Analysis
-
max time kernel
146s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
02/04/2023, 19:49
General
-
Target
b371fc1218db76332061cb54302b03617e15d3bf9f76c9c901537c6840d72d72.exe
-
Size
1003KB
-
MD5
d8a0cc013ced2a622ec5b8b5dda192bf
-
SHA1
06a4bba01f4159a8acbecdebbc17caf061e26235
-
SHA256
b371fc1218db76332061cb54302b03617e15d3bf9f76c9c901537c6840d72d72
-
SHA512
7c8ecff394474098368bc1892f5126117bd1651fcb7e7244970a97b2f41154cb386ca9607f48e7e79404a25e7cc476c987c26b694443bee66eb14ffb37f33dce
-
SSDEEP
24576:MymKrDOyyaAfF4NwEYuwa3wjZBq1TNNe4+44km25voUB:7mOvAf+NwqwaOq1Bo4wkjRo
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
nord
176.113.115.145:4125
-
auth_value
ebb7d38cdbd7c83cf6363ef3feb3a530
Extracted
amadey
3.69
193.233.20.29/games/category/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 8 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b371fc1218db76332061cb54302b03617e15d3bf9f76c9c901537c6840d72d72.exe"C:\Users\Admin\AppData\Local\Temp\b371fc1218db76332061cb54302b03617e15d3bf9f76c9c901537c6840d72d72.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0669.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina0669.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina0831.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina0831.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9470.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina9470.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu797679.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu797679.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2869.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cor2869.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 10646⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnM34s87.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dnM34s87.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 13285⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en264260.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\en264260.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge139271.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ge139271.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\550693dc87" /P "Admin:N"&&CACLS "..\550693dc87" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\550693dc87" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\550693dc87" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2352 -ip 23521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3180 -ip 31801⤵
-
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exeC:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD560fa9d908a954160fcd53d58476997a2
SHA169ab22b15fa895625be12ee605fea6a1af923c53
SHA256b05fd2e2e90f2444eec09fc3fef679e35c3787866090e0fe19d538089ba59637
SHA512b2f7d5cd2b4ecb5508df67fb74c4ffaf9d3dba67b13dd8910a3ba7b9c16e651a7b3ffbe2b2ad032d1dfd4d7d808354f1f0f1ebbdd7ef18f8d3bd0386cb3e2c67
-
Filesize
236KB
MD560fa9d908a954160fcd53d58476997a2
SHA169ab22b15fa895625be12ee605fea6a1af923c53
SHA256b05fd2e2e90f2444eec09fc3fef679e35c3787866090e0fe19d538089ba59637
SHA512b2f7d5cd2b4ecb5508df67fb74c4ffaf9d3dba67b13dd8910a3ba7b9c16e651a7b3ffbe2b2ad032d1dfd4d7d808354f1f0f1ebbdd7ef18f8d3bd0386cb3e2c67
