Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:38

General

  • Target

    d73983a05531434ce8059cbecd66902874ebb8b890a3d571cf7d1a5b9808c76c.exe

  • Size

    1.2MB

  • MD5

    7c470fc200e97e4dbe58df22d2b3b0ae

  • SHA1

    a82caca7cf70347719d24a83a1a4f0964af3934b

  • SHA256

    d73983a05531434ce8059cbecd66902874ebb8b890a3d571cf7d1a5b9808c76c

  • SHA512

    a32dc2628bd6887040ce6b529705cc33f58814a03b2bc7ef232f98f3a0239762c58d0c54e97eaa890ab7b4adc372d08f68b80bedbe1f39c552bea97e480d4f91

  • SSDEEP

    24576:4ymuTV0Vt0N93LcJod7N0KatjE5qkZgN4jlP32O8LmBWvfa4D:/xiV83LJ50KatjEQ0gNwVYLj

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d73983a05531434ce8059cbecd66902874ebb8b890a3d571cf7d1a5b9808c76c.exe
    "C:\Users\Admin\AppData\Local\Temp\d73983a05531434ce8059cbecd66902874ebb8b890a3d571cf7d1a5b9808c76c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1820529.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1820529.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9731337.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9731337.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3767253.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3767253.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0442347.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0442347.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:448
            • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
              "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4648
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:4536
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3636
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:2292
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:N"
                    8⤵
                      PID:2084
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:R" /E
                      8⤵
                        PID:4840
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:2956
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:N"
                          8⤵
                            PID:2684
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:R" /E
                            8⤵
                              PID:5040
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4051209.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4051209.exe
                        5⤵
                        • Executes dropped EXE
                        PID:1008
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3545799.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3545799.exe
                      4⤵
                      • Executes dropped EXE
                      PID:5048
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2656
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:2876
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1448

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1820529.exe

                Filesize

                1.1MB

                MD5

                ac706689fcab1334fc46024e8c2ebdd0

                SHA1

                a6dcc21b6d95ba8de7baee8442c6844dd45f1260

                SHA256

                62d9ddaac380510a322e45a834758aaec5b4d2e1e1586b6a89812dc7f3b5ce84

                SHA512

                b9d0d69dd455b8f1259421a1f2d88b2c5489ca942fd8b0ec3f51b50ebf80d8076dab5e537e8065c34c4bf3334e584cede5b7b5c0f9a089d68e07b131f06b81da

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9731337.exe

                Filesize

                475KB

                MD5

                d6fa81fc20e34b39e388ff3df31295df

                SHA1

                23fc75371aa1f265e3348e3e144ff7c3ab03ed6f

                SHA256

                86bc86fdb529a359e5c480123fc1f78d11ef3ed1cd1f992b21df207801e61652

                SHA512

                42ad5bcf2697519a0bf9637f50dd7772f7065bf50be20de2429ddb25d9ef5591751e093ab6f2635eec8c6daf9cfe1c37bd04ed3aa57d819fc2fbe2ebb1a5eff4

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n3545799.exe

                Filesize

                173KB

                MD5

                9ecc8711e79e42477941b45746924960

                SHA1

                b1825c427c5fdcd2d0c4159a26281fb99e234e48

                SHA256

                e958e82f2c80e146e7678d3e5a0b46ebc1b0694e8c69800e5d189763742f9b3d

                SHA512

                f3dca6dc8f07128be6f368c387c5d3270136238da6743aa6b55802e9e41a03a744ff87326733d492ac5235776b08d720b7ca123652617b497a277f131fc06638

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3767253.exe

                Filesize

                319KB

                MD5

                23cfabd647c21e50fc721a51ed50a163

                SHA1

                9293c7a0a8c7eba5c256704c9f34a9788fee7b91

                SHA256

                8208499fe4c7c10b41488f15b9b32f0c52778f144622b16aa69c4d48607a7df6

                SHA512

                17ccec6b6564526f2599f57bc5ae37fd60960d73adc8edef0d65b403522d69c8d7d7d0c1a8c213de005d0740892ae5f2a52860146c2c7b8f19f99939f0c9b13a

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l0442347.exe

                Filesize

                336KB

                MD5

                4250c417d53e11684702917a98518fcc

                SHA1

                cd4948ee0bb5952aaac90912b58d4210c3932d65

                SHA256

                d011bc125e0520ae99400ac87ac34eb14936531005483b3c41b33abf847f11c7

                SHA512

                1e1642d12d9fe62fc5d6411b2d0e2bf174a5a667c43ae926a0642bbcc41399d54f57954a28fb43241cb8dde703127148f3a078187ecedbf28f188b7bd67581a2

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m4051209.exe

                Filesize

                141KB

                MD5

                1b89576d0d95b0a7e641acacb8e59737

                SHA1

                3b75958e4f880cbbc765a750f03eaa7f90209540

                SHA256

                ecec341c3136b9fd6603b286b1334419d8bd92cd1cea1b8311786eb485482923

                SHA512

                389e3ebf1e23115617d9242f88f3e7903d067200598e8aae08686028530bcb4adf94798b32c2e225e34e4b27fc2cf74c2940dc489178f841833d211ed4f46748

              • memory/5048-43-0x0000000000D30000-0x0000000000D60000-memory.dmp

                Filesize

                192KB

              • memory/5048-44-0x0000000005690000-0x0000000005696000-memory.dmp

                Filesize

                24KB

              • memory/5048-45-0x0000000005DE0000-0x00000000063F8000-memory.dmp

                Filesize

                6.1MB

              • memory/5048-46-0x00000000058D0000-0x00000000059DA000-memory.dmp

                Filesize

                1.0MB

              • memory/5048-47-0x00000000057F0000-0x0000000005802000-memory.dmp

                Filesize

                72KB

              • memory/5048-48-0x0000000005850000-0x000000000588C000-memory.dmp

                Filesize

                240KB

              • memory/5048-49-0x00000000059E0000-0x0000000005A2C000-memory.dmp

                Filesize

                304KB