Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
06/05/2023, 15:37
General
-
Target
e2887f7aa8f1414494e1811d62cd429e26d5dffb94f2bef873203a4db4c4b473.exe
-
Size
492KB
-
MD5
84b31f0ba80b863b961aa8285a590d48
-
SHA1
81bd5efa86dc9f307560d6df6d60f3eda99fb2cc
-
SHA256
e2887f7aa8f1414494e1811d62cd429e26d5dffb94f2bef873203a4db4c4b473
-
SHA512
b63fd87240e827d627f3b3931329fdb4bebefd6b1b03a095fc3fa6269e218515ecb3193cb8ad51b42bf12a83b2928c96dff4ccea64301c680ca7c6746b59c355
-
SSDEEP
12288:bMr8y90i+gO2bSfpf0t1I8TJgRlqV7dbbPAXiwBq:HyzbUMt11iEVRAXiwBq
Malware Config
Extracted
redline
luna
217.196.96.101:4132
-
auth_value
3372be6f6fa192ff878fa6fe9be73f6e
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2887f7aa8f1414494e1811d62cd429e26d5dffb94f2bef873203a4db4c4b473.exe"C:\Users\Admin\AppData\Local\Temp\e2887f7aa8f1414494e1811d62cd429e26d5dffb94f2bef873203a4db4c4b473.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1868160.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1868160.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2293581.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2293581.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3044276.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3044276.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6685049.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s6685049.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
230KB
MD59de946e9d62788b6b17b3ad1186cda37
SHA1c9a2f236bbe76d40236594c13165cfcd73721476
SHA256eeac15c5d420e9be61a9ffdbba51da2081edb515b3d99ad8d174385c105990b9
SHA5124782b9095fedf5f1b27e440d71b6f1721157215e58910dd7bc9933e459e6e0518df9523daf91fc574efc583f9ffcad0e349de714ead8e25572cc7ba24310d400
-
Filesize
309KB
MD5bac541a9e433aab727cbe7b12fd12def
SHA15ab1a4ded39bc8b13dcae4e65b428dd10ad8bacf
SHA2563efca9449a98600b374d08584722e5415cb801c7833d931788dc4e7fc51695b4
SHA512d351f890f98e270c70874d88bc908ab751b7678a84e59bc9a94617ff074db84219ba3b325f017a2cce474b80088d1cb1e5586d06c18cefbee94dbdbe60c10610
-
Filesize
309KB
MD5bac541a9e433aab727cbe7b12fd12def
SHA15ab1a4ded39bc8b13dcae4e65b428dd10ad8bacf
SHA2563efca9449a98600b374d08584722e5415cb801c7833d931788dc4e7fc51695b4
SHA512d351f890f98e270c70874d88bc908ab751b7678a84e59bc9a94617ff074db84219ba3b325f017a2cce474b80088d1cb1e5586d06c18cefbee94dbdbe60c10610
-
Filesize
176KB
MD52a02442fd8f21c08686be998a7399412
SHA1aa19bce0ae14dd95847421aaed4db0e50f134b28
SHA2561e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788
SHA512713ab1b145ce6fa3a0313aa776bc50565c9a4ffaf2976023aefd99614a6b7e3e4c6b3abf89187c3377f4dea0efcde5402118b8e9b87dd0af61f2973bf073beb1
-
Filesize
176KB
MD52a02442fd8f21c08686be998a7399412
SHA1aa19bce0ae14dd95847421aaed4db0e50f134b28
SHA2561e1525ffd32483cfc0f5e28d97ee9c7b19315acea9aa9380fd8f40002c232788
SHA512713ab1b145ce6fa3a0313aa776bc50565c9a4ffaf2976023aefd99614a6b7e3e4c6b3abf89187c3377f4dea0efcde5402118b8e9b87dd0af61f2973bf073beb1
-
Filesize
168KB
MD5c2d5990b6d39d440dbe883882aabc7fb
SHA1cb0dabecd6e3c7bfc1fb19ab5773be44b261ae6f
SHA256b1897addc29cd04c0ef916e171248c133eb7b4b74a66500678667b7a0ddd26de
SHA5121971d18d48648785b8a21483a06399e77ad2a7c7cca1ff3d09eabe239fecb9e54acc924f560b1c64ab4534d9cc1f7e52fe3e7c122a79c102e7ef03e29f86a56f
-
Filesize
168KB
MD5c2d5990b6d39d440dbe883882aabc7fb
SHA1cb0dabecd6e3c7bfc1fb19ab5773be44b261ae6f
SHA256b1897addc29cd04c0ef916e171248c133eb7b4b74a66500678667b7a0ddd26de
SHA5121971d18d48648785b8a21483a06399e77ad2a7c7cca1ff3d09eabe239fecb9e54acc924f560b1c64ab4534d9cc1f7e52fe3e7c122a79c102e7ef03e29f86a56f
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
64KB