amadey | dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a

Analysis

max time kernel
133s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe
Size

490KB
MD5

3237ba9fc7003847b847b33f0f13883f
SHA1

932f9c16dd9fd4516c94e64e18a857d0eae609f9
SHA256

dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a
SHA512

003a86ec744b0291f94bf90e17d8d7a24382d5333b044111a4fb89e0a0f50ccf07898109b849ee5357bafd6a60a8e12b30679d0b1b71f46872bfc1c982f09564
SSDEEP

12288:hMr2y90QLn+IvW7M3NcneSRqNMSbysp4JRU:DyVLn+yweIqNMSbyf6

Score

10^/10

amadey redline lada discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

lada

217.196.96.101:4132

Attributes

auth_value
0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o5068372.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o5068372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o5068372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o5068372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o5068372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o5068372.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o5068372.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s2096480.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s2096480.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 5 IoCs

Processes:

z3425684.exeo5068372.exer6690312.exes2096480.exeoneetx.exe

pid process

2584 z3425684.exe
1228 o5068372.exe
2196 r6690312.exe
3200 s2096480.exe
4520 oneetx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2584	z3425684.exe
1228	o5068372.exe
2196	r6690312.exe
3200	s2096480.exe
4520	oneetx.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

o5068372.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o5068372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o5068372.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exez3425684.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3425684.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3425684.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4416 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

o5068372.exer6690312.exe

pid process

1228 o5068372.exe
1228 o5068372.exe
2196 r6690312.exe
2196 r6690312.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

o5068372.exer6690312.exe

description pid process

Token: SeDebugPrivilege 1228 o5068372.exe
Token: SeDebugPrivilege 2196 r6690312.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

s2096480.exe

pid process

3200 s2096480.exe

pid	process
4416	schtasks.exe

pid	process
1228	o5068372.exe
1228	o5068372.exe
2196	r6690312.exe
2196	r6690312.exe

description	pid	process
Token: SeDebugPrivilege	1228	o5068372.exe
Token: SeDebugPrivilege	2196	r6690312.exe

pid	process
3200	s2096480.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exez3425684.exes2096480.exeoneetx.exe

description	pid	process	target process
PID 3468 wrote to memory of 2584	3468	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe	z3425684.exe
PID 3468 wrote to memory of 2584	3468	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe	z3425684.exe
PID 3468 wrote to memory of 2584	3468	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe	z3425684.exe
PID 2584 wrote to memory of 1228	2584	z3425684.exe	o5068372.exe
PID 2584 wrote to memory of 1228	2584	z3425684.exe	o5068372.exe
PID 2584 wrote to memory of 1228	2584	z3425684.exe	o5068372.exe
PID 2584 wrote to memory of 2196	2584	z3425684.exe	r6690312.exe
PID 2584 wrote to memory of 2196	2584	z3425684.exe	r6690312.exe
PID 2584 wrote to memory of 2196	2584	z3425684.exe	r6690312.exe
PID 3468 wrote to memory of 3200	3468	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe	s2096480.exe
PID 3468 wrote to memory of 3200	3468	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe	s2096480.exe
PID 3468 wrote to memory of 3200	3468	dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe	s2096480.exe
PID 3200 wrote to memory of 4520	3200	s2096480.exe	oneetx.exe
PID 3200 wrote to memory of 4520	3200	s2096480.exe	oneetx.exe
PID 3200 wrote to memory of 4520	3200	s2096480.exe	oneetx.exe
PID 4520 wrote to memory of 4416	4520	oneetx.exe	schtasks.exe
PID 4520 wrote to memory of 4416	4520	oneetx.exe	schtasks.exe
PID 4520 wrote to memory of 4416	4520	oneetx.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe
"C:\Users\Admin\AppData\Local\Temp\dddec710759e113aef2a20c65157787d5c698dda7a4bc83aa5e245a253e4cc2a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3425684.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3425684.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o5068372.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o5068372.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6690312.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6690312.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2096480.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2096480.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
231KB

MD5
7651f5413bdb2706ee7ca9543bf82335

SHA1
de98b466ba8a29869f40f02c38beb8ca69be0e30

SHA256
7cc4dd7ace8862bae328b37ea423be36259b2d8dff6c1f460a23849441b76b62

SHA512
500d183da55c31d7a35841f7372fffa028d7abd3e3869d1252dd10a84dc29e15dc9319204457ebdfc8e47d631b69ffedaa3917996a95bbf57311bb5c544c37f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
231KB

MD5
7651f5413bdb2706ee7ca9543bf82335

SHA1
de98b466ba8a29869f40f02c38beb8ca69be0e30

SHA256
7cc4dd7ace8862bae328b37ea423be36259b2d8dff6c1f460a23849441b76b62

SHA512
500d183da55c31d7a35841f7372fffa028d7abd3e3869d1252dd10a84dc29e15dc9319204457ebdfc8e47d631b69ffedaa3917996a95bbf57311bb5c544c37f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
231KB

MD5
7651f5413bdb2706ee7ca9543bf82335

SHA1
de98b466ba8a29869f40f02c38beb8ca69be0e30

SHA256
7cc4dd7ace8862bae328b37ea423be36259b2d8dff6c1f460a23849441b76b62

SHA512
500d183da55c31d7a35841f7372fffa028d7abd3e3869d1252dd10a84dc29e15dc9319204457ebdfc8e47d631b69ffedaa3917996a95bbf57311bb5c544c37f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2096480.exe
Filesize
231KB

