Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 05:22
Static task: static1
Behavioral task: behavioral1
Sample: 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe
Resource: win10v2004-20241007-en
General
Target: 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe
Size: 641KB
MD5: 8143a32705c3780f5d09c0ba2f0b9320
SHA1: b9976ef81dde152225887eb92bfc784896d669a7
SHA256: 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55
SHA512: 0cf36172060dc94dfecd8f11e0e83b5d28796e836a4b480c22ea22750d4e91819025286ab8ac13f3d503e8b0c4533d1ff62475fa0f736d8ed182869ad5db4a6d
SSDEEP: 12288:zMriy90kLMhjzJkBAaO6lE1SYai6DM7MqlXAE52NwR:NyV03e5FRjimuEE5cwR
Malware Config
Extracted
Family: amadey
Version: 3.86
Botnet: 88c8bb
C2: http://77.91.68.61
install_dir: 925e7e99c5
install_file: pdates.exe
strings_key: ada76b8b0e1f6892ee93c20ab8946117
url_paths: /rock/index.php
Extracted
Family: redline
Botnet: gotad
C2: 77.91.124.84:19071
auth_value: 3fb7c1f3fcf68bc377eae3f6f493a684
Signatures
Amadey family
Detects Healer, an antivirus disabler dropper (2 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023bc8-26.dat | healer
behavioral1/memory/880-28-0x0000000000370000-0x000000000037A000-memory.dmp | healer
Healer family
Modifies Windows Defender Real-time Protection settings (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | a4945066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | a4945066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | a4945066.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | a4945066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | a4945066.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | a4945066.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000023bbd-50.dat | family_redline
behavioral1/memory/4616-52-0x0000000000610000-0x0000000000640000-memory.dmp | family_redline
Redline family
SmokeLoader
Modular backdoor trojan in use since 2014.
Smokeloader family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | b7944221.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | pdates.exe
Executes dropped EXE (11 IoCs)
pid | Process
4808 | v4168104.exe
4304 | v4309123.exe
4844 | v9566648.exe
880 | a4945066.exe
1140 | b7944221.exe
2828 | pdates.exe
4748 | c2223483.exe
3732 | pdates.exe
4616 | d0573053.exe
3420 | pdates.exe
4724 | pdates.exe
Windows security modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | a4945066.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | v4168104.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | v4309123.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | v9566648.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c2223483.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d0573053.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4168104.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v4309123.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | v9566648.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b7944221.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pdates.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c2223483.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c2223483.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c2223483.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5076 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
880 | a4945066.exe
880 | a4945066.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 880 | a4945066.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
1140 | b7944221.exe
Suspicious use of WriteProcessMemory (47 IoCs)
description | pid | Process | procid_target
PID 5084 wrote to memory of 4808 | 5084 | 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe | 83
PID 5084 wrote to memory of 4808 | 5084 | 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe | 83
PID 5084 wrote to memory of 4808 | 5084 | 2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe | 83
PID 4808 wrote to memory of 4304 | 4808 | v4168104.exe | 84
PID 4808 wrote to memory of 4304 | 4808 | v4168104.exe | 84
PID 4808 wrote to memory of 4304 | 4808 | v4168104.exe | 84
PID 4304 wrote to memory of 4844 | 4304 | v4309123.exe | 86
PID 4304 wrote to memory of 4844 | 4304 | v4309123.exe | 86
PID 4304 wrote to memory of 4844 | 4304 | v4309123.exe | 86
PID 4844 wrote to memory of 880 | 4844 | v9566648.exe | 87
PID 4844 wrote to memory of 880 | 4844 | v9566648.exe | 87
PID 4844 wrote to memory of 1140 | 4844 | v9566648.exe | 95
PID 4844 wrote to memory of 1140 | 4844 | v9566648.exe | 95
PID 4844 wrote to memory of 1140 | 4844 | v9566648.exe | 95
PID 1140 wrote to memory of 2828 | 1140 | b7944221.exe | 96
PID 1140 wrote to memory of 2828 | 1140 | b7944221.exe | 96
PID 1140 wrote to memory of 2828 | 1140 | b7944221.exe | 96
PID 4304 wrote to memory of 4748 | 4304 | v4309123.exe | 97
PID 4304 wrote to memory of 4748 | 4304 | v4309123.exe | 97
PID 4304 wrote to memory of 4748 | 4304 | v4309123.exe | 97
PID 2828 wrote to memory of 5076 | 2828 | pdates.exe | 98
PID 2828 wrote to memory of 5076 | 2828 | pdates.exe | 98
PID 2828 wrote to memory of 5076 | 2828 | pdates.exe | 98
PID 2828 wrote to memory of 4300 | 2828 | pdates.exe | 100
