Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 16:32
Static task
static1
Behavioral task
behavioral1
Sample
e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe
Resource
win10v2004-20241007-en
General
-
Target
e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe
-
Size
642KB
-
MD5
34074d5c5cd00ca3134915c79df914f7
-
SHA1
ad0d8874a03e73af5f7cc10828d505157538cb22
-
SHA256
e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff
-
SHA512
de6950fbd3719e73a18899fdce771a6ee18852d8e310faf8e0031b7c1faec91f8b3c91c300419d94998a87862b44b89e7340cbc60ff276b8c5bd1ea24e871807
-
SSDEEP
12288:5MrXy90nB4XJmWHWYcND6xMHZWoQ5xTj:iyHXJFHWYC0AIoCxTj
Malware Config
Extracted
amadey
3.86
88c8bb
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lodka
77.91.124.156:19071
-
auth_value
76f99d6cc9332c02bb9728c3ba80d3a9
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral1/files/0x000b000000023b7e-26.dat healer behavioral1/memory/4740-28-0x0000000000400000-0x000000000040A000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a4538749.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4538749.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4538749.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4538749.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4538749.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4538749.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource yara_rule behavioral1/files/0x000a000000023b79-48.dat family_redline behavioral1/memory/3312-50-0x0000000000460000-0x0000000000490000-memory.dmp family_redline -
Redline family
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation b6891470.exe Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation pdates.exe -
Executes dropped EXE 10 IoCs
pid Process 3728 v5327032.exe 4004 v6247435.exe 4532 v3103241.exe 4740 a4538749.exe 4424 b6891470.exe 1864 pdates.exe 4240 c4022260.exe 3312 d1720967.exe 1428 pdates.exe 2140 pdates.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4538749.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v5327032.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" v6247435.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" v3103241.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v5327032.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1720967.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v6247435.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b6891470.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language v3103241.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pdates.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c4022260.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c4022260.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c4022260.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c4022260.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3352 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4740 a4538749.exe 4740 a4538749.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4740 a4538749.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4424 b6891470.exe -
Suspicious use of WriteProcessMemory 47 IoCs
description pid Process procid_target PID 552 wrote to memory of 3728 552 e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe 83 PID 552 wrote to memory of 3728 552 e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe 83 PID 552 wrote to memory of 3728 552 e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe 83 PID 3728 wrote to memory of 4004 3728 v5327032.exe 84 PID 3728 wrote to memory of 4004 3728 v5327032.exe 84 PID 3728 wrote to memory of 4004 3728 v5327032.exe 84 PID 4004 wrote to memory of 4532 4004 v6247435.exe 85 PID 4004 wrote to memory of 4532 4004 v6247435.exe 85 PID 4004 wrote to memory of 4532 4004 v6247435.exe 85 PID 4532 wrote to memory of 4740 4532 v3103241.exe 87 PID 4532 wrote to memory of 4740 4532 v3103241.exe 87 PID 4532 wrote to memory of 4424 4532 v3103241.exe 97 PID 4532 wrote to memory of 4424 4532 v3103241.exe 97 PID 4532 wrote to memory of 4424 4532 v3103241.exe 97 PID 4424 wrote to memory of 1864 4424 b6891470.exe 98 PID 4424 wrote to memory of 1864 4424 b6891470.exe 98 PID 4424 wrote to memory of 1864 4424 b6891470.exe 98 PID 4004 wrote to memory of 4240 4004 v6247435.exe 99 PID 4004 wrote to memory of 4240 4004 v6247435.exe 99 PID 4004 wrote to memory of 4240 4004 v6247435.exe 99 PID 1864 wrote to memory of 3352 1864 pdates.exe 100 PID 1864 wrote to memory of 3352 1864 pdates.exe 100 PID 1864 wrote to memory of 3352 1864 pdates.exe 100 PID 1864 wrote to memory of 736 1864 pdates.exe 102 PID 1864 wrote to memory of 736 1864 pdates.exe 102 PID 1864 wrote to memory of 736 1864 pdates.exe 102 PID 736 wrote to memory of 2216 736 cmd.exe 104 PID 736 wrote to memory of 2216 736 cmd.exe 104 