Analysis
-
max time kernel
144s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
10-05-2023 07:15
General
-
Target
b4ea30b9c83ada809e282bd25b344ea0fa77e16b177ca90174a614c4e778e355.exe
-
Size
490KB
-
MD5
5ab12005ee7248962cb63d09d6444574
-
SHA1
27c90c6d0c87026927b8d8aff14f19df3f828034
-
SHA256
b4ea30b9c83ada809e282bd25b344ea0fa77e16b177ca90174a614c4e778e355
-
SHA512
49e88b71dcbf93f557a00c0ad0ea25574e4471819a13a0965c58e8525a04888538a0bedad3107d3badd7a39bbf89c08548c105bbc8bb633406263110d5368465
-
SSDEEP
12288:4Mrpy90RPEHglJo5c1u31/TME9/Zu+9Htw4xH/EvgvY:ByqPCjXhTFhZu+9C+E
Malware Config
Extracted
redline
lurfa
217.196.96.102:4132
-
auth_value
f6c26c2a5c6c25ae5b2e9abf31f6341d
Extracted
amadey
3.70
212.113.119.255/joomla/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4ea30b9c83ada809e282bd25b344ea0fa77e16b177ca90174a614c4e778e355.exe"C:\Users\Admin\AppData\Local\Temp\b4ea30b9c83ada809e282bd25b344ea0fa77e16b177ca90174a614c4e778e355.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5923015.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5923015.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4695150.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o4695150.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2584891.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2584891.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2459321.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s2459321.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
232KB
MD5530a729feb2c93cdb4a424776981c94c
SHA11114726efe626a4eb20f7e3cd1798db7ca751f65
SHA2569a907f54117629836c888ea7fe975a08388b33bda0c4dc594d222d2010c963dc
SHA512d8c9d5f0634c314afc942063a47a45370259378ebbf29aa4c13150be90a7abd5ee58c94d198e66284d67cc87278ad10eb891dd909553623fd232ab021e735193
-
Filesize
307KB
MD587c0a1d6cbef8a62c6b308827a7e23d0
SHA1094467b18b915e7233c2412ea3a4063c62d6e95b
SHA25620f094e91ba248342d49280ea5f9d8ed1bdea74a14f1945c4fde00972741a2c4
SHA5124dbd0c3361f32c841487bf466cff31615645e9a75707013c88264c72c52067370962ffba30f6bcdc0158a34b3b3366ed2021ea682a7d801ba273ee3453e25652
-
Filesize
307KB
MD587c0a1d6cbef8a62c6b308827a7e23d0
SHA1094467b18b915e7233c2412ea3a4063c62d6e95b
SHA25620f094e91ba248342d49280ea5f9d8ed1bdea74a14f1945c4fde00972741a2c4
SHA5124dbd0c3361f32c841487bf466cff31615645e9a75707013c88264c72c52067370962ffba30f6bcdc0158a34b3b3366ed2021ea682a7d801ba273ee3453e25652
-
Filesize
182KB
MD5fd03f165f2a74ffe3f1fe7ff72bb810a
SHA12a55ad2397a5824ee7493a34b20815e95a19baeb
SHA2568055008e7f656e1039d1af9e623070142481f1956a0dc17183883dc7b204f78b
SHA512385afd21d5af13205fa43823b5324dbb00d858afdf8fcae53d11a1828f0dc7a5d2f4324067577fceedd4a774120c7fbfe53f75d6630b329ea608a9c952192394
-
Filesize
182KB
MD5fd03f165f2a74ffe3f1fe7ff72bb810a
SHA12a55ad2397a5824ee7493a34b20815e95a19baeb
SHA2568055008e7f656e1039d1af9e623070142481f1956a0dc17183883dc7b204f78b
SHA512385afd21d5af13205fa43823b5324dbb00d858afdf8fcae53d11a1828f0dc7a5d2f4324067577fceedd4a774120c7fbfe53f75d6630b329ea608a9c952192394
-
Filesize
168KB
MD5f9c63fa697b6e29322f49a7a080b2ba1
SHA1c1b0ebd4c31938fe0532c249c771b7a6b3aa6d61
SHA256d7dd8a5a7250c50faddc45d3b094e93ecf020274cbb1d3dcf592bcfebe812b3e
SHA5122deaa33c76a73004dd950971f3cf5c3114296f625002e15a80bd5cdc9a6822c61a49705b233298a1a9d907fb5047b4817fa99b63683a5f27054a7f48e4a5c1b7
-
Filesize
168KB
MD5f9c63fa697b6e29322f49a7a080b2ba1
SHA1c1b0ebd4c31938fe0532c249c771b7a6b3aa6d61
SHA256d7dd8a5a7250c50faddc45d3b094e93ecf020274cbb1d3dcf592bcfebe812b3e
SHA5122deaa33c76a73004dd950971f3cf5c3114296f625002e15a80bd5cdc9a6822c61a49705b233298a1a9d907fb5047b4817fa99b63683a5f27054a7f48e4a5c1b7
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
89KB
MD573df88d68a4f5e066784d462788cf695
SHA1e4bfed336848d0b622fa464d40cf4bd9222aab3f
SHA256f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f
SHA51264c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
184KB