Analysis
-
max time kernel
132s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
22-05-2024 18:20
General
-
Target
006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe
-
Size
1.0MB
-
MD5
db869d62f5f8401076718a70f48e586e
-
SHA1
424352327fdb3f8795505b26e11c856479aa493f
-
SHA256
006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb
-
SHA512
ce1e660929575deacaad46b9e52945d26a4a748e25d8bca28932493e43d67a683d5d917b53f171465d31488816b6ab9f7eebac67b723e085fb340644bd8b69c9
-
SSDEEP
24576:py5vrzFyTGc619B8SQEQasoju6DojiYiZnkClrK:cBPwTGc8nxPhZRZnkq
Malware Config
Extracted
amadey
3.89
fb0fb8
http://77.91.68.52
-
install_dir
fefffe8cea
-
install_file
explonde.exe
-
strings_key
916aae73606d7a9e02a1d3b47c199688
-
url_paths
/mac/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe"C:\Users\Admin\AppData\Local\Temp\006388190d560f779193db075f918251d361e2b4d3964e52b02340d13f027cbb.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2659523.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2659523.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2727565.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2727565.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0654747.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0654747.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6790140.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6790140.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1360990.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1360990.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 5527⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4295390.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4295390.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F8⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"9⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:N"9⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explonde.exe" /P "Admin:R" /E9⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"9⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"9⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E9⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8216773.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8216773.exe5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4020 -ip 40201⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
836KB
MD5a540d41f4170487ff29efb26404a666d
SHA128b5ba1040eda234c4334a976d00ae356512485d
SHA2566c1eb8e10013afe3d1332b19a07549f15099a0b4c8216248a5d3f109173c728b
SHA512f57dd8b899ac5b05a879ed02c71d94453b617252bed29c820ac753697c351a96ac31221e798f86015cd3b6639b38185339686693a55dc8b1298bf0230d81c1a8
-
Filesize
606KB
MD51c514a4baabea74ed855fcbd5c81fd0f
SHA1e2d447c0a5b108ee783b3628134d2ebb54211a1c
SHA2564303f079f488faaab40e67a5da959503e0f34480be9f9d5497dd6a84640fa45a
SHA51295113ceb793eac5214ff5e5539bd32e1a335d721bc052e3a0c0d1d05f37f16fbb7b5fd6511a86d568f7e76ebf980507e8c6531564d827e84e0d743ba2d28bb3d
-
Filesize
424KB
MD55e939336744cc1ca7c326acd817b9cbd
SHA1d11cf08a9630cdbb2c98b6f4a645f3cc56b6008f
SHA25677c30326c817a747d38caf56e6d01c13be2056debe10be70617af1a12a15831b
SHA512b0a84737a660f80fb7e08afcff50753f5b84a7f575d681a1be599a23780de026f1574d5ae2f999a29507ba05cf9725320073e922437c4df1c4133c4d34b6ab24
-
Filesize
176KB
MD5d88e3b43da0d1c09a99ab842c2d2bfe6
SHA1272696386bcd61a9e08b7a06a90845f12bb4958b
SHA256b52c869d6ef71ad7990ff2d9a57dc407fd5fa2803a8773d0370055614ec1345f
SHA5129cc4d0b52cf44935e8ea6d6dc8be5b8644c010d146d08cb98b915d58d286b6689170df8084291039a0bf409474c3a96850242e514b2c1183a1af63f70d5cb362
-
Filesize
268KB
MD57136162ef2592358fe37200250184cca
SHA14c02c65f24fd145f8c7d0b2ae02f1399153eb8f7
SHA25653894a0210489cf341910d7fd82413bfccf557796c2f823d4fca6711b4812b1f
SHA512a3b5744127325752baaef907bf1d8377fcaa1f9dde50ff0ea75c1fb94d79734cdc55423257e076004a69ddb20fcc7ec29a642b0a5bf694fef7d9ce9de84832a5
-
Filesize
126KB
MD55c674cc90bd4867f466fec5b977263a7
SHA10f98429978ca843ac6bfed21ee05936015f5d628
SHA256ee4de150ce2bc17e0e47dc0825469ff00138c057562657b54ca45dbbba4c1961
SHA512862378fba4aa7bc5ccbb7ec2a425ef853031e7255fdc6c723a0be8c569fe9120954b8ca52c9a7108d9c34146dfc6cf682bf4d29d0ba9ff63e284605cd6cbc610
-
Filesize
222KB
MD54dfb81d60b9ad24be9d08894f6a3effd
SHA1a28474cf67d54735630afa7d523860c1846a61bc
SHA2564469d03e30861b2c39c4d162c1c884eec5e2185aab92bb65c5dcad12ebbd817e
SHA512764470cecfe284c5e0eb5abeb03b6626e122c75837439b2e73a365d7f6b14d5a14c10104e1d9fce129c264b60c9c8451a89e43ee034f4fcf6c9da68c2b0585eb
-
Filesize
40KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB