Analysis
-
max time kernel
147s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
31/03/2023, 22:59
General
-
Target
ad83202a050044e3a3047b920bedc5681e365e0d0ed097e76b59eeb568774aef.exe
-
Size
1001KB
-
MD5
8ad264e7033bc6dc1caf34e77dc5850b
-
SHA1
bd248062367485e5760178d105b36fc9aa854f68
-
SHA256
ad83202a050044e3a3047b920bedc5681e365e0d0ed097e76b59eeb568774aef
-
SHA512
2d65cb4657a917b3ac72fae57119a7b97af87aed3c039da9fe7d9af19e9af2e2144f60ffe771bc1c5cba9e8782ffca36d4e5a7c4bfe661d80f34937eb06d0458
-
SSDEEP
24576:8y+RoOgo6wZ+Jmy7ZkJ6DOJpXY0vcXlv/SOgRvvdP/k+C+I:r+RojoJ+xSiuprcovdHK+
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad83202a050044e3a3047b920bedc5681e365e0d0ed097e76b59eeb568774aef.exe"C:\Users\Admin\AppData\Local\Temp\ad83202a050044e3a3047b920bedc5681e365e0d0ed097e76b59eeb568774aef.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3158.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3158.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9097.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap9097.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9152.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap9152.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2638.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2638.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9280Ac.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9280Ac.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 10846⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w92VD14.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w92VD14.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 13485⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcWoX28.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcWoX28.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y94UT60.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y94UT60.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2124 -ip 21241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1216 -ip 12161⤵
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
818KB
MD5683cb3d72e89b5de3b912098dc4194af
SHA1403a44fb37c336bc75d02d55e91d338edd5d49d3
SHA2562a7776b081b357d3c2918463d7be63a2c0ad9e43fd95669622b13746c205a9de
SHA51220544bd20beb5919262ec3fc1c3e4fa05d74cdab4ff3a5c400685eddca932c3243c8e98d46bbc3c5a9ff676ddfdad10460ea01c2beb2e4bc841e85bcbcb9dea0
-
Filesize
818KB
MD5683cb3d72e89b5de3b912098dc4194af
SHA1403a44fb37c336bc75d02d55e91d338edd5d49d3
SHA2562a7776b081b357d3c2918463d7be63a2c0ad9e43fd95669622b13746c205a9de
SHA51220544bd20beb5919262ec3fc1c3e4fa05d74cdab4ff3a5c400685eddca932c3243c8e98d46bbc3c5a9ff676ddfdad10460ea01c2beb2e4bc841e85bcbcb9dea0
-
Filesize
175KB
MD5464877ec983106d3c229f36799e46c4d
SHA14e380eff6156527e5bdfa1c827724c7b6029086a
SHA256cc6344629f370933e3938a403e4f7d546d4594510f9cc89dbb47a8f583764d66
SHA5126ec43e6f8321665ea92ac81d3af35228de79b9edaf12c4fb5027a4a10b68dfea661fc68027a5aab203e98b166305b474a4a99ccc732064a29ff42a64b668270d
-
Filesize
175KB
MD5464877ec983106d3c229f36799e46c4d
SHA14e380eff6156527e5bdfa1c827724c7b6029086a
SHA256cc6344629f370933e3938a403e4f7d546d4594510f9cc89dbb47a8f583764d66
SHA5126ec43e6f8321665ea92ac81d3af35228de79b9edaf12c4fb5027a4a10b68dfea661fc68027a5aab203e98b166305b474a4a99ccc732064a29ff42a64b668270d
-
Filesize
676KB
MD5a8c7587ddc6ae87f9e2097c326b9df0c
SHA17351ea312f8d46ab09d4b1d89f750502fe1cf2ba
SHA2564b02154fc60ac2bc6bd706123415591baf57a7d9cd89943f3a3a5d648aa00ccd
