Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
08-05-2023 23:39
General
-
Target
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e.exe
-
Size
238KB
-
MD5
c23d62c9166ae248fe9fe078328182f9
-
SHA1
ce684054121205b1cd7befc016644680fd5b29d5
-
SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
-
SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
SSDEEP
6144:qZOKsgHE8srZb6sbJ42UqQqcuFCXogRNEFWa0:RpBJuqsuFCXogRNI0
Malware Config
Extracted
amadey
3.70
tadogem.com/dF30Hn4m/index.php
Extracted
redline
135.181.11.39:21717
-
auth_value
8371c94cfa5b9230afb9ccb73536d331
Extracted
systembc
65.21.119.52:4277
localhost.exchange:4277
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e.exe"C:\Users\Admin\AppData\Local\Temp\90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\1000030050\cl.exe"C:\Users\Admin\AppData\Roaming\1000030050\cl.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1000031000\st.exe"C:\Users\Admin\AppData\Roaming\1000031000\st.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 4884⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000032060\sc64.dll, rundll3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000032060\sc64.dll, rundll4⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 228 -ip 2281⤵
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\805025096232Filesize
79KB
MD504ab3b6d87fc93dff7df3107f9540f7f
SHA1197bf0d178d402a00529b77d6052cd0afd6a5edb
SHA256a1e8a46e6eb533f95ec61950b08bce2e357f504c37be89d764510998fcc80567
SHA51295f9220ffa00cfaf841503c167b617ca310d077b40776df65737d135a193d378885005ea1b797aaeeed280039f7ee978aa78ab1c74ccc7277225c1a5bbed82f5
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeFilesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeFilesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeFilesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeFilesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeFilesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeFilesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
C:\Users\Admin\AppData\Roaming\1000030050\cl.exeFilesize
62KB
MD50436a997ac0d9b0e59354b723080b22f
SHA11743b0f3eeef2e229f849a2260636a827986ecb1
SHA256f51788dde2e0fbf0393486b3f09c35b00c903d37ceaa1a7ed77f24a8cf89046a
SHA51280f588c802f105d17ebda303ffa27afa6f14dc4c240db8f3038477172fa247c8502a36516c4e727831707bc4368550baf05501f0f9d02007f660fd15908186c8
-
C:\Users\Admin\AppData\Roaming\1000030050\cl.exeFilesize
62KB
MD50436a997ac0d9b0e59354b723080b22f
SHA11743b0f3eeef2e229f849a2260636a827986ecb1
SHA256f51788dde2e0fbf0393486b3f09c35b00c903d37ceaa1a7ed77f24a8cf89046a
SHA51280f588c802f105d17ebda303ffa27afa6f14dc4c240db8f3038477172fa247c8502a36516c4e727831707bc4368550baf05501f0f9d02007f660fd15908186c8
-
C:\Users\Admin\AppData\Roaming\1000030050\cl.exeFilesize
62KB
MD50436a997ac0d9b0e59354b723080b22f
SHA11743b0f3eeef2e229f849a2260636a827986ecb1
SHA256f51788dde2e0fbf0393486b3f09c35b00c903d37ceaa1a7ed77f24a8cf89046a
SHA51280f588c802f105d17ebda303ffa27afa6f14dc4c240db8f3038477172fa247c8502a36516c4e727831707bc4368550baf05501f0f9d02007f660fd15908186c8
-
C:\Users\Admin\AppData\Roaming\1000031000\st.exeFilesize
315KB
MD54ea7503e4cd02c1dfd3bad789b836e66
SHA1f7d24808af406843b848e1cd0fe2f208f8d2710f
SHA25607954037eb4c5c354870eb6139994ff42005300cfe1f089472af671156d63982
SHA51276f6937d8f0dd66988ababfeb1c93051999930ab5a26a0e884d6c563df6788dfcde3b7ddda58a56711cd9d4b23b705e6a549ee7c6fe14db7c6ba2853e537430d
-
C:\Users\Admin\AppData\Roaming\1000031000\st.exeFilesize
315KB
MD54ea7503e4cd02c1dfd3bad789b836e66
SHA1f7d24808af406843b848e1cd0fe2f208f8d2710f
SHA25607954037eb4c5c354870eb6139994ff42005300cfe1f089472af671156d63982
SHA51276f6937d8f0dd66988ababfeb1c93051999930ab5a26a0e884d6c563df6788dfcde3b7ddda58a56711cd9d4b23b705e6a549ee7c6fe14db7c6ba2853e537430d
-
C:\Users\Admin\AppData\Roaming\1000031000\st.exeFilesize
315KB
MD54ea7503e4cd02c1dfd3bad789b836e66
SHA1f7d24808af406843b848e1cd0fe2f208f8d2710f
SHA25607954037eb4c5c354870eb6139994ff42005300cfe1f089472af671156d63982
SHA51276f6937d8f0dd66988ababfeb1c93051999930ab5a26a0e884d6c563df6788dfcde3b7ddda58a56711cd9d4b23b705e6a549ee7c6fe14db7c6ba2853e537430d
-
C:\Users\Admin\AppData\Roaming\1000032060\sc64.dllFilesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
C:\Users\Admin\AppData\Roaming\1000032060\sc64.dllFilesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
C:\Users\Admin\AppData\Roaming\1000032060\sc64.dllFilesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
C:\Users\Admin\AppData\Roaming\1000032060\sc64.dllFilesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dllFilesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
memory/4112-251-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/4112-234-0x0000000005560000-0x0000000005570000-memory.dmpFilesize
64KB
-
memory/4112-176-0x0000000000BD0000-0x0000000000BE2000-memory.dmpFilesize
72KB
-
memory/4596-215-0x000000000A180000-0x000000000A28A000-memory.dmpFilesize
1.0MB
-
memory/4596-221-0x000000000A4B0000-0x000000000A516000-memory.dmpFilesize
408KB
-
memory/4596-222-0x000000000B650000-0x000000000BBF4000-memory.dmpFilesize
5.6MB
-
memory/4596-223-0x0000000002720000-0x0000000002730000-memory.dmpFilesize
64KB
-
memory/4596-224-0x000000000B400000-0x000000000B5C2000-memory.dmpFilesize
1.8MB
-
memory/4596-225-0x000000000C130000-0x000000000C65C000-memory.dmpFilesize
5.2MB
-
memory/4596-220-0x000000000A550000-0x000000000A5E2000-memory.dmpFilesize
584KB
-
memory/4596-231-0x000000000BD50000-0x000000000BDA0000-memory.dmpFilesize
320KB
-
memory/4596-219-0x000000000A430000-0x000000000A4A6000-memory.dmpFilesize
472KB
-
memory/4596-218-0x0000000002720000-0x0000000002730000-memory.dmpFilesize
64KB
-
memory/4596-217-0x000000000A110000-0x000000000A14C000-memory.dmpFilesize
240KB
-
memory/4596-216-0x000000000A0B0000-0x000000000A0C2000-memory.dmpFilesize
72KB
-
memory/4596-214-0x000000000A680000-0x000000000AC98000-memory.dmpFilesize
6.1MB
-
memory/4596-197-0x0000000000720000-0x000000000074E000-memory.dmpFilesize
184KB