Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:47

General

  • Target

    4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe

  • Size

    582KB

  • MD5

    d65b8e601b5fdb8b40ea6d22fd7e47eb

  • SHA1

    e17ef0d987c09976de4825f1a21113b6924a580b

  • SHA256

    4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f

  • SHA512

    7978421c2c01dc1a1a4cea13772b526dbc69f6b46dd5c2b5e4ab4dd6768edde078f0b1a2816097bfa9e4bdbd5f94b2187cc322511001025364fad40cc034590a

  • SSDEEP

    12288:FMrxy90Ydrzg5EyOuXQCRKR0EXVp7lM1aoxCTKx:EyFdvCEyuCRKaE3l7oGo

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Mystic stealer payload 1 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe
    "C:\Users\Admin\AppData\Local\Temp\4867af9d5dda04a5ea012b876f663ee94f708e52fd230c829517d4b2b83e9d1f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6645628.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6645628.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2030303.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2030303.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2754109.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2754109.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3972
          • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
            "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:5056
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3088
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:2776
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "saves.exe" /P "Admin:N"
                  7⤵
                    PID:224
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "saves.exe" /P "Admin:R" /E
                    7⤵
                      PID:1000
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:3160
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\b40d11255d" /P "Admin:N"
                        7⤵
                          PID:4144
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\b40d11255d" /P "Admin:R" /E
                          7⤵
                            PID:4548
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe
                      4⤵
                      • Executes dropped EXE
                      PID:1324
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe
                    3⤵
                    • Executes dropped EXE
                    PID:4856
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4480
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4812
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:5076

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6645628.exe

                Filesize

                476KB

                MD5

                92d0c1adfbccf38ea2b0a631797109aa

                SHA1

                dadaa1c64b467ee8027d9c6b3e328500ee825379

                SHA256

                de353fac66278087f9f82f2aaace88ed4d71659667e0261b2615aab07ab65398

                SHA512

                033d48450bb0951909ec96c4b01ff1e2f22491ea7d36fe7a08a17deed81fbc02a5e342ea2118fa392531eea31b9f2d4e0657e36841758df1b754e474db98bfe4

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n4654949.exe

                Filesize

                174KB

                MD5

                d932b8153ba48e4255771c0b47754b68

                SHA1

                1b4ffde1dca1b9377620351043a23c64ce483716

                SHA256

                3b835ea5b8a5848009af9f9f09cabb70137311a6d0c6cc1b840208c2314ab5ec

                SHA512

                c509259a62830e4062e5e4096025d0c06c172a8d34524e91e4761a425766552d589f238e14fda30841c44bfa7cb60b5f3b0acd45af3639fcb5bdbffae13ea664

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y2030303.exe

                Filesize

                320KB

                MD5

                6839028e751b165c664579a8c900e75e

                SHA1

                c3a05176e6e6750df151a5341c921ad94d5453aa

                SHA256

                f18ff27b7feeb7cb2948a7d7d87d26494c0c9c20f93fb656e65114059706834d

                SHA512

                d23ee0c0890cb4351b7f598803ced52e47f5c59415ed9c7e2f6cfaab475acbc5e5021f4ad73bd821ed2cdefa5cc80567d98e00b6afd7f5c0f2117871668d6a54

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2754109.exe

                Filesize

                338KB

                MD5

                b1d77a302b5e35899d19395298d9b8a9

                SHA1

                90877c27b65cce64342540f92df92472286777ea

                SHA256

                91fba7b3ba1df00d33f363e8bd4b190dd4a1fc8c2da7f801d0fee5da3f02efd2

                SHA512

                84bdd2179e590b5f18105641342b184e9e383c4b6e202b17a8ad9ec8b771929dca525ec513a1b539145599350f12546eb3674e44d89058a8f73ff3c4c078f027

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8139848.exe

                Filesize

                140KB

                MD5

                f2ea9cf6f1c1a8aa515b020b50d8ebaa

                SHA1

                e9b200bd584ba7f6665d1ca73dc99a57c66cb702

                SHA256

                87601b2bd8e3c8c0d8f5189001c0a2c625f8703defffd53b92ef99e88c67fd42

                SHA512

                e871b7d195ecdad3a357dc445cb4f658da13bcb79cd199d20f0df09d01cd52a37179436f3f1d3907c820fa159c368c776893bb0b9484b9931d36f1670b84643e

              • memory/4856-36-0x0000000000610000-0x0000000000640000-memory.dmp

                Filesize

                192KB

              • memory/4856-37-0x0000000002900000-0x0000000002906000-memory.dmp

                Filesize

                24KB

              • memory/4856-38-0x0000000005780000-0x0000000005D98000-memory.dmp

                Filesize

                6.1MB

              • memory/4856-40-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

                Filesize

                72KB

              • memory/4856-39-0x0000000005270000-0x000000000537A000-memory.dmp

                Filesize

                1.0MB

              • memory/4856-41-0x0000000005160000-0x000000000519C000-memory.dmp

                Filesize

                240KB

              • memory/4856-42-0x00000000051A0000-0x00000000051EC000-memory.dmp

                Filesize

                304KB