-
Filesize
236KB
MD560fa9d908a954160fcd53d58476997a2
SHA169ab22b15fa895625be12ee605fea6a1af923c53
SHA256b05fd2e2e90f2444eec09fc3fef679e35c3787866090e0fe19d538089ba59637
SHA512b2f7d5cd2b4ecb5508df67fb74c4ffaf9d3dba67b13dd8910a3ba7b9c16e651a7b3ffbe2b2ad032d1dfd4d7d808354f1f0f1ebbdd7ef18f8d3bd0386cb3e2c67
-
Filesize
236KB
MD560fa9d908a954160fcd53d58476997a2
SHA169ab22b15fa895625be12ee605fea6a1af923c53
SHA256b05fd2e2e90f2444eec09fc3fef679e35c3787866090e0fe19d538089ba59637
SHA512b2f7d5cd2b4ecb5508df67fb74c4ffaf9d3dba67b13dd8910a3ba7b9c16e651a7b3ffbe2b2ad032d1dfd4d7d808354f1f0f1ebbdd7ef18f8d3bd0386cb3e2c67
-
Filesize
236KB
MD560fa9d908a954160fcd53d58476997a2
SHA169ab22b15fa895625be12ee605fea6a1af923c53
SHA256b05fd2e2e90f2444eec09fc3fef679e35c3787866090e0fe19d538089ba59637
SHA512b2f7d5cd2b4ecb5508df67fb74c4ffaf9d3dba67b13dd8910a3ba7b9c16e651a7b3ffbe2b2ad032d1dfd4d7d808354f1f0f1ebbdd7ef18f8d3bd0386cb3e2c67
-
Filesize
236KB
MD560fa9d908a954160fcd53d58476997a2
SHA169ab22b15fa895625be12ee605fea6a1af923c53
SHA256b05fd2e2e90f2444eec09fc3fef679e35c3787866090e0fe19d538089ba59637
SHA512b2f7d5cd2b4ecb5508df67fb74c4ffaf9d3dba67b13dd8910a3ba7b9c16e651a7b3ffbe2b2ad032d1dfd4d7d808354f1f0f1ebbdd7ef18f8d3bd0386cb3e2c67
-
Filesize
821KB
MD57f9b825eb539eb810bed7e74a949d6f0
SHA1e7edf2667b9d394c67671e20bea135588bb9f42a
SHA256b160d232bc3230519d0e659f6404a1b7f05a790651bccc29ca68f94f17cb9b5d
SHA51205c5a9a9d9dba1a3a7a9484241f46fb354fc5674308733f311eefc07888c124f380a30f48532a1afee1a457fdb8bb62347353e2b5e7e7515ba0a288d5e419dbd
-
Filesize
821KB
MD57f9b825eb539eb810bed7e74a949d6f0
SHA1e7edf2667b9d394c67671e20bea135588bb9f42a
SHA256b160d232bc3230519d0e659f6404a1b7f05a790651bccc29ca68f94f17cb9b5d
SHA51205c5a9a9d9dba1a3a7a9484241f46fb354fc5674308733f311eefc07888c124f380a30f48532a1afee1a457fdb8bb62347353e2b5e7e7515ba0a288d5e419dbd
-
Filesize
175KB
MD5c2289d3fc49c5baf6840cc36fcc3b0a7
SHA1745945d4b35168f8bb59a2ad954830d14bf72926
SHA256388728feb41c88a6dafb3e504a9dc1cf87352ca4d754175662d03ef75649746d
SHA51239f478e644ebdfb1b2c78fe7f8d5ea6a839463b1cb7cbbdc748f7f9c62c4836b37f4bc8977af712def6cde0c68551cd664f7eaf11205d78f8b67f57b6f204c8e
-
Filesize
175KB
MD5c2289d3fc49c5baf6840cc36fcc3b0a7
SHA1745945d4b35168f8bb59a2ad954830d14bf72926
SHA256388728feb41c88a6dafb3e504a9dc1cf87352ca4d754175662d03ef75649746d
SHA51239f478e644ebdfb1b2c78fe7f8d5ea6a839463b1cb7cbbdc748f7f9c62c4836b37f4bc8977af712def6cde0c68551cd664f7eaf11205d78f8b67f57b6f204c8e
-
Filesize
679KB
MD58e056046e03d0f942780c4ea94378664
SHA19608aa6c35bbbe4df191e08958d5d23784e42f72
SHA256b6eb92aa452b1c7e114dca52fa575d935f7ae49ea48232c4b595a2066682a7b7
SHA512ff470528d7a759c1a8f473dafa2d604686c6e9c0447f506155c2068aa5e9997ea4bca6916cb164a6393fc4dc3fcf9ccd6ff86ba185ebf3dbafbb55a277a63511
-
Filesize
679KB
MD58e056046e03d0f942780c4ea94378664
SHA19608aa6c35bbbe4df191e08958d5d23784e42f72
SHA256b6eb92aa452b1c7e114dca52fa575d935f7ae49ea48232c4b595a2066682a7b7
SHA512ff470528d7a759c1a8f473dafa2d604686c6e9c0447f506155c2068aa5e9997ea4bca6916cb164a6393fc4dc3fcf9ccd6ff86ba185ebf3dbafbb55a277a63511
-
Filesize
353KB
MD5574053cb04d15de4c575baa87f8431c8
SHA175e5fabff276765e2fad5f1ffcecea882a9fe801
SHA256f663883c3adc16601854ff3e0027afcf2210d9cdb89c92550961486658785c9e
SHA512464c6cde472c9dcf53dd30e81f0ed1353c14c3262fa04f027371e7edb2d9a898b13efd6b8d9df6c9832dff0499f15311b5259f8d738f337ae78b89c6b4b49219
-
Filesize
353KB
MD5574053cb04d15de4c575baa87f8431c8
SHA175e5fabff276765e2fad5f1ffcecea882a9fe801
SHA256f663883c3adc16601854ff3e0027afcf2210d9cdb89c92550961486658785c9e
SHA512464c6cde472c9dcf53dd30e81f0ed1353c14c3262fa04f027371e7edb2d9a898b13efd6b8d9df6c9832dff0499f15311b5259f8d738f337ae78b89c6b4b49219
-
Filesize
336KB
MD535f057eecbe1901e56eb141a1689ea45
SHA12cc98ceb187dac55ed41088ad018af1f05fd0b35
SHA256d7014bf1e782697032c449bb255227cb7a8a3d73d10957cd50a09dc64e9226e6
SHA5123644627c6f36ecabdea393b83f53abcadfad3aa5fe80598825c3eb8c8e8b0b2708ec5be93ed589889ea57569f31d13a0d5605ae049818fcf360b51971c37232f
-
Filesize
336KB
MD535f057eecbe1901e56eb141a1689ea45
SHA12cc98ceb187dac55ed41088ad018af1f05fd0b35
SHA256d7014bf1e782697032c449bb255227cb7a8a3d73d10957cd50a09dc64e9226e6
SHA5123644627c6f36ecabdea393b83f53abcadfad3aa5fe80598825c3eb8c8e8b0b2708ec5be93ed589889ea57569f31d13a0d5605ae049818fcf360b51971c37232f
-
Filesize
13KB
MD57bf2d4905d3e8af3dd33ec6459bee103
SHA17d3cdaea72898d2335bfb600d03f6f485d52698f
SHA256c6b5901f4a617bf54dd74b8ae67eb27e396090e2df8ab9751fdf03b6a5185494
SHA512d9301ee79ef91e2a4ae4e3d5339eaaf29e845eea45cb97504a6d83aa766c11ff35ac49065770cf54ea7ae3afe43e747db8d6ef94991b611856afd94dc0eda2c6
-
Filesize
13KB
MD57bf2d4905d3e8af3dd33ec6459bee103
SHA17d3cdaea72898d2335bfb600d03f6f485d52698f
SHA256c6b5901f4a617bf54dd74b8ae67eb27e396090e2df8ab9751fdf03b6a5185494
SHA512d9301ee79ef91e2a4ae4e3d5339eaaf29e845eea45cb97504a6d83aa766c11ff35ac49065770cf54ea7ae3afe43e747db8d6ef94991b611856afd94dc0eda2c6
-
Filesize
294KB
MD5eac57a3e99e344936925213bb8b4138f
SHA159c653d755d4fd90a5da34d0859a11c2aaeca5f3
SHA25667f45bbde0f9010853e97cb36a18ac5869f170709c2b8b1886b6a8423c7b4b1d
SHA5129bc6b54b2c806cbd874176e292c236e760dcffb8b696f19dcfdf27554aae371f6790abc87e5c4b4aeed4393bd30f353c6b3844a84f7f25e98596c602563576f3
-
Filesize
294KB
MD5eac57a3e99e344936925213bb8b4138f
SHA159c653d755d4fd90a5da34d0859a11c2aaeca5f3
SHA25667f45bbde0f9010853e97cb36a18ac5869f170709c2b8b1886b6a8423c7b4b1d
SHA5129bc6b54b2c806cbd874176e292c236e760dcffb8b696f19dcfdf27554aae371f6790abc87e5c4b4aeed4393bd30f353c6b3844a84f7f25e98596c602563576f3
-
Filesize
89KB
MD59e9f6b48159690d4916e38b26d8f92cb
SHA12016224921b0791d3de7d897a520d5d35eb84f34
SHA2567705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053
SHA5125737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4
-
Filesize
89KB
MD59e9f6b48159690d4916e38b26d8f92cb
SHA12016224921b0791d3de7d897a520d5d35eb84f34
SHA2567705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053
SHA5125737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4
-
Filesize
89KB
MD59e9f6b48159690d4916e38b26d8f92cb
SHA12016224921b0791d3de7d897a520d5d35eb84f34
SHA2567705d3dc3b110aff6fd74fec7d343af5e49a0b7f696c231cc199ffaa6bf07053
SHA5125737c8b7cb3f0a2657ad57811458be04c9852374e9a30b8c25be3bc777e74c2d6b5a8ec07f122b0b79989a25c464d507495b8c9850ba7c52d2104e3adae3dbf4
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
300KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
40KB