Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-11-2024 07:20
Static task: static1
Behavioral task: behavioral1
Sample: 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe
Resource: win10v2004-20241007-en
General
Target: 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe
Size: 636KB
MD5: 49e178a4e58eb5a35ef6cb6e916ac242
SHA1: b09941c3e03b3077641bf42fccb21f746a2b9f82
SHA256: 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a
SHA512: 1e0ef63db7d748e1fc2a9d918ea488ade0b526b6803db4c9c52488899f8c1b457e8c04cc6a21a4350b68e607c47c36adbada64d029b155f642dcfbabc71b4e87
SSDEEP: 12288:TMrvy90QJktJ732M46pHXju7vbK43zUjE/mHaPW9AZS1KveoHdWvBYMX8qET:gyfJ2oeCzbj3gjAmHaO9A6VJYMX8j
Malware Config
Extracted
Family: amadey
Version: 3.86
Botnet: 88c8bb
C2: http://77.91.68.61
Attributes:
  install_dir: 925e7e99c5
  install_file: pdates.exe
  strings_key: ada76b8b0e1f6892ee93c20ab8946117
  url_paths: /rock/index.php
Extracted
Family: redline
Botnet: lodka
C2: 77.91.124.156:19071
Attributes:
  auth_value: 76f99d6cc9332c02bb9728c3ba80d3a9
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000023cb8-26.dat | healer
behavioral1/memory/868-28-0x0000000000570000-0x000000000057A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a7543469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a7543469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a7543469.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a7543469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a7543469.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a7543469.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000023cb3-48.dat | family_redline
behavioral1/memory/440-50-0x00000000004F0000-0x0000000000520000-memory.dmp | family_redline
Redline family
SmokeLoader
Modular backdoor trojan in use since 2014.
Smokeloader family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | b8780675.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | pdates.exe
Executes dropped EXE (10 IoCs)
pid | Process
2532 | v3317787.exe
212 | v0467120.exe
2108 | v4048091.exe
868 | a7543469.exe
4420 | b8780675.exe
2100 | pdates.exe
1692 | c2184120.exe
440 | d0337151.exe
3436 | pdates.exe
2820 | pdates.exe
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a7543469.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v3317787.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v0467120.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v4048091.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pdates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4048091.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0337151.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v3317787.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v0467120.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c2184120.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b8780675.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c2184120.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c2184120.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c2184120.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2312 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
868 | a7543469.exe
868 | a7543469.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 868 | a7543469.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
4420 | b8780675.exe
Suspicious use of WriteProcessMemory (47 IoCs)
description | pid | Process | procid_target
PID 4992 wrote to memory of 2532 | 4992 | 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe | 83
PID 4992 wrote to memory of 2532 | 4992 | 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe | 83
PID 4992 wrote to memory of 2532 | 4992 | 04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe | 83
PID 2532 wrote to memory of 212 | 2532 | v3317787.exe | 84
PID 2532 wrote to memory of 212 | 2532 | v3317787.exe | 84
PID 2532 wrote to memory of 212 | 2532 | v3317787.exe | 84
PID 212 wrote to memory of 2108 | 212 | v0467120.exe | 85
PID 212 wrote to memory of 2108 | 212 | v0467120.exe | 85
PID 212 wrote to memory of 2108 | 212 | v0467120.exe | 85
PID 2108 wrote to memory of 868 | 2108 | v4048091.exe | 86
PID 2108 wrote to memory of 868 | 2108 | v4048091.exe | 86
PID 2108 wrote to memory of 4420 | 2108 | v4048091.exe | 98
PID 2108 wrote to memory of 4420 | 2108 | v4048091.exe | 98
PID 2108 wrote to memory of 4420 | 2108 | v4048091.exe | 98
PID 4420 wrote to memory of 2100 | 4420 | b8780675.exe | 99
