Analysis
-
max time kernel
136s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
11-04-2023 11:56
General
-
Target
403c93b4504dc1589242f711190708b3d8b23a67adba757d6e9ebf0e636976d6.exe
-
Size
708KB
-
MD5
95368d1dbae85720641a0b521a04e6bc
-
SHA1
0d9f333f6e4de32f9357ecd6784d6713c4c28b6d
-
SHA256
403c93b4504dc1589242f711190708b3d8b23a67adba757d6e9ebf0e636976d6
-
SHA512
dabc157747b38b21860efd07f13a1572692d0ab62e8b1c8293881fd2368f288e8569c0e863cc85feffa636d5fdcb5dd9abb777567e513abac139645a438e1ebc
-
SSDEEP
12288:QMrLy90Pyj6jJTc5HgRFV8J4aGw69aABY/axQx4Ktjc/zQacWWu9XG0DZ7:LyD6lTc5HeFVmnGw69aABfxo4QjK9RGm
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
nahui
176.113.115.145:4125
-
auth_value
b9ed10946d21e28d58d0c72c535cde6f
Extracted
amadey
3.70
77.91.124.207/plays/chapter/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\403c93b4504dc1589242f711190708b3d8b23a67adba757d6e9ebf0e636976d6.exe"C:\Users\Admin\AppData\Local\Temp\403c93b4504dc1589242f711190708b3d8b23a67adba757d6e9ebf0e636976d6.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZS4197.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZS4197.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidJ3258.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidJ3258.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it502006.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it502006.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr157266.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr157266.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 13405⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp028696.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp028696.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr388567.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr388567.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 232 -ip 2321⤵
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr388567.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr388567.exeFilesize
229KB
MD56c07711a17452b855149a95cda6fc830
SHA15b3252c2567de78f9ae68764d4e30511a509fdcc
SHA256eb7e8334a5323f858f1ea97079e958beeb846651b573edc073b29a481b891e9f
SHA512ade99076fc768feb8e6620fe2fd3d5bbf67254844be60ebebaeeb01a2a239e14ff74dfa74ff6f6cd1389351a6b529c5f5f8491b3382f8b57f8a524b7dd0f35e2
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZS4197.exeFilesize
525KB
MD542cca9e4a5961803348ab8d3c4cbfead
SHA1e2a8fe4c3f2940635e423897d36c66bd6d275056
SHA2567f3adfdd95f0eb90c1f83ee9bd3a597a88f486ee07cec7b70c2d771e499b746e
SHA51283ed6bc74a288ae0f732f6898459c9eabcc585f2c5f52777b41cd7019fdbf943caf9709f32b66e0834e40ffe136d13de0cd3288c2e2df7e90b49ba2a7a0b6511
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZS4197.exeFilesize
525KB
MD542cca9e4a5961803348ab8d3c4cbfead
SHA1e2a8fe4c3f2940635e423897d36c66bd6d275056
SHA2567f3adfdd95f0eb90c1f83ee9bd3a597a88f486ee07cec7b70c2d771e499b746e
SHA51283ed6bc74a288ae0f732f6898459c9eabcc585f2c5f52777b41cd7019fdbf943caf9709f32b66e0834e40ffe136d13de0cd3288c2e2df7e90b49ba2a7a0b6511
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp028696.exeFilesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp028696.exeFilesize
175KB
MD5b2e599dec0856d70ebb2ab2327ae6442
SHA1300323436b47ddafa78cb7e835deb1ab09f13698
SHA256b1470330cd560723c67ad42eb7e8c8137271c5a729cd08a81d3028e8bb2e1c43
SHA512c5092c0377c8d7aa8a1097d52e2b96df41ce9b1b9a72bf0c3a1f10c7c60ea5831bb2c535e144f1908f39f2b93017d69fd9f24272b0e706bacd5970e84e909065
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidJ3258.exeFilesize
382KB
MD578c90b24711a4aaf78725c31bd861eb8
SHA1a9d60462a111af0fde6fee0080ffee2f06d2fb03
SHA256473360e3804387491f4bb8065727182dd2137906570b45c7db13deef3b3a471f
SHA5123cad44a6f2ad7727de99b44d135f1bfa9656963c57751a7e8cf94972f0b00564ac572d53cd1c67ad35abb759da50d36813a4c076825548e47c98199d27888b72
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidJ3258.exeFilesize
382KB
MD578c90b24711a4aaf78725c31bd861eb8
SHA1a9d60462a111af0fde6fee0080ffee2f06d2fb03
SHA256473360e3804387491f4bb8065727182dd2137906570b45c7db13deef3b3a471f
SHA5123cad44a6f2ad7727de99b44d135f1bfa9656963c57751a7e8cf94972f0b00564ac572d53cd1c67ad35abb759da50d36813a4c076825548e47c98199d27888b72
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it502006.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it502006.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr157266.exeFilesize
299KB
