Analysis
-
max time kernel
139s -
max time network
121s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
24-03-2023 08:10
General
-
Target
ebb121c74dc1e433561031722dfc9969637345a36a3c74a3c3f426208dbe36cb.exe
-
Size
1011KB
-
MD5
141e330c19943735dd230cf31f180200
-
SHA1
ea7de87d63d80570d7407d94f5b62f7d41deacf0
-
SHA256
ebb121c74dc1e433561031722dfc9969637345a36a3c74a3c3f426208dbe36cb
-
SHA512
640e8e13ecaf1e4075bf40afb7ed66fd85c709ab3757c23efc9c3c7260d59d016839580ef1b2e6e2d3ccae9e0af7ba316141a89885921faed5488d18869d9178
-
SSDEEP
24576:ryt/WWFrJNYlAZmxVaxq73jbke/shXKFQ3YTmuh:e11rTYlNxVa63NsgFnT
Malware Config
Extracted
redline
down
193.233.20.31:4125
-
auth_value
12c31a90c72f5efae8c053a0bd339381
Extracted
redline
roxi
193.233.20.31:4125
-
auth_value
9d8be78c896acc3cf8b8a6637a221376
Extracted
amadey
3.68
31.41.244.200/games/category/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 11 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 50 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ebb121c74dc1e433561031722dfc9969637345a36a3c74a3c3f426208dbe36cb.exe"C:\Users\Admin\AppData\Local\Temp\ebb121c74dc1e433561031722dfc9969637345a36a3c74a3c3f426208dbe36cb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino0394.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino0394.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2736.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kino2736.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6846.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kino6846.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4536.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bus4536.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2752.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2752.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOq26s63.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dOq26s63.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en428743.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en428743.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge510490.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge510490.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "metafor.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\5975271bda" /P "Admin:R" /E5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exeC:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
226KB
MD58627ebe3777cc777ed2a14b907162224
SHA106eeed93eb3094f9d0b13ac4a6936f7088fbbdaa
SHA256319b22945beeb7424fe6db1e9953ad5f2dc12cbba2fe24e599c3deda678893bb
SHA5129de429300c95d52452caeb80c9d44ff72714f017319e416649c2100f882c394f5ab9f3876cc68d338f4b5a3cd58337defff9405be64c87d078edd0d86259c845
-
Filesize
828KB
MD5cdd3cdca135d6c9858204c3a6d5f18cb
SHA1b8251f461d64d4582d28328d8367fcaff7b4c54d
SHA256b780bbdd017a17df2a1048479dab7b34936b33087d8c86a346677c383cb74018
SHA5124c4ec41aea225c968b59816bccd826f2037de8241c1233db68573072f774ae40066ccd92c3b65942fd4b156b28ffabcb573e897cb6cbcc81f76cd143e16efade
-
Filesize
828KB
MD5cdd3cdca135d6c9858204c3a6d5f18cb
SHA1b8251f461d64d4582d28328d8367fcaff7b4c54d
SHA256b780bbdd017a17df2a1048479dab7b34936b33087d8c86a346677c383cb74018
