Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
31-03-2023 18:24
General
-
Target
e9a88b3c2dae69eabcf6c13fde4c3d4170017dad29ce5eec44fe124a6f7acc16.exe
-
Size
1000KB
-
MD5
4ebe9291c1a45098e1d6f265445c7390
-
SHA1
f07dfe3eafe4a1e1a0da91c6db243c034111cfa4
-
SHA256
e9a88b3c2dae69eabcf6c13fde4c3d4170017dad29ce5eec44fe124a6f7acc16
-
SHA512
700f15134288e8fbec22a0bf9715b431517efcee08a9f069f1d8cac3c8cc40f58c04fec894e570541afe6ce162c449f4670c72c58bae3633aece11c48bb2085a
-
SSDEEP
24576:8yXUENqe8hFUKj96SLxUM14tfV6NocgeYBYK:rXUENJ8hXLxr1M87J
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
lift
176.113.115.145:4125
-
auth_value
94f33c242a83de9dcc729e29ec435dfb
Extracted
amadey
3.69
193.233.20.36/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e9a88b3c2dae69eabcf6c13fde4c3d4170017dad29ce5eec44fe124a6f7acc16.exe"C:\Users\Admin\AppData\Local\Temp\e9a88b3c2dae69eabcf6c13fde4c3d4170017dad29ce5eec44fe124a6f7acc16.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2669.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap2669.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6620.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap6620.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7336.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap7336.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7338.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz7338.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5371Bm.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5371Bm.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 10366⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60yA01.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w60yA01.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 13365⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvyDu05.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvyDu05.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73yB26.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y73yB26.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c5d2db5804" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3756 -ip 37561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4784 -ip 47841⤵
-
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exeC:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5095125c27cce3701c8dbe18f7392c5a9
SHA14c062de15d461c2f971b29e28d214cd2f332c550
SHA256941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2
SHA5129b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81
-
Filesize
236KB
MD5095125c27cce3701c8dbe18f7392c5a9
SHA14c062de15d461c2f971b29e28d214cd2f332c550
SHA256941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2
SHA5129b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81
-
Filesize
816KB
MD5e12f95d3a8646c5371810768e5453816
SHA1dedcabc7c909c938b7626ffdecf42a09402116bb
SHA256bf88738c138edc55f1aa9b7d10ed3e48355133f59726b6a68c320c154c306a8c
SHA512d311cfd5260ccc6e97922ce94aabd3bbbe1cc601e6039da65ed4c54fb1414981f9093fc574d5312216ff6a97c0f911cc85fb64dfc6fb27ef75ddb23ab1036a04
-
Filesize
816KB
MD5e12f95d3a8646c5371810768e5453816
SHA1dedcabc7c909c938b7626ffdecf42a09402116bb
SHA256bf88738c138edc55f1aa9b7d10ed3e48355133f59726b6a68c320c154c306a8c
SHA512d311cfd5260ccc6e97922ce94aabd3bbbe1cc601e6039da65ed4c54fb1414981f9093fc574d5312216ff6a97c0f911cc85fb64dfc6fb27ef75ddb23ab1036a04
-
Filesize
175KB
MD58500d678d0d37a82cd7eb21fdfabc850
SHA137d5d3056e0788f4283582414fe9c28731a930a4
SHA2566f7279ae2491cc2dfd8dea0293515c524311fde60ccad0143a9a2cce4412968d
SHA51221f32210c07b9acfe2b66e184ef3b8e71be53e6858ed7e04320b3ce84a7c8619fb7432591b5e9de78588dd1f52653c87940afc0cffe8add346c78f10233137a9
-
Filesize
175KB
MD58500d678d0d37a82cd7eb21fdfabc850
SHA137d5d3056e0788f4283582414fe9c28731a930a4
SHA2566f7279ae2491cc2dfd8dea0293515c524311fde60ccad0143a9a2cce4412968d
SHA51221f32210c07b9acfe2b66e184ef3b8e71be53e6858ed7e04320b3ce84a7c8619fb7432591b5e9de78588dd1f52653c87940afc0cffe8add346c78f10233137a9
-
Filesize
674KB
MD583929dedc4f67c14cc71a07cf3c659a2
SHA1f4fb025e57bee31cf68f44aefbe7dd2fce6f9974
SHA256255c08e68f5fa58cb7b98b5ae17d8c6a8bcae7cb0d9d9c47bfebf56cee799ec7
SHA5120fe99dbf32d0490cfe3cb96b4f76f230c16b65ac895ce452ea23ec6f8aa7885b8c314690a33278452c9fd335db6d8ec134501df587e6345f200d9e4fff9a61df
