Analysis

max time kernel: 30s
max time network: 83s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2023 13:14
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230712-en
General

Target: tmp.exe
Size: 6.8MB
MD5: 4fcd70f4d036361d2fef09cf03932f7b
SHA1: b8c39838498676d95a267e8f9ee2bb59edb8e76e
SHA256: bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
SHA512: 3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab
SSDEEP: 98304:TBWqiL18HkxPnA8n+wuxT4NqP2ozzv68ZslF8QLkY52P:9RiSk9pnNuiiXi8mF7LkY52P
Malware Config

Extracted
Family: amadey
Version: 3.80
C2: 45.15.156.208/jd9dd3Vw/index.php
C2: second.amadgood.com/jd9dd3Vw/index.php
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource | yara_rule
behavioral2/memory/640-290-0x0000000000400000-0x000000000045A000-memory.dmp | family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | taskhostclp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | tmp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | oneetx.exe

Downloads MZ/PE file
.NET Reactor protector 4 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
resource | yara_rule
behavioral2/files/0x000600000002321d-178.dat | net_reactor
behavioral2/files/0x000600000002321d-192.dat | net_reactor
behavioral2/files/0x000600000002321d-193.dat | net_reactor
behavioral2/memory/2080-195-0x0000000000480000-0x00000000007F0000-memory.dmp | net_reactor
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oneetx.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oneetx.exe

Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | tmp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE 4 IoCs
pid | Process
3268 | oneetx.exe
2080 | taskmask.exe
1232 | taskhostclp.exe
4888 | rdpcllp.exe
resource | yara_rule
behavioral2/memory/388-133-0x0000000000C10000-0x0000000001306000-memory.dmp | themida
behavioral2/memory/388-138-0x0000000000C10000-0x0000000001306000-memory.dmp | themida
behavioral2/memory/388-139-0x0000000000C10000-0x0000000001306000-memory.dmp | themida
behavioral2/memory/388-140-0x0000000000C10000-0x0000000001306000-memory.dmp | themida
behavioral2/memory/388-141-0x0000000000C10000-0x0000000001306000-memory.dmp | themida
behavioral2/files/0x00080000000231f6-146.dat | themida
behavioral2/files/0x00080000000231f6-150.dat | themida
behavioral2/memory/388-151-0x0000000000C10000-0x0000000001306000-memory.dmp | themida
behavioral2/memory/3268-152-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-156-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-157-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-158-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-159-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/files/0x00080000000231f6-160.dat | themida
behavioral2/memory/3268-173-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-194-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-234-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/files/0x00080000000231f6-305.dat | themida
behavioral2/memory/4732-309-0x0000000000920000-0x0000000001016000-memory.dmp | themida
behavioral2/memory/3268-310-0x0000000000920000-0x0000000001016000-memory.dmp | themida
Checks whether UAC is enabled 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | tmp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oneetx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostclp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid | Process
388 | tmp.exe
3268 | oneetx.exe
1232 | taskhostclp.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2080 set thread context of 640 | 2080 | taskmask.exe | 108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4332 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
388 | tmp.exe
388 | tmp.exe
3268 | oneetx.exe
3268 | oneetx.exe
4888 | rdpcllp.exe
4888 | rdpcllp.exe
4888 | rdpcllp.exe
4888 | rdpcllp.exe
2080 | taskmask.exe
2080 | taskmask.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2080 | taskmask.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
388 | tmp.exe