SHA5124c4ec41aea225c968b59816bccd826f2037de8241c1233db68573072f774ae40066ccd92c3b65942fd4b156b28ffabcb573e897cb6cbcc81f76cd143e16efade
-
Filesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
Filesize
175KB
MD530bf410db5f6c05f0dee763f5a0fe5b7
SHA11f4187925e1af163603a12bb116e869f8f137455
SHA256d1f5b4b1ee5703bf94f9c1bee60e91463db4c28beeb7510ea7ceba9fab4b1178
SHA5125edc65f5e5278af8731174dbdc70a8a5efddf1ee756df1accead04f1490b90eb05b25a1eaaba49d1f274aeff4de0bc02ec79f220ea99bc5383e2890ed4f211de
-
Filesize
686KB
MD539405880a1dc796a241e5ff2564065b2
SHA177dcfcf55e74de2c72057678595819d910ebe9c0
SHA2560383afa8e77b413c781b4b6d6f39037477a83367817c88bd2a721b9bf2273d5c
SHA51255098b22826eb50eb3fbfb566183a56c83df8c751235db6a660b93f91cbe4e1e8c87de1be6a79e7691b53922f1fd8674d884fdbcff788725f5fc62f6678a435f
-
Filesize
686KB
MD539405880a1dc796a241e5ff2564065b2
SHA177dcfcf55e74de2c72057678595819d910ebe9c0
SHA2560383afa8e77b413c781b4b6d6f39037477a83367817c88bd2a721b9bf2273d5c
SHA51255098b22826eb50eb3fbfb566183a56c83df8c751235db6a660b93f91cbe4e1e8c87de1be6a79e7691b53922f1fd8674d884fdbcff788725f5fc62f6678a435f
-
Filesize
355KB
MD5ef5875d98db70136678f30b6e71860dd
SHA1bf03e2c335e8fefd39150c7f2d291181ac9bcbcb
SHA25665b07cabb3116c43921aff52e758e07bbdbfdcb2f44dfc2ca1a1473b983da136
SHA5128525c861f619b6ac0d7d7cea9ba49952396a5f347e7ca64ddb05909d1405df509b212e3a237dab609e7cc930e354f8ff89529ad160618b2623e49cacd8125b14
-
Filesize
355KB
MD5ef5875d98db70136678f30b6e71860dd
SHA1bf03e2c335e8fefd39150c7f2d291181ac9bcbcb
SHA25665b07cabb3116c43921aff52e758e07bbdbfdcb2f44dfc2ca1a1473b983da136
SHA5128525c861f619b6ac0d7d7cea9ba49952396a5f347e7ca64ddb05909d1405df509b212e3a237dab609e7cc930e354f8ff89529ad160618b2623e49cacd8125b14
-
Filesize
340KB
MD5e79c01a42dd23669b46b4e1c1b2d3f79
SHA1ed054ca9949de98c41fc2972bc0db3a619962623
SHA256b40da0bf7ec350203731301798250b5a58e767270c6b93bafa12ee6af3bd63c7
SHA5127ad1a7613cd304c4a135891d5fa7731c1201512c578b9801f6114a1b9e471bcdb4606ea12552ae1e1012437dbdaaf31306ce03d7a2dfa122acbbead985256693
-
Filesize
340KB
MD5e79c01a42dd23669b46b4e1c1b2d3f79
SHA1ed054ca9949de98c41fc2972bc0db3a619962623
SHA256b40da0bf7ec350203731301798250b5a58e767270c6b93bafa12ee6af3bd63c7
SHA5127ad1a7613cd304c4a135891d5fa7731c1201512c578b9801f6114a1b9e471bcdb4606ea12552ae1e1012437dbdaaf31306ce03d7a2dfa122acbbead985256693
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
298KB
MD5f8421f8ff741a711403dd8cda5c8f6a2
SHA1d9a873d46f08d2bb28372b71b770286c9b762347
SHA2561e9b88d7800550733837d110f2e2a6eed8318d68eb6e84686e0f5e4e747d4d14
SHA5125b1833228d9a2cd9fd2003fca2798f7d76666bb017647421d0dea76bf1f615632588c15f31f183488d23d2396e9f78dbbd61adf49618d59ca76bed5358428f94
-
Filesize
298KB
MD5f8421f8ff741a711403dd8cda5c8f6a2
SHA1d9a873d46f08d2bb28372b71b770286c9b762347
SHA2561e9b88d7800550733837d110f2e2a6eed8318d68eb6e84686e0f5e4e747d4d14
SHA5125b1833228d9a2cd9fd2003fca2798f7d76666bb017647421d0dea76bf1f615632588c15f31f183488d23d2396e9f78dbbd61adf49618d59ca76bed5358428f94
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
300KB
-
Filesize
280KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
180KB
-
Filesize
5.0MB
-
Filesize
104KB