PID 2828 wrote to memory of 4300 | 2828 | pdates.exe | 100
PID 2828 wrote to memory of 4300 | 2828 | pdates.exe | 100
PID 4300 wrote to memory of 3620 | 4300 | cmd.exe | 102
PID 4300 wrote to memory of 3620 | 4300 | cmd.exe | 102
PID 4300 wrote to memory of 3620 | 4300 | cmd.exe | 102
PID 4300 wrote to memory of 3756 | 4300 | cmd.exe | 103
PID 4300 wrote to memory of 3756 | 4300 | cmd.exe | 103
PID 4300 wrote to memory of 3756 | 4300 | cmd.exe | 103
PID 4300 wrote to memory of 2844 | 4300 | cmd.exe | 104
PID 4300 wrote to memory of 2844 | 4300 | cmd.exe | 104
PID 4300 wrote to memory of 2844 | 4300 | cmd.exe | 104
PID 4300 wrote to memory of 2792 | 4300 | cmd.exe | 105
PID 4300 wrote to memory of 2792 | 4300 | cmd.exe | 105
PID 4300 wrote to memory of 2792 | 4300 | cmd.exe | 105
PID 4300 wrote to memory of 3560 | 4300 | cmd.exe | 106
PID 4300 wrote to memory of 3560 | 4300 | cmd.exe | 106
PID 4300 wrote to memory of 3560 | 4300 | cmd.exe | 106
PID 4300 wrote to memory of 2968 | 4300 | cmd.exe | 107
PID 4300 wrote to memory of 2968 | 4300 | cmd.exe | 107
PID 4300 wrote to memory of 2968 | 4300 | cmd.exe | 107
PID 4808 wrote to memory of 4616 | 4808 | v4168104.exe | 114
PID 4808 wrote to memory of 4616 | 4808 | v4168104.exe | 114
PID 4808 wrote to memory of 4616 | 4808 | v4168104.exe | 114
Processes
(Tree depth is given in brackets; each entry lists the image path, the command line as recorded, the signatures triggered by that process, and its PID.)
[1] C:\Users\Admin\AppData\Local\Temp\2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2df510689e9be7c04c3f95e1230974be4509ceaff885d4c65b1ae087518d9a55.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5084
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4168104.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4168104.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4808
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4309123.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4309123.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4304
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9566648.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9566648.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4844
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4945066.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4945066.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 880
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7944221.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7944221.exe
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
            PID: 1140
          [6] C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory
              PID: 2828
            [7] C:\Windows\SysWOW64\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                - System Location Discovery: System Language Discovery
                - Scheduled Task/Job: Scheduled Task
                PID: 5076
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 4300
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  - System Location Discovery: System Language Discovery
                  PID: 3620
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "pdates.exe" /P "Admin:N"
                  - System Location Discovery: System Language Discovery
                  PID: 3756
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "pdates.exe" /P "Admin:R" /E
                  - System Location Discovery: System Language Discovery
                  PID: 2844
              [8] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  - System Location Discovery: System Language Discovery
                  PID: 2792
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\925e7e99c5" /P "Admin:N"
                  - System Location Discovery: System Language Discovery
                  PID: 3560
              [8] C:\Windows\SysWOW64\cacls.exe
                  Command line: CACLS "..\925e7e99c5" /P "Admin:R" /E
                  - System Location Discovery: System Language Discovery
                  PID: 2968
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2223483.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2223483.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks SCSI registry key(s)
          PID: 4748
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0573053.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0573053.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 4616
[1] C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    - Executes dropped EXE
    PID: 3732
[1] C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    - Executes dropped EXE
    PID: 3420
[1] C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    - Executes dropped EXE
    PID: 4724
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
Filesize: 514KB
MD5: ca15e30f8de943f5d69ed6d111da0216
SHA1: f25db5b99c099d94122506dc81a21e39fb2f9c00
SHA256: d5db1ec53441432988a30d3624fb34b9d8621bd23c6cbc4e79c114295840a6a3
SHA512: 123a11b39f18edbf682b0bcc9923fc142bf27b9e347761c1dc0a980c2d69feaec8378966edc5804c07cc10c762eb87b42ab5fbf37affd36fa695f9104d2cdc25