Suspicious use of WriteProcessMemory 45 IoCs
description | pid | Process | procid_target
PID 388 wrote to memory of 3268 | 388 | tmp.exe | 86
PID 388 wrote to memory of 3268 | 388 | tmp.exe | 86
PID 388 wrote to memory of 3268 | 388 | tmp.exe | 86
PID 3268 wrote to memory of 4332 | 3268 | oneetx.exe | 87
PID 3268 wrote to memory of 4332 | 3268 | oneetx.exe | 87
PID 3268 wrote to memory of 4332 | 3268 | oneetx.exe | 87
PID 3268 wrote to memory of 3396 | 3268 | oneetx.exe | 89
PID 3268 wrote to memory of 3396 | 3268 | oneetx.exe | 89
PID 3268 wrote to memory of 3396 | 3268 | oneetx.exe | 89
PID 3396 wrote to memory of 4032 | 3396 | cmd.exe | 91
PID 3396 wrote to memory of 4032 | 3396 | cmd.exe | 91
PID 3396 wrote to memory of 4032 | 3396 | cmd.exe | 91
PID 3396 wrote to memory of 2540 | 3396 | cmd.exe | 92
PID 3396 wrote to memory of 2540 | 3396 | cmd.exe | 92
PID 3396 wrote to memory of 2540 | 3396 | cmd.exe | 92
PID 3396 wrote to memory of 3560 | 3396 | cmd.exe | 93
PID 3396 wrote to memory of 3560 | 3396 | cmd.exe | 93
PID 3396 wrote to memory of 3560 | 3396 | cmd.exe | 93
PID 3396 wrote to memory of 2656 | 3396 | cmd.exe | 96
PID 3396 wrote to memory of 2656 | 3396 | cmd.exe | 96
PID 3396 wrote to memory of 2656 | 3396 | cmd.exe | 96
PID 3396 wrote to memory of 2216 | 3396 | cmd.exe | 97
PID 3396 wrote to memory of 2216 | 3396 | cmd.exe | 97
PID 3396 wrote to memory of 2216 | 3396 | cmd.exe | 97
PID 3396 wrote to memory of 1248 | 3396 | cmd.exe | 98
PID 3396 wrote to memory of 1248 | 3396 | cmd.exe | 98
PID 3396 wrote to memory of 1248 | 3396 | cmd.exe | 98
PID 3268 wrote to memory of 2080 | 3268 | oneetx.exe | 101
PID 3268 wrote to memory of 2080 | 3268 | oneetx.exe | 101
PID 3268 wrote to memory of 2080 | 3268 | oneetx.exe | 101
PID 3268 wrote to memory of 1232 | 3268 | oneetx.exe | 103
PID 3268 wrote to memory of 1232 | 3268 | oneetx.exe | 103
PID 3268 wrote to memory of 4888 | 3268 | oneetx.exe | 106
PID 3268 wrote to memory of 4888 | 3268 | oneetx.exe | 106
PID 2080 wrote to memory of 2440 | 2080 | taskmask.exe | 107
PID 2080 wrote to memory of 2440 | 2080 | taskmask.exe | 107
PID 2080 wrote to memory of 2440 | 2080 | taskmask.exe | 107
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
PID 2080 wrote to memory of 640 | 2080 | taskmask.exe | 108
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 388

  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3268

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
      - Creates scheduled task(s)
      PID: 4332

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      PID: 3396

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 4032

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "oneetx.exe" /P "Admin:N"
        PID: 2540

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "oneetx.exe" /P "Admin:R" /E
        PID: 3560

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 2656

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\eb0f58bce7" /P "Admin:N"
        PID: 2216

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\eb0f58bce7" /P "Admin:R" /E
        PID: 1248

    C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000120001\taskmask.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2080

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
        PID: 2440

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
        PID: 640

    C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000121001\taskhostclp.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 1232

      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        PID: 4032

    C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000122101\rdpcllp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 4888

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  PID: 4732
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.4MB
MD5: 126db18bbcf58a186b422970c57e4dbf
SHA1: 97246ee3686052bb9e1142ac789b421b1bb067cc
SHA256: 85693616d48b2266134fccd7197503d7da7d317c318016ea0f988c414a10e756
SHA512: 59a58b17323329286bfc85d410fb7d269f6df82d05fc603871ac4f3440e4cf36e5e4f3a5f19a410fa7f9b4c23785bf38440396e847bb1d87611c2551a12fbca6
Filesize: 3.2MB
MD5: 4472444218925ed8fd4982f141af1978
SHA1: 101ff99cec2f571002915f23290d495671967db3
SHA256: 613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c
SHA512: b2255bced17a9cf9ab8afb461cea7005d2df77984f3122609d82d9a2f7f5ec3ca23ee8f20f609e60937db134ef721bf90fd759ddbe4df9acbf6216d8d2e15cff
Filesize: 10.5MB
MD5: 78e97779f936b06a8c4c96240b7bc85b
SHA1: c005df8a050723df4127a429b00b9e1ac489c3ff
SHA256: f4edf7a7d5dba93cbf95ed6b266b64579544676b1f09a27fa487d3c95700eadc
SHA512: cda792eeb136f3d9a4136c4d7a38056835a01d1bad31e4d12f5381a3fdb86b24b7b1690c77c10f8244806b6316be07c78d1ffa4886ecf0a133b1d57d319f08d2
Filesize: 76KB
MD5: 13afd022074f6b0381a1dfb9e6a3cd92
SHA1: 38ac9850d10a3f631aa7238035f004891bc5cc25
SHA256: b7620ad43d277acfc0d91d28723be3595275a395b2ecaa9535893f2da7559038
SHA512: 01c1c7f0c417b48eaf54d24d60a0db4b2674221548568bf6c91f58549d49fa784a5026b747812f5d9e1e464c31972b7cba7f244e8ba78e1ed4b6d19b669f7322

Filesize: 6.8MB
MD5: 4fcd70f4d036361d2fef09cf03932f7b
SHA1: b8c39838498676d95a267e8f9ee2bb59edb8e76e
SHA256: bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
SHA512: 3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab