Analysis
-
max time kernel
126s -
max time network
94s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
11/04/2023, 09:40
General
-
Target
b34011b2d9af19f01ca51cc19623308c672ba4a1b37420e9dddd2a0933bd6af3.exe
-
Size
844KB
-
MD5
5e06a3607e156e419f3117cab6632f22
-
SHA1
68b0ff842a1d64d164ffe955daafadda7040f202
-
SHA256
b34011b2d9af19f01ca51cc19623308c672ba4a1b37420e9dddd2a0933bd6af3
-
SHA512
8ac9cffade9f8c2682bc920d9f59ea816db1dd150f0378385caf56de3425709d26bfbe370eb8fc21efd3172eed4466bcd1b53c7556eafedc426f82e09b2c3dcd
-
SSDEEP
24576:Jy70DfaCZH5IbJEroR5rKnH8VGA0lMQUqSYvF/VQ72:87AfhZZCpRZzB0GQU/mw
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
nahui
176.113.115.145:4125
-
auth_value
b9ed10946d21e28d58d0c72c535cde6f
Extracted
amadey
3.70
77.91.124.207/plays/chapter/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b34011b2d9af19f01ca51cc19623308c672ba4a1b37420e9dddd2a0933bd6af3.exe"C:\Users\Admin\AppData\Local\Temp\b34011b2d9af19f01ca51cc19623308c672ba4a1b37420e9dddd2a0933bd6af3.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un216899.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un216899.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un456237.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un456237.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr459144.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr459144.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu972788.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu972788.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk983978.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk983978.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si074052.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si074052.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
Filesize
661KB
MD590c9c58cede488696165afaaa91923bf
SHA104b200f88df1593ccb99c2e921ec833afa4d405d
SHA2563f0a4e5dc26e762370699b3232b1e3a460332a5e3bccc91987c6c4d5a017a93c
SHA51269e48eafaaba735166da7f1c17963de9942c29566f5817a0ad60dff403002298729f151f8781cbef60bd9ad542f605265abe3171cbe82367c3133b5b08f6b818
-
Filesize
661KB
MD590c9c58cede488696165afaaa91923bf
SHA104b200f88df1593ccb99c2e921ec833afa4d405d
SHA2563f0a4e5dc26e762370699b3232b1e3a460332a5e3bccc91987c6c4d5a017a93c
SHA51269e48eafaaba735166da7f1c17963de9942c29566f5817a0ad60dff403002298729f151f8781cbef60bd9ad542f605265abe3171cbe82367c3133b5b08f6b818
-
Filesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
Filesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
Filesize
519KB
MD5e8f4e9ca2bb2415422b8995cdbf38889
SHA1c966da142e6a7d8df11c242eaf2fe9db6b42d8f4
SHA25629c1b841513e272c2ddd85da1916ae988d5a44768378816165c57cb42633fb48
SHA5126a3b1a4157497f2ec979b6eeb226604f322ba98ecd851910ee8a10d25d7618f59255b3c1cecaef8c39c566ea4d44b57af55fc7f97018dfc56d9c61f53657f445
-
Filesize
519KB
MD5e8f4e9ca2bb2415422b8995cdbf38889
SHA1c966da142e6a7d8df11c242eaf2fe9db6b42d8f4
SHA25629c1b841513e272c2ddd85da1916ae988d5a44768378816165c57cb42633fb48
SHA5126a3b1a4157497f2ec979b6eeb226604f322ba98ecd851910ee8a10d25d7618f59255b3c1cecaef8c39c566ea4d44b57af55fc7f97018dfc56d9c61f53657f445
-
Filesize
239KB
MD5d41422749d6ab3ceb8270133b0b23075
SHA1ae5bc7df9e154deb6ea40eeec0c55813dc81ba50
SHA256979f49123b7f53c1d2c83c214e2be61beef05d30a262ff751fb5755e9010c944
SHA5125ab8a020af087743d8ec2982a74dca146fd08fe9637b72cd30ecb3d0cf3d05c8e28f5b5a758440ad4e19f19da16bed001571f3204126b31ca8cdb2ce925d0f44
-
Filesize
239KB
MD5d41422749d6ab3ceb8270133b0b23075
SHA1ae5bc7df9e154deb6ea40eeec0c55813dc81ba50
SHA256979f49123b7f53c1d2c83c214e2be61beef05d30a262ff751fb5755e9010c944
SHA5125ab8a020af087743d8ec2982a74dca146fd08fe9637b72cd30ecb3d0cf3d05c8e28f5b5a758440ad4e19f19da16bed001571f3204126b31ca8cdb2ce925d0f44
-
Filesize
299KB
MD50751bf80bc8a2a3dc886b9b38d736821
SHA12712ae1f9d49d06265cb3005743255d00177f373
SHA256d661b01bb0cc2ddde05864ecea76c53cf334584ec3512426b2731e66ff2520ff
SHA5121976ef3fe535eea0f413328ca0a265cf49da22f3a9604f08e9f0e0b109e13a4d25e19f5e10222badf39a4857a3f37bb641a0c8834cbab3deb5a85afda87d912f
-
Filesize
299KB
MD50751bf80bc8a2a3dc886b9b38d736821
SHA12712ae1f9d49d06265cb3005743255d00177f373
SHA256d661b01bb0cc2ddde05864ecea76c53cf334584ec3512426b2731e66ff2520ff
SHA5121976ef3fe535eea0f413328ca0a265cf49da22f3a9604f08e9f0e0b109e13a4d25e19f5e10222badf39a4857a3f37bb641a0c8834cbab3deb5a85afda87d912f
-
Filesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
Filesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
Filesize
5.0MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
680KB
-
Filesize
680KB
-
Filesize
180KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
280KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
320KB