-
Filesize
674KB
MD583929dedc4f67c14cc71a07cf3c659a2
SHA1f4fb025e57bee31cf68f44aefbe7dd2fce6f9974
SHA256255c08e68f5fa58cb7b98b5ae17d8c6a8bcae7cb0d9d9c47bfebf56cee799ec7
SHA5120fe99dbf32d0490cfe3cb96b4f76f230c16b65ac895ce452ea23ec6f8aa7885b8c314690a33278452c9fd335db6d8ec134501df587e6345f200d9e4fff9a61df
-
Filesize
318KB
MD560a1ada988f13269e99b6e70f627824a
SHA1d8ce6f10f3be50b72a6b4ad3f6107c2d118cd521
SHA2566663d55d5055f4b453d9be4df67314da48e902f4c24e25084f735d8b3c227e46
SHA51280fe8474d0b17d3a01c0124ef4f09c9144132940ecde455bc95c6986a0b2fa60aad581858a855315171fa7246026d6d744f623ef322c7e294b1e2bad19445626
-
Filesize
318KB
MD560a1ada988f13269e99b6e70f627824a
SHA1d8ce6f10f3be50b72a6b4ad3f6107c2d118cd521
SHA2566663d55d5055f4b453d9be4df67314da48e902f4c24e25084f735d8b3c227e46
SHA51280fe8474d0b17d3a01c0124ef4f09c9144132940ecde455bc95c6986a0b2fa60aad581858a855315171fa7246026d6d744f623ef322c7e294b1e2bad19445626
-
Filesize
333KB
MD51f3004e2604e47e85e4c392617b2db8b
SHA139e6bbec6d2101b17be17a78988b8662c4acc85d
SHA2565abf17d3fd724c89822d52768526a709cde47d7c293c42d34ba9586f8bafdb40
SHA51258dc0a0fa66386e25dd6c8e400b23b25fd9216cac48f7e3961387b692584ced5b0148d240bd581f8222ec8e2c9a760523a0bb6f69557fe4d3dc0d77b6e4c73ff
-
Filesize
333KB
MD51f3004e2604e47e85e4c392617b2db8b
SHA139e6bbec6d2101b17be17a78988b8662c4acc85d
SHA2565abf17d3fd724c89822d52768526a709cde47d7c293c42d34ba9586f8bafdb40
SHA51258dc0a0fa66386e25dd6c8e400b23b25fd9216cac48f7e3961387b692584ced5b0148d240bd581f8222ec8e2c9a760523a0bb6f69557fe4d3dc0d77b6e4c73ff
-
Filesize
11KB
MD55822f0db10603bd99ae49f08a5873b6d
SHA1e1622554eb30fd148d78f9840fc29ffc10ac8c86
SHA256aaa795220ae84c64323278dbbeffd2f6e59abb6a94a7ca500c87252c706c362f
SHA512ffb3db5a6f5e70414b691314c37a68a607e6ad04425b6684bcf633f8cb2a0e0f96de700f17efb90078818edf6dfae346ec60e953403409eccb66c48f1fd5721f
-
Filesize
11KB
MD55822f0db10603bd99ae49f08a5873b6d
SHA1e1622554eb30fd148d78f9840fc29ffc10ac8c86
SHA256aaa795220ae84c64323278dbbeffd2f6e59abb6a94a7ca500c87252c706c362f
SHA512ffb3db5a6f5e70414b691314c37a68a607e6ad04425b6684bcf633f8cb2a0e0f96de700f17efb90078818edf6dfae346ec60e953403409eccb66c48f1fd5721f
-
Filesize
259KB
MD52fadfb6d160cc3356a4a38d141dc35bd
SHA1c1c71b2a9c0bed1123aa15475632d443dd6a1a88
SHA256763d7409ca70b97330c27c966b88deab826c4bb8dcb5a4d770aaeb1eed9767d7
SHA512c2c449bd36a43529eec2822b93fea945f78ae21af1944bbf3fc327bd022273297ac675f8518f39f336428faa48e8bc465ead26e8b524bf0fdf3fa130adbfc7d8
-
Filesize
259KB
MD52fadfb6d160cc3356a4a38d141dc35bd
SHA1c1c71b2a9c0bed1123aa15475632d443dd6a1a88
SHA256763d7409ca70b97330c27c966b88deab826c4bb8dcb5a4d770aaeb1eed9767d7
SHA512c2c449bd36a43529eec2822b93fea945f78ae21af1944bbf3fc327bd022273297ac675f8518f39f336428faa48e8bc465ead26e8b524bf0fdf3fa130adbfc7d8
-
Filesize
236KB
MD5095125c27cce3701c8dbe18f7392c5a9
SHA14c062de15d461c2f971b29e28d214cd2f332c550
SHA256941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2
SHA5129b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81
-
Filesize
236KB
MD5095125c27cce3701c8dbe18f7392c5a9
SHA14c062de15d461c2f971b29e28d214cd2f332c550
SHA256941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2
SHA5129b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81
-
Filesize
236KB
MD5095125c27cce3701c8dbe18f7392c5a9
SHA14c062de15d461c2f971b29e28d214cd2f332c550
SHA256941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2
SHA5129b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81
-
Filesize
236KB
MD5095125c27cce3701c8dbe18f7392c5a9
SHA14c062de15d461c2f971b29e28d214cd2f332c550
SHA256941675b23d0e2ef0890d14ae5ac5eec3241506028b2f3b6735afdf1b2e919db2
SHA5129b41d72aa54759ed38e0a3efc2e97a3bf45a73c4beb2cac8256566fb5aa0ae250271971d586b35a745e123f4480c637c2deca4b753e51539f00f05e0419d0e81
-
Filesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
Filesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
Filesize
89KB
MD56a4c2f2b6e1bbce94b4d00e91e690d0d
SHA1f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57
SHA2568b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f
SHA5128c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
708KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
708KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
200KB