MD5
7651f5413bdb2706ee7ca9543bf82335

SHA1
de98b466ba8a29869f40f02c38beb8ca69be0e30

SHA256
7cc4dd7ace8862bae328b37ea423be36259b2d8dff6c1f460a23849441b76b62

SHA512
500d183da55c31d7a35841f7372fffa028d7abd3e3869d1252dd10a84dc29e15dc9319204457ebdfc8e47d631b69ffedaa3917996a95bbf57311bb5c544c37f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2096480.exe
Filesize
231KB

MD5
7651f5413bdb2706ee7ca9543bf82335

SHA1
de98b466ba8a29869f40f02c38beb8ca69be0e30

SHA256
7cc4dd7ace8862bae328b37ea423be36259b2d8dff6c1f460a23849441b76b62

SHA512
500d183da55c31d7a35841f7372fffa028d7abd3e3869d1252dd10a84dc29e15dc9319204457ebdfc8e47d631b69ffedaa3917996a95bbf57311bb5c544c37f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3425684.exe
Filesize
307KB

MD5
d38d3b52efac9dc2443b86d830167fce

SHA1
5603c5a15643050c0f22fba128f888e9a01c6519

SHA256
d61a7773d3b454e7cda56e60c65ebc810e4578ec9c43993d2e7763e9e4f3cfe9

SHA512
1ca1a62b55a93ad9040134af145fad3759bd5dc811b607acf24ff880986d2906b07dcc4a2d1f671b62d82bc59bb1994ba34bdb8eadfbfd837c768680a08ad0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3425684.exe
Filesize
307KB

MD5
d38d3b52efac9dc2443b86d830167fce

SHA1
5603c5a15643050c0f22fba128f888e9a01c6519

SHA256
d61a7773d3b454e7cda56e60c65ebc810e4578ec9c43993d2e7763e9e4f3cfe9

SHA512
1ca1a62b55a93ad9040134af145fad3759bd5dc811b607acf24ff880986d2906b07dcc4a2d1f671b62d82bc59bb1994ba34bdb8eadfbfd837c768680a08ad0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o5068372.exe
Filesize
177KB

MD5
84666210ea1e4389f30188686d5e2d5c

SHA1
a9c4867b81e0745e9c192ccb261d7e82fc920e6d

SHA256
32927e6151a8bde86b42046463044622d6abcc19aa0f12f99daeafed3a14c308

SHA512
5452fb664e8e248146f0787207424658399cbb2378d2950f3e2daa6ce716b8dd1c6d5d938dd07d376182e3195a59be250bf1c930a5f32b550a497b1a6d047775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o5068372.exe
Filesize
177KB

MD5
84666210ea1e4389f30188686d5e2d5c

SHA1
a9c4867b81e0745e9c192ccb261d7e82fc920e6d

SHA256
32927e6151a8bde86b42046463044622d6abcc19aa0f12f99daeafed3a14c308

SHA512
5452fb664e8e248146f0787207424658399cbb2378d2950f3e2daa6ce716b8dd1c6d5d938dd07d376182e3195a59be250bf1c930a5f32b550a497b1a6d047775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6690312.exe
Filesize
168KB

MD5
41615401f15bc11d1455557c7447f369

SHA1
cf8c639ae8b9f9aa5f6d8ff0b0aa15ab19ee17f0

SHA256
1f7443270f577f14227c50e5dc5bed46be4e6d36cbdf07acfc9001bb3b3436a0

SHA512
88a9ddff446bfbb9159cb4e3e68157c8f73f52aa3fabd2fa069a59840beda1a8ca860e10571e3c62d97db1792ac4a61db708ca2afc63ca7f1aacb2a59e04b179

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6690312.exe
Filesize
168KB

MD5
41615401f15bc11d1455557c7447f369

SHA1
cf8c639ae8b9f9aa5f6d8ff0b0aa15ab19ee17f0

SHA256
1f7443270f577f14227c50e5dc5bed46be4e6d36cbdf07acfc9001bb3b3436a0

SHA512
88a9ddff446bfbb9159cb4e3e68157c8f73f52aa3fabd2fa069a59840beda1a8ca860e10571e3c62d97db1792ac4a61db708ca2afc63ca7f1aacb2a59e04b179

Download Submit
memory/1228-178-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1228-175-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-161-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-163-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-165-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-167-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-169-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-171-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-173-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-151-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-177-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-157-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-179-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1228-153-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-155-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-147-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1228-148-0x0000000004A50000-0x0000000004A60000-memory.dmp

Filesize
64KB

Download
memory/1228-159-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/1228-149-0x0000000004A60000-0x0000000005004000-memory.dmp

Filesize
5.6MB

Download
memory/1228-150-0x0000000004960000-0x0000000004972000-memory.dmp

Filesize
72KB

Download
memory/2196-186-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/2196-190-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/2196-191-0x0000000005A00000-0x0000000005A76000-memory.dmp

Filesize
472KB

Download
memory/2196-192-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/2196-193-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/2196-194-0x0000000006080000-0x0000000006242000-memory.dmp

Filesize
1.8MB

Download
memory/2196-195-0x0000000008590000-0x0000000008ABC000-memory.dmp

Filesize
5.2MB

Download
memory/2196-196-0x00000000062F0000-0x0000000006340000-memory.dmp

Filesize
320KB

Download
memory/2196-189-0x0000000004D00000-0x0000000004D3C000-memory.dmp

Filesize
240KB

Download
memory/2196-188-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/2196-187-0x0000000004CE0000-0x0000000004CF2000-memory.dmp

Filesize
72KB

Download
memory/2196-185-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/2196-184-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download