Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
20-04-2024 20:19
General
-
Target
2a5fbbb9305976c9ccb1cfd3280d67d299003c58d85c9afc142e0d64213c3bea.exe
-
Size
1.2MB
-
MD5
3054d6b50fa20563cdac3e8f3879afc9
-
SHA1
aab0db34b3f0c3912872b7c4a4c8c82ed127393d
-
SHA256
2a5fbbb9305976c9ccb1cfd3280d67d299003c58d85c9afc142e0d64213c3bea
-
SHA512
5f41b918d84a6f4c76f1c23d8b1d65319d5d0c423355275f7fa4c7c187ff7a47740e37425cbdc7898c2c7af81377b20472d7b3346fd1983381e7a145a884afff
-
SSDEEP
24576:gyYB1XWl1uTw5eKK4VzNRCURNW1WNKTRx+A9RGqlEyEYY:nYjIeKK4VJRC0o1WglNE
Malware Config
Extracted
redline
trush
77.91.124.82:19071
-
auth_value
c13814867cde8193679cd0cad2d774be
Extracted
amadey
3.89
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 4 IoCs
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Detects executables containing SQL queries to confidential data stores. Observed in infostealers 4 IoCs
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
-
Detects executables packed with ConfuserEx Mod 1 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 4 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 14 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a5fbbb9305976c9ccb1cfd3280d67d299003c58d85c9afc142e0d64213c3bea.exe"C:\Users\Admin\AppData\Local\Temp\2a5fbbb9305976c9ccb1cfd3280d67d299003c58d85c9afc142e0d64213c3bea.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0496335.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0496335.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9864428.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9864428.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6994770.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6994770.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q9605826.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q9605826.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3873207.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3873207.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 5407⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 1366⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7705913.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7705913.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1365⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t1555293.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t1555293.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u7064660.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\u7064660.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:N"5⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:R" /E5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3932 -ip 39321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3360 -ip 33601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1208 -ip 12081⤵
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0496335.exeFilesize
1.0MB
MD5e95335fbfb0443027c4c438f6b6fd4c0
SHA1ebcad9c2180c6fb7f70acafca4d53b9301bb90bc
SHA2561f38f0b40a7f46723bc3a4aee6f772fbacbf253a86d489f4fc73d1cad63b1c96
SHA512fce8d7f05ce26c1232559de77696973cc88b700b46be95aa1c6a53b1d2e017f0f48e1ba398598ffc0f3cdc02483cad22c48b7aab368913d8651915cdf76df957
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\t1555293.exeFilesize
219KB
MD5c256a814d3f9d02d73029580dfe882b3
SHA1e11e9ea937183139753f3b0d5e71c8301d000896
SHA25653f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
SHA5121f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9864428.exeFilesize
867KB
MD57384031483f19afd77a2b122d0482941
SHA1b884f001268527ff5ebb464a0f6d81659eac1b5e
SHA25602eb6e7d044aedc63de3200022733fb8cc39da3369dc21111fa62afb64d092e6
SHA512e17f26eb49c249de91b76deff7125ae86f8bf909056940c978368ea466cd4051248c7a5d80a845d6370676ac3a20ec917dc8fa5e8c1ab3cb3923a02e306a4ed4
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s7705913.exeFilesize
1.0MB
MD58068345317a8275d6c40f76bb1dd5fe1
SHA142e69f613c8981d3d6de36c5b958aa3a820c9590
SHA256b7dcdb3e3ac824a16b8b56bca0d5c76bc17cb6460c973194fb0e09b1f1707630
SHA5125f9486bc12e10227abda1e8c80920084f4c1530cfcd5e377ea49c3d03e99dc5958a679d866bc573398b6a9b2ceb929012f93fd5e25be6cfbd8a11883a534f711
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6994770.exeFilesize
475KB
MD5beb5b94e2ee44d9e7c25e2e5a4002e8c
SHA1275e4b66e56662b79b20f064b4bdc330a5397d97
SHA2567644aa389273bc7400478b8be7be1f6755ada6c489ef757d2071ba6b29845233
SHA512686e9556ee174dd4f7ea40b99a436db4ab4e8eda06998ae2f01a05c7324877011f80704252995a89a52401958a3b9c014673664f187924343169f006042c72d5
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\q9605826.exeFilesize
11KB
MD5256541c79ebd537a8cfc6f7787a03205
SHA15ce13e898d5fbdf25295c5f94e1a6197e7362030
SHA256e585d958c3e06f068d612e8bee2618222fadd4da63a98d58869242c9e5faf0ff
SHA5123267ef7a2598216f827c6f7f0e3da6ec8f99acddfd9a6cd711e8b8cbbe2ef19083fcf03da7619d780044a0cd6cc8a8bc668455fe799fba86fe942fe03e2eee83
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r3873207.exeFilesize
1.0MB
MD57006f4633e856d4f7902c4512919a23f
SHA1569d98afd89bd7a13d96bbf9279c9cabbe8137ce
SHA25680b202014080de3be4ff56032cfa8c6ef158b1d543e40b84df8f322a70663467
SHA512791168bfc6e68ee0e2b584639a31cdade02193014feb0503d81d86252cae655bb2dc3dd6bc0cadaf0f8e3b98d1e3fb456ac7ee89205258898b7a931f19d26c8c
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeFilesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
memory/3360-35-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3360-36-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3360-37-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3360-39-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/4452-31-0x00007FF9727E0000-0x00007FF9732A1000-memory.dmpFilesize
10.8MB
-
memory/4452-29-0x00007FF9727E0000-0x00007FF9732A1000-memory.dmpFilesize
10.8MB
-
memory/4452-28-0x0000000000240000-0x000000000024A000-memory.dmpFilesize
40KB
-
memory/4852-60-0x0000000002DA0000-0x0000000002DB0000-memory.dmpFilesize
64KB
-
memory/4852-45-0x0000000074070000-0x0000000074820000-memory.dmpFilesize
7.7MB
-
memory/4852-55-0x0000000005980000-0x0000000005F98000-memory.dmpFilesize
6.1MB
-
memory/4852-56-0x0000000005470000-0x000000000557A000-memory.dmpFilesize
1.0MB
-
memory/4852-43-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/4852-61-0x0000000005360000-0x0000000005372000-memory.dmpFilesize
72KB
-
memory/4852-44-0x0000000002DB0000-0x0000000002DB6000-memory.dmpFilesize
24KB
-
memory/4852-67-0x00000000053C0000-0x00000000053FC000-memory.dmpFilesize
240KB
-
memory/4852-75-0x0000000005400000-0x000000000544C000-memory.dmpFilesize
304KB
-
memory/4852-76-0x0000000074070000-0x0000000074820000-memory.dmpFilesize
7.7MB
-
memory/4852-79-0x0000000002DA0000-0x0000000002DB0000-memory.dmpFilesize
64KB