Filesize: 172KB
MD5: 6c2b9e01db204c01fe03a95729bef5bf
SHA1: 1bd1de54b53c56c3122755b8b41b5bc56121ede6
SHA256: f1b521f252eed6b5ae6b96e80f3864821149d941b9ef717d86e7eafcc9fbb1fe
SHA512: 6e064cd8062cb9edc40fd31f8ec18d4ac8763a02908b0fd0d660bc0f029ea2f9014dcf647ed306d4036dae711bd0f48b7def407dcc16492b144f18792a30dc73

Filesize: 359KB
MD5: 61afc9978cc4bd517e969025cb78772b
SHA1: f404d238495a948b60429fc41656254ea6eb3b45
SHA256: cf12db760116f56ade7c36d0ab7df790b7f9f3918121ee302a03ac5a1a5bfc19
SHA512: 1e81492d1a712b42459cfba5d2363b34ff085be00ef495716bf3cb68e713508fed127db23cee4f860ab3f216f8c5a02f4c4dc22df9bda4ac079c864d82fb039b

Filesize: 36KB
MD5: b69693e1dee5bfab82e9dd2587edf751
SHA1: 045f63edb5f0a490070dc6145048bbbec314aa09
SHA256: de145f74980e02864e353a4267611e4372d8119c9841ca944b94e0e011f9c88a
SHA512: a7e26a674d5708e380340746f9b5b493e2387fdf0f87c1ce6009dc27a417702d6e06d5882026db1e77d67f84995c3c0ab2449277c81e03e807f433d2ed494a0e

Filesize: 234KB
MD5: d08fa3740f6875f6b500c56ab4a9dfce
SHA1: 179f3d2d60e76bcfad9c64fcb0323d2ad99130a9
SHA256: e766d2fbf44f9287b33ab07c0b172dff73021d8e15bcf3a41f37a2b6dd509b7f
SHA512: 0c46f9f64265745e204b50fad1723c83699f8c0e27843c0797183154cf6e34ef6b1e07d10a49f4d8a4e1e8caac106b36bcfbd18ab0f7f22531cd7ef6b60ba4cf

Filesize: 11KB
MD5: 9b9318fccd42cafa15d80e4fac688772
SHA1: 266f07f2be81fb2b07ab82a4cffe39e9b314edcd
SHA256: 4f76b3061c523edc7df92d77b803a6621697885a794e46c97a3a170098d90379
SHA512: 9a7980d1b7d4b327c660055f8cd1611b33f875c64e3fb59afd4ccab431ba45da5006d276d40efdbec9a0331bdef6d5161798933abd8745d5e963c81f1515d971

Filesize: 226KB
MD5: 87fdde95ac6dad46b699015bad22f827
SHA1: 61b354defa6b486ddd74a23f0cf5c1e85f57ab13
SHA256: 1e9fabf8c9171aa91e9f10006a4749759860a44141684adc39d0df8140ed7002
SHA512: b06c53a8088065f6ef0d7d3825dee5172d95f22f4671b5f3059eb28128e658ef0532674c5dea628f2a7891ebccd2e1b7d5abaab7c36fd39c4ac0eb2a24036dc7