PID 4420 wrote to memory of 2100 | 4420 | b8780675.exe | 99
PID 4420 wrote to memory of 2100 | 4420 | b8780675.exe | 99
PID 212 wrote to memory of 1692 | 212 | v0467120.exe | 100
PID 212 wrote to memory of 1692 | 212 | v0467120.exe | 100
PID 212 wrote to memory of 1692 | 212 | v0467120.exe | 100
PID 2100 wrote to memory of 2312 | 2100 | pdates.exe | 101
PID 2100 wrote to memory of 2312 | 2100 | pdates.exe | 101
PID 2100 wrote to memory of 2312 | 2100 | pdates.exe | 101
PID 2100 wrote to memory of 4300 | 2100 | pdates.exe | 103
PID 2100 wrote to memory of 4300 | 2100 | pdates.exe | 103
PID 2100 wrote to memory of 4300 | 2100 | pdates.exe | 103
PID 4300 wrote to memory of 1476 | 4300 | cmd.exe | 105
PID 4300 wrote to memory of 1476 | 4300 | cmd.exe | 105
PID 4300 wrote to memory of 1476 | 4300 | cmd.exe | 105
PID 4300 wrote to memory of 3868 | 4300 | cmd.exe | 106
PID 4300 wrote to memory of 3868 | 4300 | cmd.exe | 106
PID 4300 wrote to memory of 3868 | 4300 | cmd.exe | 106
PID 4300 wrote to memory of 4216 | 4300 | cmd.exe | 107
PID 4300 wrote to memory of 4216 | 4300 | cmd.exe | 107
PID 4300 wrote to memory of 4216 | 4300 | cmd.exe | 107
PID 4300 wrote to memory of 3332 | 4300 | cmd.exe | 108
PID 4300 wrote to memory of 3332 | 4300 | cmd.exe | 108
PID 4300 wrote to memory of 3332 | 4300 | cmd.exe | 108
PID 4300 wrote to memory of 1896 | 4300 | cmd.exe | 109
PID 4300 wrote to memory of 1896 | 4300 | cmd.exe | 109
PID 4300 wrote to memory of 1896 | 4300 | cmd.exe | 109
PID 4300 wrote to memory of 1560 | 4300 | cmd.exe | 110
PID 4300 wrote to memory of 1560 | 4300 | cmd.exe | 110
PID 4300 wrote to memory of 1560 | 4300 | cmd.exe | 110
PID 2532 wrote to memory of 440 | 2532 | v3317787.exe | 120
PID 2532 wrote to memory of 440 | 2532 | v3317787.exe | 120
PID 2532 wrote to memory of 440 | 2532 | v3317787.exe | 120
Processes
C:\Users\Admin\AppData\Local\Temp\04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe (depth 1, PID 4992)
  command line: "C:\Users\Admin\AppData\Local\Temp\04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3317787.exe (depth 2, PID 2532)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3317787.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0467120.exe (depth 3, PID 212)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0467120.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4048091.exe (depth 4, PID 2108)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4048091.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7543469.exe (depth 5, PID 868)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7543469.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8780675.exe (depth 5, PID 4420)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8780675.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe (depth 6, PID 2100)
            command line: "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\schtasks.exe (depth 7, PID 2312)
              command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
            C:\Windows\SysWOW64\cmd.exe (depth 7, PID 4300)
              command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 1476)
                command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 3868)
                command line: CACLS "pdates.exe" /P "Admin:N"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 4216)
                command line: CACLS "pdates.exe" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cmd.exe (depth 8, PID 3332)
                command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 1896)
                command line: CACLS "..\925e7e99c5" /P "Admin:N"
                - System Location Discovery: System Language Discovery
              C:\Windows\SysWOW64\cacls.exe (depth 8, PID 1560)
                command line: CACLS "..\925e7e99c5" /P "Admin:R" /E
                - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2184120.exe (depth 4, PID 1692)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2184120.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks SCSI registry key(s)
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0337151.exe (depth 3, PID 440)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0337151.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe (depth 1, PID 3436)
  command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe (depth 1, PID 2820)
  command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads