):
- Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
These are the Group Policy locations for Defender's real-time protection switches. The sandbox records that the values were written; it does not show whether Defender honoured them, and with Tamper Protection enabled Defender ignores changes to these settings made through the registry or Group Policy.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 35 IoCs
resource / yara_rule (all 35 hits are memory dumps of PID 3320, dFr68t97.exe, rule family_redline):
- behavioral1/memory/3320-47-0x0000000002740000-0x000000000277C000-memory.dmp
- behavioral1/memory/3320-49-0x0000000004F40000-0x0000000004F7A000-memory.dmp
- behavioral1/memory/3320-N-0x0000000004F40000-0x0000000004F75000-memory.dmp for N in 50, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 103, 105, 107, 109, 111, 113 (33 dumps of the same region)
Redline family
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (bu757899.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation (oneetx.exe)
Executes dropped EXE 9 IoCs
pid / Process:
- 3396 ki147456.exe
- 4408 ki826708.exe
- 368 ki096675.exe
- 3248 az980630.exe
- 520 bu757899.exe
- 5060 oneetx.exe
- 3320 dFr68t97.exe
- 1096 oneetx.exe
- 5440 oneetx.exe
Windows security modification 1 IoCs
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" (az980630.exe)
This is the Defender feature flag behind Tamper Protection, written alongside the Real-Time Protection policy values above by the same process. As with those values, the report shows the write attempt, not that the setting took effect.
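Detection check, added here as an example and not part of the sandbox report: the Defender policy writes and the TamperProtection write above, fed to a small classifier as registry value-set records. The record shape (image, key, details, in the style of Sysmon Event ID 13) and the two benign control records are assumptions constructed for the example; the six tampering records are taken from the IoCs above. The classifier accepts both the native \REGISTRY\MACHINE spelling used in the report and the HKLM spelling Sysmon emits, and treats a writer outside System32/SysWOW64 as the stronger signal, since Group Policy processing is the expected writer of the Policies hive.

```python
"""Classify Windows Defender registry tampering from value-set records.

Example added to this page. The record shape (Sysmon Event ID 13 style) and the
two benign controls are constructed; the six tampering records mirror the IoCs
above."""
import re

DEFENDER_POLICY = "hklm\\software\\policies\\microsoft\\windows defender\\"
TAMPER_FEATURE = "hklm\\software\\microsoft\\windows defender\\features\\tamperprotection"
# Group Policy processing writes the Policies hive from here; any other writer is suspect.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe"  # PID 3248 in the tree


def rec(image, key, details):
    return {"image": image, "key": key, "details": details}


# Constructed record list: six mirror the signatures above, two are benign controls.
EVENTS = [
    rec(HEALER, RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    rec(HEALER, RTP + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)"),
    rec(HEALER, RTP + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)"),
    rec(HEALER, RTP + r"\DisableIOAVProtection", "DWORD (0x00000001)"),
    rec(HEALER, RTP + r"\DisableOnAccessProtection", "DWORD (0x00000001)"),
    rec(HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
        "DWORD (0x00000000)"),
    # Constructed control: the same policy value set by the policy engine (reported, lower severity).
    rec(r"C:\Windows\System32\svchost.exe",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
        "DWORD (0x00000001)"),
    # Constructed control: a "Disable*" value outside the Defender hive (not reported).
    rec(r"C:\Program Files\App\app.exe", r"HKLM\SOFTWARE\App\DisableTelemetry", "DWORD (0x00000001)"),
]


def canon_key(path):
    # Map the native form used in the report (\REGISTRY\MACHINE\..., \REGISTRY\USER\...)
    # and the Sysmon form (HKLM\..., HKU\...) to one lower-case spelling.
    p = path.lower()
    p = re.sub(r"^\\registry\\machine\\", r"hklm\\", p)
    p = re.sub(r"^\\registry\\user\\", r"hku\\", p)
    return p


def dword(details):
    """Parse Sysmon's 'DWORD (0x00000001)' detail string; None for non-DWORD data."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details.strip())
    return int(m.group(1), 16) if m else None


def classify(ev):
    """Return (rule, severity) for one value-set record, or None if it is not Defender tampering."""
    key = canon_key(ev["key"])
    value = dword(ev["details"])
    if value is None:
        return None
    name = key.rsplit("\\", 1)[-1]
    if key == TAMPER_FEATURE and value == 0:
        return ("tamper_protection_disabled", "high")
    if key.startswith(DEFENDER_POLICY) and name.startswith("disable") and value != 0:
        trusted = ev["image"].lower().startswith(TRUSTED_DIRS)
        return ("defender_policy_disable", "medium" if trusted else "high")
    return None


def scan(events):
    """Run classify over the records and return findings in input order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"image": ev["image"], "key": canon_key(ev["key"]),
                             "rule": hit[0], "severity": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f['severity']:6} {f['rule']:28} {f['image']}  {f['key']}")
```

Running it yields six high-severity findings for az980630.exe (five policy switches plus the TamperProtection flag) and one medium finding for the constructed svchost.exe write; the unrelated DisableTelemetry value is ignored. The severity split is a triage aid only: a high-privilege process writing these values from System32 still deserves a look.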
Adds Run key to start application 2 TTPs 4 IoCs
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (ki147456.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (ki826708.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (ki096675.exe)
Caveat: despite the signature name, these RunOnce values are not the malware's persistence. They are what the Windows IExpress self-extractor (wextract) writes so that advpack.dll deletes its IXP00N.TMP staging directory at the next logon. Their value here is structural: four entries, each written by the executable that the previous layer extracted, show four nested IExpress layers (IXP000 through IXP003) before the payloads appear, and the WOW6432Node path shows the writers are 32-bit processes. The actual persistence is the scheduled task further down.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process (all 15 hits are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"):
- 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe
- ki147456.exe
- ki826708.exe
- ki096675.exe
- bu757899.exe
- oneetx.exe
- dFr68t97.exe
- cacls.exe (4 hits)
- cmd.exe (3 hits)
- schtasks.exe
Caveat: cacls.exe, cmd.exe and schtasks.exe are Windows binaries that the malware launched, and they open this key as part of their normal locale initialisation. Eight of the 15 hits come from those system binaries, so this signature is low-signal on its own; the Geo\Nation query under "Checks computer location settings" is the stronger geofencing indicator.
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 5108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
- 3248 az980630.exe
- 3248 az980630.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description / pid / Process:
- Token: SeDebugPrivilege, 3248 az980630.exe
- Token: SeDebugPrivilege, 3320 dFr68t97.exe
Suspicious use of WriteProcessMemory 44 IoCs
description / pid / Process / procid_target. The sandbox records each parent-to-child write three times (twice for 368 to 3248); the repeats are collapsed here with a count:
- PID 5028 234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe wrote to memory of 3396 (procid_target 84) x3
- PID 3396 ki147456.exe wrote to memory of 4408 (procid_target 86) x3
- PID 4408 ki826708.exe wrote to memory of 368 (procid_target 88) x3
- PID 368 ki096675.exe wrote to memory of 3248 (procid_target 89) x2
- PID 368 ki096675.exe wrote to memory of 520 (procid_target 98) x3
- PID 520 bu757899.exe wrote to memory of 5060 (procid_target 100) x3
- PID 4408 ki826708.exe wrote to memory of 3320 (procid_target 101) x3
- PID 5060 oneetx.exe wrote to memory of 5108 (procid_target 102) x3
- PID 5060 oneetx.exe wrote to memory of 4812 (procid_target 103) x3
- PID 4812 cmd.exe wrote to memory of 3520 (procid_target 106) x3
- PID 4812 cmd.exe wrote to memory of 4660 (procid_target 107) x3
- PID 4812 cmd.exe wrote to memory of 4940 (procid_target 108) x3
- PID 4812 cmd.exe wrote to memory of 2620 (procid_target 109) x3
- PID 4812 cmd.exe wrote to memory of 2552 (procid_target 110) x3
- PID 4812 cmd.exe wrote to memory of 1688 (procid_target 111) x3
Every pair above is a parent writing into its own direct child as shown in the process tree; no write targets a process outside the tree. That pattern is consistent with the writes that accompany process start-up rather than with injection into an existing process.
Processes
Indented by depth. Each entry gives the PID, the image path the sandbox recorded, the command line, and the signatures attached to that process.

PID 5028  C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID 3396  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki147456.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 4408  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki826708.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID 368  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki096675.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID 3248  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az980630.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        PID 520  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu757899.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID 5060  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID 5108  C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
            PID 4812  C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID 3520  C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
              PID 4660  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "oneetx.exe" /P "Admin:N"
                - System Location Discovery: System Language Discovery
              PID 4940  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "oneetx.exe" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
              PID 2620  C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
              PID 2552  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\cb7ae701b3" /P "Admin:N"
                - System Location Discovery: System Language Discovery
              PID 1688  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\cb7ae701b3" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
      PID 3320  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dFr68t97.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

PID 1096  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
PID 5440  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE

Reading the tree: the sample is four nested IExpress self-extractors (sample, then IXP000, IXP001, IXP002), and the innermost layer, ki096675.exe, unpacks into IXP003 and launches two payloads. az980630.exe is the Healer component (the healer yara hit is on PID 3248) that writes the Defender policy values; bu757899.exe is the Amadey loader, which copies itself to the install_dir/install_file from the extracted config (cb7ae701b3\oneetx.exe) and runs that copy. ki826708.exe separately runs dFr68t97.exe from IXP002, which is the RedLine payload (the 35 family_redline yara hits are all on PID 3320).

The persistence is the schtasks line: a task named oneetx.exe that re-launches the installed copy every minute (/SC MINUTE /MO 1), created with /F so an existing task of that name is overwritten. The two root-level oneetx.exe processes (PIDs 1096 and 5440), whose parent is not in the tree, are consistent with that task firing from the Task Scheduler service during the run.

The cmd.exe line is self-protection, not privilege escalation. `echo Y|CACLS "oneetx.exe" /P "Admin:N"` answers cacls's "Are you sure" prompt and replaces the file's ACL with a single entry giving the Admin user no access; `CACLS "oneetx.exe" /P "Admin:R" /E` then edits that ACL to grant read only. The same pair is applied to the cb7ae701b3 directory. The net effect is that the logged-on user can read but not modify or delete the dropped binary or its directory. When cleaning up, reset the ACLs (for example with icacls /reset, or take ownership first) before deleting the directory, and remove the oneetx.exe scheduled task or it will recreate the process every minute.

Note the image path versus command line for schtasks.exe and cmd.exe: the malware asked for C:\Windows\System32\, the sandbox recorded C:\Windows\SysWOW64\. That is the WOW64 file-system redirector at work and confirms the parent processes are 32-bit, matching the WOW6432Node registry paths in the RunOnce entries.
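Detection over the command lines in the tree, added here as an example and not code from the report or from the sandbox vendor: it flags the minute-interval task pointed at a path under %TEMP%, the cacls entries that deny the user access, and reports how many IXP00N.TMP extraction layers sit above each flagged process by walking the parent chain. The records are constructed from the tree above in the style of Sysmon Event ID 1 (pid, ppid, image, command line); the field names, the ppid of 1 for the root processes and the benign hourly-task control are assumptions.

```python
"""Flag Amadey-style task persistence and ACL lockdown from process-creation records.

Example added to this page. Record shape (Sysmon Event ID 1 style), the root
ppid and the benign control are constructed; the command lines come from the
process tree above."""
import re
import shlex

TEMP_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
IXP_DIR = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)
T = r"C:\Users\Admin\AppData\Local\Temp"


def ev(pid, ppid, image, cmd=None):
    # cmd defaults to the quoted image, as the tree shows for the plain launches
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd if cmd is not None else f'"{image}"'}


# Constructed from the tree above; ppid 1 marks a parent the report does not show (assumption).
EVENTS = [
    ev(5028, 1, T + r"\234d1b4d01870354f0a7a173da477d07c9b3eca7dd6c6fcd7a00827f4506c206.exe"),
    ev(3396, 5028, T + r"\IXP000.TMP\ki147456.exe"),
    ev(4408, 3396, T + r"\IXP001.TMP\ki826708.exe"),
    ev(368, 4408, T + r"\IXP002.TMP\ki096675.exe"),
    ev(520, 368, T + r"\IXP003.TMP\bu757899.exe"),
    ev(5060, 520, T + r"\cb7ae701b3\oneetx.exe"),
    ev(5108, 5060, r"C:\Windows\SysWOW64\schtasks.exe",
       r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "'
       + T + r'\cb7ae701b3\oneetx.exe" /F'),
    # The composite cmd.exe line is hard to parse; the per-child cacls records below are what we match.
    ev(4812, 5060, r"C:\Windows\SysWOW64\cmd.exe",
       r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E'
       r'&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'),
    ev(4660, 4812, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    ev(4940, 4812, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:R" /E'),
    ev(2552, 4812, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\cb7ae701b3" /P "Admin:N"'),
    # Constructed benign control: an hourly task whose action lives under Program Files.
    ev(9001, 1, r"C:\Windows\System32\schtasks.exe",
       r'schtasks /Create /SC HOURLY /TN Updater /TR "C:\Program Files\Vendor\upd.exe"'),
]


def tokens(cmd):
    """Split a Windows command line on whitespace, honouring double quotes and keeping backslashes."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def opt(toks, switch):
    """Value following a /switch (case-insensitive), or None."""
    low = [t.lower() for t in toks]
    if switch in low and low.index(switch) + 1 < len(toks):
        return toks[low.index(switch) + 1]
    return None


def is_tool(toks, name):
    """True when the first token is <name> or <name>.exe, with or without a directory."""
    return bool(toks) and re.search(r"(^|\\)" + name + r"(\.exe)?$", toks[0], re.IGNORECASE) is not None


def check_schtasks(e):
    """Minute-granularity task, or any task whose action lives under the user's Temp directory."""
    t = tokens(e["cmd"])
    if not is_tool(t, "schtasks") or "/create" not in [x.lower() for x in t]:
        return None
    sched, every, action = opt(t, "/sc"), opt(t, "/mo"), opt(t, "/tr")
    why = []
    if sched and sched.upper() == "MINUTE" and every and every.isdigit() and int(every) <= 5:
        why.append(f"runs every {every} minute(s)")
    if action and TEMP_DIR.search(action):
        why.append("task action under %TEMP%")
    return {"pid": e["pid"], "rule": "scheduled_task_persistence", "why": "; ".join(why)} if why else None


def check_cacls(e):
    """cacls /P <user>:N replaces the ACL so that user loses all access; Amadey applies it to its own files."""
    t = tokens(e["cmd"])
    if not is_tool(t, "cacls"):
        return None
    for i, x in enumerate(t[:-1]):
        if x.lower() == "/p" and t[i + 1].lower().endswith(":n"):
            return {"pid": e["pid"], "rule": "acl_lockdown", "why": f"{t[i + 1]} on {t[1]}"}
    return None


def lineage(events, pid):
    """Image paths from the oldest known ancestor down to pid, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def sfx_depth(images):
    """Distinct IXP00N.TMP directories in a lineage: each is one IExpress (wextract) layer."""
    return len({m.group(1).upper() for m in map(IXP_DIR.search, images) if m})


def analyze(events):
    out = []
    for e in events:
        for check in (check_schtasks, check_cacls):
            hit = check(e)
            if hit:
                hit["sfx_depth"] = sfx_depth(lineage(events, e["pid"]))
                out.append(hit)
    return out


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

On the constructed records this reports three findings: the schtasks call (every 1 minute, action under %TEMP%) and the two cacls deny entries, each four IExpress layers below the original sample; the hourly control task and the `/P "Admin:R" /E` edits are not flagged. Matching the child cacls records rather than the parent cmd.exe line is deliberate: the composite `/k a&&b|c` string is awkward to tokenise, while each child process carries exactly one clean command.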
Network
MITRE ATT&CK Enterprise v15
Tactic / Technique / Sub-technique (count of matching signatures):
- Persistence / Boot or Logon Autostart Execution / Registry Run Keys / Startup Folder (1)
- Persistence / Create or Modify System Process / Windows Service (1)
- Persistence / Scheduled Task/Job / Scheduled Task (1)
- Privilege Escalation / Boot or Logon Autostart Execution / Registry Run Keys / Startup Folder (1)
- Privilege Escalation / Create or Modify System Process / Windows Service (1)
- Privilege Escalation / Scheduled Task/Job / Scheduled Task (1)
The matrix as extracted lists only Persistence and Privilege Escalation. The System Language Discovery and Defender-tampering behaviours recorded in the signatures above are not represented in it, and the Run-key entry corresponds to the wextract cleanup RunOnce values, not to a persistence mechanism of the payload.
Downloads
File names are not given for these six artifacts; to tie them to the dropped executables, hash the files recovered from the IXP00N.TMP directories and from cb7ae701b3 and compare.

1. Filesize: 958KB
   MD5: 92ba6b1ba4db9332f38a46e7beda41d1
   SHA1: 0483aed0fac26bdc9509b81188a447fde3946d40
   SHA256: 2eec4a855b269e916dd8b2f2466449951dc82d19a6c7b48e8c97ac98f3cb7be7
   SHA512: 695119d0d0d1fc86caa9beb3dd45b0b587a6ba3d3e7de1af0945d03f76a45aca101a5d8dbd5dfa8bb72891c18e96248fc01c3f65b0fcda3431b8f47171bb191e

2. Filesize: 632KB
   MD5: d1392db14b923002fd1bc30c316433df
   SHA1: 37057a65853e6020df7cf2e533c014c08cb36224
   SHA256: 9d90a6954f2352bf655907802c0e9d9c29ec0dcb6a815ed7bfdde471c1cec5f5
   SHA512: 223835090c2d9d5b0d2ce17262fbf43a33ee17d4467c71df956e41f8f2e735543ec7ff1470c21e2de55be059de3e5d4c70c90b6ba0d57825a4fec81c3603e7fa

3. Filesize: 472KB
   MD5: 4abd086fdc3e51d9b6adeee3dbe2622f
   SHA1: a11efbfe0ef8c3b7099a48b593bacc53d3102e8c
   SHA256: d91c783916f5b5f59a5576fc4f9fc8de1485a8a17b048b96cfe2c7f0e10377b6
   SHA512: 22eaa9be540f5a22f807bc91fa6d8e54634314188e41bacb7a6f222fecf94a64ac376519299b945c62ba40beffd256ed2b326ed541d33b3a853113f28739a1c8

4. Filesize: 223KB
   MD5: 42a90a457c9a8625307705c3cd310b74
   SHA1: fba7936092a9e9696d0248114e1e0ee9c588e4dd
   SHA256: 1c6883045456c8ee39a7d8367aeecbb59e9d5f097bcfc6d775096c84cf151a08
   SHA512: 05f55030fbe20b3269b56713d3b4c05de23eac063439fa7b8c30d6fc0c0ae96710a5640113211dcff8a3121a0efc3e8652dedfe65e0c9b683d947bc3ea39a0e3

5. Filesize: 11KB
   MD5: 7e93bacbbc33e6652e147e7fe07572a0
   SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
   SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
   SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

6. Filesize: 204KB
   MD5: d2622752e39ebe03e48351887e7ba2c7
   SHA1: 8377db1a7994b5101d4285126cbb2e8e7e4e82e3
   SHA256: c74dad9fa19bf79777746674fef33c0ad16d55c0e2ecf1991ceff3d8d7fa27c0
   SHA512: f8b3a3b666e27b5f945b4ad9e44c4eeb3e0a62ba171dcc4729480c85aa6fbcf784f8990dee1fd5020a86a3a802e204e2b1b77a622125bb78c70e551e0df4742c