Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 10:02
General
-
Target
9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe
-
Size
903KB
-
MD5
56cbf85c17dc70913672f90b1f36fbfc
-
SHA1
205c818fd0e8d76ea21b3cd03704a2ae71f85a76
-
SHA256
9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4
-
SHA512
dbdde039478539be601d9bec0e9d88ed590f3c35ddf9e98eefe10affcf9dc7b809349741c4ef2ab740d0af6352dd0ce46412028b77a516a1ac6475bcb4c2c5db
-
SSDEEP
24576:byb2x0Hx9Isn62mKFE0e1PMGI4InO6fbWaqErse0mdbi:OU0Hx9ISMKFE0eZMlndbsezd
Malware Config
Extracted
amadey
3.87
59b440
http://77.91.68.18
-
install_dir
b40d11255d
-
install_file
saves.exe
-
strings_key
fa622dfc42544927a6471829ee1fa9fe
-
url_paths
/nice/index.php
Extracted
redline
mrak
77.91.124.82:19071
-
auth_value
7d9a335ab5dfd42d374867c96fe25302
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe"C:\Users\Admin\AppData\Local\Temp\9a7ee6b801d877ebe30af54c64afce444a041f28ac9cb08964f0d97a0fa17fe4.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7112759.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7112759.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8185233.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8185233.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1483425.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1483425.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "saves.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\b40d11255d" /P "Admin:R" /E7⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6024603.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6024603.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exeC:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
822KB
MD50e9909e9fd5294ab652141221853b24c
SHA14385b57935cf20cefb551e76ed07f7b1b570a1ea
SHA256122f09b7df2071714e67c540ed9b44a34e4693254bd5c80d4aecc68ce4f457aa
SHA5122ad71e8837fcc072e85314e750fa6370d40fefb93f8338c944da7e75d9af9a2f4847e19df5f9398e31d076fe71d85d86ed7d9349cbace26a2a8d6b37ebb9c412
-
Filesize
331KB
MD5f728f659451c1e0feb0f699e074f20b1
SHA1192f0ec37208ca2eb609e94c363b1b8a5f25847f
SHA256768dd9a148a0ba170b2ff6beb9373e0bebd8905ca633e5472c941c9d55d712f2
SHA512e2bf3a0d2ca9a8005048340c2d04bea767b208bf7d248e6ec320dac493660e378d38065d6188a3b700456af20d21fa6af9122035025a2d0167e69d8f9d3d9d21
-
Filesize
337KB
MD5de17c1b707dacb39f3417d27ad096c21
SHA18a24d39ef5d2581f985b758265914f44ce932c4b
SHA2565216bd418236aedf2cdb7fdc56a0a7a806f67e69b030cf8591edc9514630fefa
SHA51292c1defb3a5fc57de7d4513bc1bd806c5bb0ff953ad7c3f2c18569e90c917cae8455351a3bdc05a7ec82623b4ebcd256137741645dfe8ce79be3767983f6219d
-
Filesize
174KB
MD548e594c677f7b1eb3409f6fea8013ad3
SHA147a6635597279b01be1b8c24ddf00206008c5c2f
SHA256889c7152986d17371dbadee509047f764986603450990994389a0d805238b1f8
SHA51251b3a83c8d822f5072ae735e6d1dca23787b1a43e3e043113293c265684c1760764749fe9c74a9cc2a3755784fecbd508c1aa2cb3635dc18297a97bcb03ae455
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB