Analysis
- max time kernel: 111s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 05:55

Static task: static1
Behavioral task: behavioral1
- Sample: 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe
- Resource: win10v2004-20241007-en
General
- Target: 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe
- Size: 1.3MB
- MD5: 2867e824bea79d05a860d52aac69b2ef
- SHA1: 6d2bbe99c0ea801bcd85794bfa461a6a474fa05c
- SHA256: e23ed4794ead3f85c8b72475a27e5962b603225e3d64d0d11cb2852c25617dde
- SHA512: 0466b37a93ad3b417bd03be6dff224651576a5ec818dac079547fd6b16f2043d1c605f0947911737517e3afd23d6eaf330989d1d6cd05615e3548aa040de4c89
- SSDEEP: 24576:8yHgBb1qoty2PhRk86qpbNfNZhfEtoJlc10l8QfCzJ:rAd1BtHZRk8Pb9TVEtKc19T

Note that the hash-like stem of the submitted filename (06dc9deb...345a) does not match the file's actual SHA256 (e23ed479...17dde). Pivot on the hash fields above, not on the filename.
Malware Config
Extracted
- Family: amadey
- Version: 3.80
- Botnet: 9c0adb
- C2: http://193.3.19.154
- install_dir: cb7ae701b3
- install_file: oneetx.exe
- strings_key: 23b27c80db2465a8e1dc15491b69b82f
- url_paths: /store/games/index.php
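The extracted config is enough to predict what the installer leaves on disk and where it calls home. The following is an added example written for this report (it is not sandbox output or the malware's own code): it turns the config fields above into host and network indicators and checks them against two command lines copied from the process tree further down. The layout rules it applies (drop under the user's %LOCALAPPDATA%\Temp\<install_dir>, a scheduled task named after install_file, check-in URL = C2 + url_path) are what this run shows; treat them as assumptions for other samples.

```python
"""Derive hunting indicators from the Amadey config shown above and verify
them against the observed command lines. Added example, not sandbox output."""
from urllib.parse import urlsplit

# Values copied from the "Malware Config" section of this report.
AMADEY_CONFIG = {
    "version": "3.80",
    "botnet": "9c0adb",
    "c2": "http://193.3.19.154",
    "install_dir": "cb7ae701b3",
    "install_file": "oneetx.exe",
    "url_paths": ["/store/games/index.php"],
}

# Two command lines copied from the "Processes" section (oneetx.exe and the
# schtasks call it spawns).
OBSERVED_CMDLINES = [
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\cb7ae701b3\\oneetx.exe"',
    '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
    '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\cb7ae701b3\\oneetx.exe" /F',
]


def derive_iocs(cfg, user="Admin"):
    """Artifacts an Amadey install with this config is expected to produce.
    The user name is an assumption (the sandbox user here is 'Admin')."""
    local_temp = f"C:\\Users\\{user}\\AppData\\Local\\Temp"
    install_path = f"{local_temp}\\{cfg['install_dir']}\\{cfg['install_file']}"
    base = cfg["c2"].rstrip("/")
    return {
        "install_path": install_path,
        "task_name": cfg["install_file"],          # task is named after the file in this run
        "c2_host": urlsplit(cfg["c2"]).netloc,     # for egress / DNS / proxy log searches
        "c2_urls": [base + p for p in cfg["url_paths"]],
    }


def match_observed(iocs, cmdlines):
    """Which of the derived host indicators actually appear in the sandbox tree?"""
    hits = {"install_path": False, "task_name": False}
    for line in cmdlines:
        low = line.lower()
        if iocs["install_path"].lower() in low:
            hits["install_path"] = True
        if "schtasks" in low and f"/tn {iocs['task_name'].lower()}" in low:
            hits["task_name"] = True
    return hits


if __name__ == "__main__":
    iocs = derive_iocs(AMADEY_CONFIG)
    for k, v in iocs.items():
        print(f"{k}: {v}")
    print("observed:", match_observed(iocs, OBSERVED_CMDLINES))
```

The install path and task name both match the tree below, which confirms the config was extracted from the component that actually ran (361103506.exe writing oneetx.exe), not from a stale embedded blob. The C2 host and full check-in URL are the values to search for in proxy and DNS logs.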
Signatures
- Amadey family
- Detects Healer, an antivirus disabler dropper (3 IoCs)
  resource | yara_rule
  behavioral1/memory/3616-2152-0x0000000002430000-0x000000000243A000-memory.dmp | healer
  behavioral1/files/0x0002000000022dc9-2157.dat | healer
  behavioral1/memory/1152-2167-0x00000000008E0000-0x00000000008EA000-memory.dmp | healer
  The three hits tie the chain together: Healer is present in the memory of 170382928.exe (PID 3616), in the file it writes, and in the resulting process 1.exe (PID 1152), which is the process that makes the Defender changes below.
- Healer family
- Modifies Windows Defender Real-time Protection settings (6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 1.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 1.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 1.exe
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/4664-6466-0x0000000005740000-0x0000000005772000-memory.dmp | family_redline
  PID 4664 is 418229472.exe, the second child of the top-level sample. It crashed in the sandbox (see Program crash below), and no RedLine config was extracted, so the RedLine classification here rests on the in-memory YARA match only.
- RedLine family
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 170382928.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 361103506.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | oneetx.exe
- Executes dropped EXE (9 IoCs)
  pid | Process
  4404 | iI024552.exe
  2572 | Fy476355.exe
  3616 | 170382928.exe
  1152 | 1.exe
  212 | 242840271.exe
  5672 | 361103506.exe
  5984 | oneetx.exe
  4664 | 418229472.exe
  6624 | oneetx.exe
- Windows security modification (1 IoC)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | 1.exe
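The Defender rows above (the Real-Time Protection policy values and the TamperProtection flag, all written by 1.exe) are exactly what a detection should key on when triaging registry events from a sandbox or an EDR. The following is an added example for this report, not part of the sandbox output: it parses rows in the "description ioc Process" layout used on this page and flags the two tampering patterns. SAMPLE_ROWS is constructed from the rows above plus one unrelated read by oneetx.exe as a negative control.

```python
"""Flag Windows Defender tampering in sandbox registry rows.
Added example written for this report; the row layout it parses is the one
used on this page ("<description> <ioc> [= "<data>"] <process>")."""
import re

# Constructed from the rows listed on this page; the last row is a control.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 1.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 1.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation oneetx.exe',
]

ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>[^"]*)")?\s+(?P<proc>\S+)$'
)

# Policy values under HKLM\SOFTWARE\Policies override the user-facing Defender
# settings; the Features key holds the tamper-protection switch.
DEFENDER_POLICY = "\\registry\\machine\\software\\policies\\microsoft\\windows defender\\"
DEFENDER_FEATURES = "\\registry\\machine\\software\\microsoft\\windows defender\\features\\"


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        return None
    ev = m.groupdict()
    ev["op"] = "set" if ev["op"].startswith("Set value") else ev["op"].lower()
    return ev


def classify(ev):
    """Map one registry event to a tampering rule name, or None."""
    if ev is None or ev["op"] != "set":
        return None
    path = ev["path"].lower()
    value_name = path.rpartition("\\")[2]
    if path.startswith(DEFENDER_POLICY) and value_name.startswith("disable") and ev["data"] == "1":
        return "defender_policy_disable"
    if path == DEFENDER_FEATURES + "tamperprotection" and ev["data"] == "0":
        return "tamper_protection_off"
    return None


def detect(rows):
    """(process, rule, value name) for every row that matches a rule."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        rule = classify(ev)
        if rule:
            findings.append((ev["proc"], rule, ev["path"].rpartition("\\")[2]))
    return findings


def by_process(findings):
    """Collapse findings to {process: set(rules)} for a quick verdict per PID."""
    out = {}
    for proc, rule, _ in findings:
        out.setdefault(proc, set()).add(rule)
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_ROWS):
        print(f)
    print(by_process(detect(SAMPLE_ROWS)))
```

One caveat when reading these rows: a successful registry write does not by itself prove Defender was disabled. With Tamper Protection active, Defender ignores these changes from untrusted processes, so on a live host confirm the effective state (for example with Get-MpComputerStatus, checking RealTimeProtectionEnabled and IsTamperProtected) rather than trusting the write.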
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | iI024552.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | Fy476355.exe
  These RunOnce entries are the standard cleanup hook written by the Windows self-extractor (wextract/IExpress): each one deletes its IXP00n.TMP extraction folder at next logon via advpack.dll,DelNodeRunDLL32. They indicate three nested self-extracting layers rather than malware-authored persistence; the persistence in this run is the scheduled task below.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3692 | 212 | WerFault.exe | 90
  756 | 4664 | WerFault.exe | 100
  The crashed processes are 242840271.exe (PID 212) and 418229472.exe (PID 4664, the process carrying the RedLine payload), so neither of those stages completed in this run.
- System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  All 16 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by: oneetx.exe, 418229472.exe, iI024552.exe, Fy476355.exe, 170382928.exe, cmd.exe (3 entries), cacls.exe (4 entries), 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe, 242840271.exe, schtasks.exe, 361103506.exe.
  The same key is opened by ordinary Windows binaries at startup, so the cmd.exe, cacls.exe and schtasks.exe entries are the signature firing on system tools the malware launched; the entries for the dropped executables are the ones worth attention.
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  5196 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  1152 | 1.exe
  1152 | 1.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3616 | 170382928.exe
  Token: SeDebugPrivilege | 212 | 242840271.exe
  Token: SeDebugPrivilege | 1152 | 1.exe
  Token: SeDebugPrivilege | 4664 | 418229472.exe
- Suspicious use of WriteProcessMemory (47 IoCs)
  Each parent/child pair is logged once per recorded write; identical rows are collapsed below with their count.
  pid | target pid | Process | procid_target | rows
  3024 | 4404 | 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe | 85 | 3
  4404 | 2572 | iI024552.exe | 86 | 3
  2572 | 3616 | Fy476355.exe | 87 | 3
  3616 | 1152 | 170382928.exe | 89 | 2
  2572 | 212 | Fy476355.exe | 90 | 3
  4404 | 5672 | iI024552.exe | 98 | 3
  5672 | 5984 | 361103506.exe | 99 | 3
  3024 | 4664 | 06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe | 100 | 3
  5984 | 5196 | oneetx.exe | 101 | 3
  5984 | 3472 | oneetx.exe | 103 | 3
  3472 | 5968 | cmd.exe | 105 | 3
  3472 | 5964 | cmd.exe | 106 | 3
  3472 | 5560 | cmd.exe | 107 | 3
  3472 | 6096 | cmd.exe | 108 | 3
  3472 | 1216 | cmd.exe | 109 | 3
  3472 | 5416 | cmd.exe | 110 | 3
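The WriteProcessMemory rows are the raw material for the process tree further down: every "PID A wrote to memory of B" row is a parent writing into a child it just created. The following is an added example for this report, not sandbox output; it parses rows in that layout, collapses the repeated entries, rebuilds the parent/child graph and prints the lineage of any PID. SAMPLE_ROWS is constructed from the table above: every distinct edge from the run is present, and the duplicate rows are kept only for the 3024 -> 4404 and 3616 -> 1152 edges to keep the list short. KNOWN_IMAGES supplies names for leaf PIDs that never write to another process, taken from the "Executes dropped EXE", "Scheduled Task" and process tree entries on this page.

```python
"""Rebuild process lineage from WriteProcessMemory rows of the form
"PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
Added example written for this report."""
import re
from collections import defaultdict

SAMPLE = "06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"

# Constructed from the table on this page (see lead-in for which duplicates were kept).
SAMPLE_ROWS = [
    f"PID 3024 wrote to memory of 4404 3024 {SAMPLE} 85",
    f"PID 3024 wrote to memory of 4404 3024 {SAMPLE} 85",
    f"PID 3024 wrote to memory of 4404 3024 {SAMPLE} 85",
    "PID 4404 wrote to memory of 2572 4404 iI024552.exe 86",
    "PID 2572 wrote to memory of 3616 2572 Fy476355.exe 87",
    "PID 3616 wrote to memory of 1152 3616 170382928.exe 89",
    "PID 3616 wrote to memory of 1152 3616 170382928.exe 89",
    "PID 2572 wrote to memory of 212 2572 Fy476355.exe 90",
    "PID 4404 wrote to memory of 5672 4404 iI024552.exe 98",
    "PID 5672 wrote to memory of 5984 5672 361103506.exe 99",
    f"PID 3024 wrote to memory of 4664 3024 {SAMPLE} 100",
    "PID 5984 wrote to memory of 5196 5984 oneetx.exe 101",
    "PID 5984 wrote to memory of 3472 5984 oneetx.exe 103",
    "PID 3472 wrote to memory of 5968 3472 cmd.exe 105",
    "PID 3472 wrote to memory of 5964 3472 cmd.exe 106",
    "PID 3472 wrote to memory of 5560 3472 cmd.exe 107",
    "PID 3472 wrote to memory of 6096 3472 cmd.exe 108",
    "PID 3472 wrote to memory of 1216 3472 cmd.exe 109",
    "PID 3472 wrote to memory of 5416 3472 cmd.exe 110",
]

# Leaf processes never write into a child, so their names come from elsewhere on the page.
KNOWN_IMAGES = {1152: "1.exe", 212: "242840271.exe", 4664: "418229472.exe",
                5196: "schtasks.exe", 5968: "cmd.exe", 5964: "cacls.exe",
                5560: "cacls.exe", 6096: "cmd.exe", 1216: "cacls.exe", 5416: "cacls.exe"}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_rows(rows):
    """Return ({(src, dst): {procid, count}}, {pid: image}); duplicates are counted."""
    edges, images = {}, dict(KNOWN_IMAGES)
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unexpected row: {row!r}")
        src, dst, image, procid = int(m[1]), int(m[2]), m[3], int(m[4])
        images[src] = image
        edge = edges.setdefault((src, dst), {"procid": procid, "count": 0})
        edge["count"] += 1
    return edges, images


def build_tree(edges):
    """Parent map, children map and the root PIDs (writers nobody wrote into)."""
    parent, children = {}, defaultdict(list)
    for src, dst in edges:
        parent.setdefault(dst, src)
        children[src].append(dst)
    roots = [p for p in children if p not in parent]
    return parent, children, roots


def lineage(pid, parent):
    """Root-to-leaf chain of PIDs for one process."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(pid, children, images, depth=0):
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, images, depth + 1))
    return lines


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    parent, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, children, images)))
    print("lineage of 5416:", lineage(5416, parent))
```

The reconstructed depth of the cacls.exe processes is 6, which matches the nesting shown in the Processes section. The WerFault.exe instances and the second oneetx.exe (PID 6624) do not appear in this graph because they are started by the WER service and the Task Scheduler respectively, not by a process of the sample writing into them; that is why the tree lists them at the top level.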
Processes
[1] C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\06dc9deb6904c7dddab5c24f17c295208bd64aaaf186cbd7322160c02868345aN.exe"
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3024
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iI024552.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4404
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Fy476355.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2572
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\170382928.exe
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3616
        [5] C:\Windows\Temp\1.exe
            Command line: "C:\Windows\Temp\1.exe"
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1152
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\242840271.exe
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 212
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1256
            - Program crash
            PID: 3692
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\361103506.exe
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 5672
      [4] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 5984
        [5] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
            PID: 5196
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 3472
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - System Location Discovery: System Language Discovery
              PID: 5968
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "oneetx.exe" /P "Admin:N"
              - System Location Discovery: System Language Discovery
              PID: 5964
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "oneetx.exe" /P "Admin:R" /E
              - System Location Discovery: System Language Discovery
              PID: 5560
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              - System Location Discovery: System Language Discovery
              PID: 6096
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
              - System Location Discovery: System Language Discovery
              PID: 1216
          [6] C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
              - System Location Discovery: System Language Discovery
              PID: 5416
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\418229472.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 4664
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 1252
        - Program crash
        PID: 756
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 212 -ip 212
    PID: 4324
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 4664
    PID: 6952
[1] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    - Executes dropped EXE
    PID: 6624

Two things to read from this tree. First, the image paths under C:\Windows\SysWOW64 for processes whose command lines name C:\Windows\System32 are WoW64 file-system redirection: the loader chain is 32-bit, so its calls to System32 resolve to the 32-bit copies. Second, the last oneetx.exe (PID 6624) has no parent in the sample's chain and carries only the "Executes dropped EXE" signature, which is consistent with the one-minute scheduled task created by PID 5196 relaunching it.
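The two command lines spawned by oneetx.exe (PID 5984) are the whole persistence and self-protection story: a scheduled task that reruns the payload every minute, and a cacls chain that strips the logged-on user's rights to the dropped file and its folder so the user cannot simply delete them. The following is an added example written for this report, not sandbox output or Amadey's code. SCHTASKS_CMD and CACLS_CMD are copied from the tree above; the schtasks parser handles the switches seen here, and the cacls parser covers the "/P user:perm [/E]" form used in this chain, not the full cacls grammar.

```python
"""Decode the schtasks and cacls command lines from the process tree.
Added example written for this report."""
import re
import shlex

SCHTASKS_CMD = (
    '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe '
    '/TR "C:\\Users\\Admin\\AppData\\Local\\Temp\\cb7ae701b3\\oneetx.exe" /F'
)
CACLS_CMD = (
    '"C:\\Windows\\System32\\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"'
    '&&CACLS "oneetx.exe" /P "Admin:R" /E'
    '&&echo Y|CACLS "..\\cb7ae701b3" /P "Admin:N"'
    '&&CACLS "..\\cb7ae701b3" /P "Admin:R" /E&&Exit'
)


def parse_schtasks(cmd):
    """schtasks switches as a dict: flags map to True, options to their value."""
    # posix=False keeps backslashes literal; the surrounding quotes are stripped afterwards.
    toks = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    opts, i = {}, 1                       # toks[0] is the schtasks binary
    while i < len(toks):
        sw = toks[i].upper()
        if sw in ("/CREATE", "/F"):
            opts[sw] = True
            i += 1
        elif sw.startswith("/") and i + 1 < len(toks):
            opts[sw] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def task_summary(cmd):
    opts = parse_schtasks(cmd)
    run = opts.get("/TR", "")
    every = int(opts["/MO"]) if opts.get("/SC", "").upper() == "MINUTE" else None
    return {
        "name": opts.get("/TN"),
        "every_minutes": every,
        "run": run,
        "runs_from_user_temp": "\\appdata\\local\\temp\\" in run.lower(),
        "force": opts.get("/F", False),   # /F overwrites an existing task of the same name
    }


CACLS_RE = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):([NRWCF])"(\s+/E)?', re.I)


def parse_cacls_chain(cmd):
    """Split the &&-chain into CACLS steps. Without /E, /P replaces the whole ACL
    and cacls asks for confirmation, which is why those steps are fed 'echo Y'."""
    steps = []
    for seg in cmd.split("&&"):
        m = CACLS_RE.search(seg)
        if m:
            target, user, perm, edit = m.groups()
            steps.append({"target": target, "user": user, "perm": perm.upper(),
                          "edit": edit is not None,
                          "prompt_answered": "echo y|" in seg.lower()})
    return steps


def final_acls(steps):
    """Replay the steps to get the resulting ACL per target."""
    state = {}
    for s in steps:
        entry = state.setdefault(s["target"], {"acl_replaced": False, "aces": {}})
        if not s["edit"]:                 # /P without /E: every other ACE is dropped
            entry["aces"] = {}
            entry["acl_replaced"] = True
        entry["aces"][s["user"]] = s["perm"]
    return state


if __name__ == "__main__":
    print(task_summary(SCHTASKS_CMD))
    steps = parse_cacls_chain(CACLS_CMD)
    for s in steps:
        print(s)
    print(final_acls(steps))
```

The replay shows the end state: each target's ACL is replaced wholesale and then left with a single Admin:R entry, so the logged-on user can still read (and the task can still launch) oneetx.exe but cannot modify or delete it or its folder through normal means. Since the user created the file and is therefore its owner, the ACL can be restored during cleanup with icacls <path> /reset (or takeown first if ownership was changed); none of that is shown on this page and is a general remediation step.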
MITRE ATT&CK Enterprise v15
Tactic | Technique | Sub-technique | Count
Persistence | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | 1
Persistence | Create or Modify System Process | Windows Service | 1
Persistence | Scheduled Task/Job | Scheduled Task | 1
Privilege Escalation | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder | 1
Privilege Escalation | Create or Modify System Process | Windows Service | 1
Privilege Escalation | Scheduled Task/Job | Scheduled Task | 1
Downloads
- Filesize: 538KB
  MD5: 85648d9d3c25a9cae3d60bba38357e3e
  SHA1: f319e778b59b4b81158f6433a9d19d0145472217
  SHA256: dd05dc35b6c6320abc834b7624bd557e4961aa1564de949f6bc0c386ff11f57f
  SHA512: cf8a4c68e50f17fd2000c11766656aa3a4162ea18a9cd51bb6027dae5604e3a48c1d555184cee656dc179a4a033fedcf78f04a5dff5fecadbf4ebd74e7341d15
- Filesize: 871KB
  MD5: 827ccbc4c11603646f8a3c69172e8a45
  SHA1: 2017a8048034862c7e92e2d3ece454ed3e927779
  SHA256: 525e8d353a3ec8dca403c848bb02e2f0f9cbbdc041f5ab6c7ff85aa2f14f0b67
  SHA512: f32bf5eb824031eff1a497961cc6a3ad4de9eddab3944eadbefdd1d0e6f87f6a7abb4ab9794d96fc8f771ad60c9347cfe7ac3f44d74b04021ddcdaa5d28fa207
- Filesize: 204KB
  MD5: c09473f87c87e6bd0ebab611067875bb
  SHA1: b42294e8ce5804dec65735d142a4a29e8a861cd6
  SHA256: d7e3a6c78044fb393ebbc9d262dbe7609eb07acff787d6b43f96dc8107d287d1
  SHA512: c3ddb62d12a1d0ee584815faecf616e8a3884d8b13ed9f832308fbf57ebb770c2b1dd7df38d32da4ee072eb8d61bfc9b37607cf37e1b52dccb1a986c247476a6
- Filesize: 699KB
  MD5: fbd51d7e7ef4b74311ada32235dad4a3
  SHA1: cd77bc5d2d0c52f65ee8ca49e413fc04436a0951
  SHA256: 18a2596e9e9421902f25d1f2ff4b591f1489d8a716842c295b18c4bc5342abe6
  SHA512: 8aabcdbb6cfa9fd24c0f3dd92b48d6eaedbf5625dfc819d7d065db795e4104facaf2126401e39df235107c9ec697fdbf4895d50f8d7c8231ac4b514e4a50af95
- Filesize: 300KB
  MD5: f6d59c97a0ed988291f29786087dc183
  SHA1: b441493c234cb87c634ba56b170372ab7c6ae6e3
  SHA256: 8b77e63aa6736150639ebd0fd474f9c6fcf6cc7a4e6795e92e888b2ce52a14cb
  SHA512: 8ac6b127cec2616e637fef0bff71cc2360c48e3690958c66c9233844792276d912b8cfce0f63834b20d9a94fd2cadca9b0ced8846ec474686d91b3d402f21ea2
- Filesize: 478KB
  MD5: cd22ce939659072b194a1fa34ad136e3
  SHA1: e6fe1c548efc7fae64a6a6569ed4747df39999b8
  SHA256: cb90776180a118ffd70a5e77dfcb25217e04ba16fc0813436d15b68dc1f63240
  SHA512: 70a29db233981f5800c9130626371bfee55973175e25b86a9f74832d03a38d47ee0e7d58e63e13e8410010062442334649a5c7f23f8c7391a36d2d2ab0dbeeaf
- Filesize: 11KB
  MD5: 7e93bacbbc33e6652e147e7fe07572a0
  SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
  SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
  SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91