SHA512e2f53b943d5836813ebccae5129fb53d65735f736c27711935fbe5f25e1021a96e1c5b10fbeedd004fa95ec375933743c2ec614ef70c37e2cc06f5791ed6def6
-
Filesize
676KB
MD5a8c7587ddc6ae87f9e2097c326b9df0c
SHA17351ea312f8d46ab09d4b1d89f750502fe1cf2ba
SHA2564b02154fc60ac2bc6bd706123415591baf57a7d9cd89943f3a3a5d648aa00ccd
SHA512e2f53b943d5836813ebccae5129fb53d65735f736c27711935fbe5f25e1021a96e1c5b10fbeedd004fa95ec375933743c2ec614ef70c37e2cc06f5791ed6def6
-
Filesize
319KB
MD59a6d03a979219d557a1b533b82558d1c
SHA17f28a999ecafa64891e0df11d3ac1a2f87938f70
SHA2562b8306c417c9be6faaf3ad24c41d3c63d16e0fc342f172489e5ddfb3929087d2
SHA512babf8b50c9a19f18761e8e809aff9b2ffdd79fdb5a0662c1c18c024027c5aadfdc69dc9d073039ac58e7ce38039e2ff16430cdd70feb32d59cac3c6766d17d2b
-
Filesize
319KB
MD59a6d03a979219d557a1b533b82558d1c
SHA17f28a999ecafa64891e0df11d3ac1a2f87938f70
SHA2562b8306c417c9be6faaf3ad24c41d3c63d16e0fc342f172489e5ddfb3929087d2
SHA512babf8b50c9a19f18761e8e809aff9b2ffdd79fdb5a0662c1c18c024027c5aadfdc69dc9d073039ac58e7ce38039e2ff16430cdd70feb32d59cac3c6766d17d2b
-
Filesize
335KB
MD50157cf11c2c3cbefb31f8f95e15b96e2
SHA192ab0f68f728902efb7ea3026bb1684ae0a624b2
SHA2569824b898604f5dd811f405b93dd70e097c195100da0659de54d76f93943f2877
SHA512abbfbc5272fcb1a69c22a5e8062ff217567d951ff8f9230010cdb95c3f1ce9445bb4eef14e214f99246077e0f2be18db663a7c2f489bf6b7a48954542f4b9a97
-
Filesize
335KB
MD50157cf11c2c3cbefb31f8f95e15b96e2
SHA192ab0f68f728902efb7ea3026bb1684ae0a624b2
SHA2569824b898604f5dd811f405b93dd70e097c195100da0659de54d76f93943f2877
SHA512abbfbc5272fcb1a69c22a5e8062ff217567d951ff8f9230010cdb95c3f1ce9445bb4eef14e214f99246077e0f2be18db663a7c2f489bf6b7a48954542f4b9a97
-
Filesize
11KB
MD53231266976651a33cb39033aac1573af
SHA1508667878efa5a065dab6021de41e35af64ebf1e
SHA2562cb9e8b66626ced0c6dc5666d91a592344162fa84b2c4901b9632db379b23b0b
SHA51247126a55dda1e2dbc2c9a4a44ba4f5dcd4e40bca0cd2b2da6cddd794d7962371562903d8f2c26dc37768f04164d411c2ea798bbb9181829d85fb8d9f4aca2662
-
Filesize
11KB
MD53231266976651a33cb39033aac1573af
SHA1508667878efa5a065dab6021de41e35af64ebf1e
SHA2562cb9e8b66626ced0c6dc5666d91a592344162fa84b2c4901b9632db379b23b0b
SHA51247126a55dda1e2dbc2c9a4a44ba4f5dcd4e40bca0cd2b2da6cddd794d7962371562903d8f2c26dc37768f04164d411c2ea798bbb9181829d85fb8d9f4aca2662
-
Filesize
260KB
MD5f8d3b4eeb3b9fcf1dbfe7b8c73a7b1c3
SHA1d4e6d37394fa2279ce7631fb1b7b53d34d7c7e72
SHA256ad13a32546b925cf7fae2226e0d3e4313579541d08e7c8882091e3478de1ffd3
SHA512414a3275c6c1ece925543b1cd32a7ef29bcac24a7429c1c133ccf9699cf6dee8fe494cdf2e2bfb61f2da9082efdb451c5f7333a03e20155364148849f67a99ec
-
Filesize
260KB
MD5f8d3b4eeb3b9fcf1dbfe7b8c73a7b1c3
SHA1d4e6d37394fa2279ce7631fb1b7b53d34d7c7e72
SHA256ad13a32546b925cf7fae2226e0d3e4313579541d08e7c8882091e3478de1ffd3
SHA512414a3275c6c1ece925543b1cd32a7ef29bcac24a7429c1c133ccf9699cf6dee8fe494cdf2e2bfb61f2da9082efdb451c5f7333a03e20155364148849f67a99ec
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
236KB
MD51e44fe46128c49a52758a3b3960f4c7f
SHA1b650963722f0f5554e5de5e81d60ebfb14a233b8
SHA2562be809a316661e52b4364e04b92678d235534077e80d9b7bc1bf5367dc5c8860
SHA5126f94fa813a1b889f9edcbf6e672be38c2ed2fe7f5c394b5a72888713ce7fa54b8ad91b6ee953b8e9c8266f77f0a3ca7464879502aa1ac9352c4e448f77410d62
-
Filesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
Filesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
Filesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
708KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
708KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.3MB
-
Filesize
40KB