PID 736 wrote to memory of 2216 736 cmd.exe 104 PID 736 wrote to memory of 1332 736 cmd.exe 105 PID 736 wrote to memory of 1332 736 cmd.exe 105 PID 736 wrote to memory of 1332 736 cmd.exe 105 PID 736 wrote to memory of 2088 736 cmd.exe 106 PID 736 wrote to memory of 2088 736 cmd.exe 106 PID 736 wrote to memory of 2088 736 cmd.exe 106 PID 736 wrote to memory of 1716 736 cmd.exe 107 PID 736 wrote to memory of 1716 736 cmd.exe 107 PID 736 wrote to memory of 1716 736 cmd.exe 107 PID 736 wrote to memory of 3004 736 cmd.exe 108 PID 736 wrote to memory of 3004 736 cmd.exe 108 PID 736 wrote to memory of 3004 736 cmd.exe 108 PID 736 wrote to memory of 3336 736 cmd.exe 109 PID 736 wrote to memory of 3336 736 cmd.exe 109 PID 736 wrote to memory of 3336 736 cmd.exe 109 PID 3728 wrote to memory of 3312 3728 v5327032.exe 119 PID 3728 wrote to memory of 3312 3728 v5327032.exe 119 PID 3728 wrote to memory of 3312 3728 v5327032.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe"C:\Users\Admin\AppData\Local\Temp\e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5327032.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5327032.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6247435.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6247435.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3103241.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3103241.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4538749.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4538749.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6891470.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6891470.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3352
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit7⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
- System Location Discovery: System Language Discovery
PID:2216
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"8⤵
- System Location Discovery: System Language Discovery
PID:1332
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E8⤵
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
- System Location Discovery: System Language Discovery
PID:1716
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"8⤵
- System Location Discovery: System Language Discovery
PID:3004
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E8⤵
- System Location Discovery: System Language Discovery
PID:3336
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4022260.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4022260.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
PID:4240
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1720967.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1720967.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3312
-
-
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:1428
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
PID:2140
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
515KB
MD5231df38636fb4ddc33b1b9d8bcb72d42
SHA1ed4cacaa212e712ec44d68f0dc1c5d68f8e79ebf
SHA256fe938fc800d31995001d7fe9fa41beee4b9a0464ab8b7e1f5871b665b8f31f2d
SHA5125dec40510c180f09ce7b2b1b9ea9225c53889695861df6c62a4c5331a574aae51c104e68018493781bd6b2b88d0b168bacf3758db5d0f64f06052d5f0f604656
-
Filesize
173KB
MD5a5191c43ccae6e8cfe9f533ad8f7ce42
SHA1b632e78833effa836af15a1dc45912936fa31151
SHA256992a2145accb7ad49ac130d78ce8c23b60266b55b08d05e6620782be41329814
SHA512304d77e2702e77a6f72bf444c5c6a318c17d600e21003ba358d46a82003612ff968dd165d626bf14c8773624a45a42e95530bc1c0d46f9a09b80f0eb20485eec
-
Filesize
359KB
MD5faee10de9f3bacf52e9002e4089e6043
SHA1c382fcccda46a162700ceba9362ae4bcee205701
SHA2568f1777fb850c600a3f599a34647b6b4b9c7ff04f195f4596e763ec669d23ae2f
SHA512d2e80bcda958763a2568fd9a5e636829e5bc8408b550642456ad39f1bd15549fcb1b21b3c93d26522710a26ec5f8ee07e365786e4702b1d2d9d389cab1483851
-
Filesize
38KB
MD5b937898cfb9877bf2169044fd115d2fc
SHA1e520d0f8d5f19e4f762b31aa553ad3b6786d1f6f
SHA256a39c60fcf5263ad90eff1f2808e79d650e786d006b1d6c5f061a1870b9a13533
SHA51272365d13f79f93808247c24c2cf0bc33fbde74f1c5c7f2b1b675f555eeb2d139ff689289a12035a2180b8b1cb2472b9ae215e3ab714d0e8093693c3796a9703d
-
Filesize
234KB
MD56cdee1ab93cf033e99f91966ca74baee
SHA118968d9f904a1ea43671f54bdbb93d369abe6ebd
SHA2561382ea724d392de396a147de055f68da2f088e2f3de6f9010ffafac20060233d
SHA512f87dadf2cc48432bb2c4361d2d0b66099268aa071a4a0150048ad3ae2ee393eab19bc19ad031b837e069f15d862db10a2f458326ede567ab891c15c7aaba8ccd
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
229KB
MD52fd0a8cd3ac2549ad54614373e534ce2
SHA1f7f1c9928e85f740d855a533375c5d1e5ffea0a0
SHA256eb4d6321c7b83200cfb2dce848cc957d5570540a0ac7316a80651191d29eee4f
SHA5129d7903f6695aa902558251d4f1d221691208c889c9972d68ef3f4cf66c1fe74ed971090bbf6814f9cb6ce161af47de108cdcbd19a8864d051b210deebbaed70d