MD5136a403524a4cdec66a3efa9d3f394c4
SHA138c534b899d5ac378eee069881eb06a66c1f4196
SHA256ca674bdbe3d673eb027552c5e37fb50e11b00d8b4f29eab1984353d43ea791e3
SHA5125c6340213c2b3b0e215843fc30d58a1b53cc4a1934d888fe673db5faae85cf2e8e6622aa6bef292f2f47bdc2e451b46f237ad7895d985de34aec98b01ac58ffe
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr157266.exeFilesize
299KB
MD5136a403524a4cdec66a3efa9d3f394c4
SHA138c534b899d5ac378eee069881eb06a66c1f4196
SHA256ca674bdbe3d673eb027552c5e37fb50e11b00d8b4f29eab1984353d43ea791e3
SHA5125c6340213c2b3b0e215843fc30d58a1b53cc4a1934d888fe673db5faae85cf2e8e6622aa6bef292f2f47bdc2e451b46f237ad7895d985de34aec98b01ac58ffe
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
89KB
MD54061d8dd5006b99d06fa208c0063dfcf
SHA138e7df8d8e631f3e9b227df3b9326d187e18cce5
SHA256b380dd44db67571959bc5f04a5d9c1ec51e48c0617c59e7c4bcbf794a90320f0
SHA51271de12e3bcf0ff4996b71587d971f0b4e378397ffac22be28d4e41c7c865a85bbcff62cfa7bdfa6e18d19971205bf0021939ac49dec42daa749d4ac9f7e70314
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/232-204-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-224-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-178-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-180-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-182-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-184-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-186-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-188-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-190-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-192-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-194-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-196-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-198-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-200-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-202-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-174-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-206-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-208-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-210-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-212-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-214-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-216-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-218-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-220-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-222-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-176-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-226-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-1069-0x0000000005220000-0x0000000005838000-memory.dmpFilesize
6.1MB
-
memory/232-1070-0x00000000058A0000-0x00000000059AA000-memory.dmpFilesize
1.0MB
-
memory/232-1071-0x00000000059E0000-0x00000000059F2000-memory.dmpFilesize
72KB
-
memory/232-1072-0x0000000005A00000-0x0000000005A3C000-memory.dmpFilesize
240KB
-
memory/232-1073-0x00000000024A0000-0x00000000024B0000-memory.dmpFilesize
64KB
-
memory/232-1075-0x0000000005CF0000-0x0000000005D82000-memory.dmpFilesize
584KB
-
memory/232-1076-0x0000000005D90000-0x0000000005DF6000-memory.dmpFilesize
408KB
-
memory/232-1077-0x00000000066F0000-0x00000000068B2000-memory.dmpFilesize
1.8MB
-
memory/232-1078-0x00000000068D0000-0x0000000006DFC000-memory.dmpFilesize
5.2MB
-
memory/232-1079-0x00000000024A0000-0x00000000024B0000-memory.dmpFilesize
64KB
-
memory/232-1080-0x0000000006F40000-0x0000000006FB6000-memory.dmpFilesize
472KB
-
memory/232-1081-0x0000000006FD0000-0x0000000007020000-memory.dmpFilesize
320KB
-
memory/232-172-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-170-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-168-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-164-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-166-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-163-0x00000000050A0000-0x00000000050DF000-memory.dmpFilesize
252KB
-
memory/232-162-0x0000000004AB0000-0x0000000005054000-memory.dmpFilesize
5.6MB
-
memory/232-161-0x00000000024A0000-0x00000000024B0000-memory.dmpFilesize
64KB
-
memory/232-160-0x0000000000740000-0x000000000078B000-memory.dmpFilesize
300KB
-
memory/2924-1087-0x0000000000EE0000-0x0000000000F12000-memory.dmpFilesize
200KB
-
memory/2924-1088-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/4900-154-0x0000000000AA0000-0x0000000000AAA000-memory.dmpFilesize
40KB