Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 09:42
General
-
Target
30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818.exe
-
Size
1.0MB
-
MD5
8ca2e2b6df85b28cc622787bdd25971c
-
SHA1
c6694cda5bba6ce87b6433a180dde1c90f6f22bb
-
SHA256
30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818
-
SHA512
a3b689b8deee65b87390a5bbb312eb188cac6485f1f485b98d0016f7180adec0db4c0e6e7aa8066c1c82925ee6257df4f221f16f61e67a358395d6ff019125f8
-
SSDEEP
24576:0ycblCljSywWSdCPVlvVqUIv/jzwvvAL9:DcblsjSyGdCPVlvUU2/HwHA
Malware Config
Extracted
redline
gruha
77.91.124.55:19071
-
auth_value
2f4cf2e668a540e64775b27535cc6892
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Extracted
amadey
3.89
daf753
http://77.91.68.78
-
install_dir
cb378487cf
-
install_file
legota.exe
-
strings_key
f3785cbeef2013b6724eed349fd316ba
-
url_paths
/help/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Mystic stealer payload 3 IoCs
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Mystic
Mystic is an infostealer written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 18 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818.exe"C:\Users\Admin\AppData\Local\Temp\30323f682e6a32aa6d849428448a5ebd9b9590ee3a331da4fd2f5934b4c13818.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5955212.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5955212.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3893199.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3893199.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0412229.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0412229.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6680487.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6680487.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7404994.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7404994.exe6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9294861.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9294861.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1567⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2634145.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2634145.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1366⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7025584.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7025584.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0608339.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0608339.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "legota.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb378487cf" /P "Admin:R" /E6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0869032.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0869032.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1852 -ip 18521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4516 -ip 45161⤵
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exeC:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD525d5248a5ad44231735e67ac18009d63
SHA18f95abb73587b14e916a8930a896e7e4cc9ee684
SHA256051fc08c6e91f51067f5a6061a0a50fba4a0fe20ef07eafd061c743c5781ef0a
SHA512d590b86603537dd414c4b9e87f552a1b61fd46a201e7624b0dd5f70cab38032afde0354ce0a47d2868c6e508e508d20815320a10770d0fb722895eb035beec70
-
Filesize
972KB
MD504beb9f495034e4d9df89f11b1d4c1d1
SHA1ebf13b9b85f6f186222dab7de5ef37df8fd19f0a
SHA256a189299869b7c6143bb1a5f6b53447400757f76ff6618e9fefae5987a9dcb9fe
SHA5124b66e5b930776734396466b3360d64c2387fa983d919a50df818636af5791797ea0ec2e2e694bfd11dafe28c79e707906013a79403016a69ebd7397b6727ff5e
-
Filesize
219KB
MD5a427281ec99595c2a977a70e0009a30c
SHA1c937c5d14127921f068a081bb3e8f450c9966852
SHA25640ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA5122a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976
-
Filesize
789KB
MD51d11abec72557c8b0388f8230e11e4d4
SHA12377c5bf858cdca42367baf3e640dbbce514d6f1
SHA256d7dc4234985318324cb1b9ccac14a02438e45596fd269957f21d1ce4c4730914
SHA5121b07db0e08d8f74ff7d6edab0fd076a4af37f1ad4b26832e048d3988c6ffe7d640f68c8b1407bfaabcec295ef347c17ed0bb8f31522567d323aef94859dc4f38
-
Filesize
219KB
MD54bd59a6b3207f99fc3435baf3c22bc4e
SHA1ae90587beed289f177f4143a8380ba27109d0a6f
SHA25608e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324
-
Filesize
606KB
MD50854ada23a417a62022095e9a8e83119
SHA1ab7be11512a46c282599094b9cee8746967db2e6
SHA256f43be19e10a069c0ba0ecdea733c1f6a84dbe6a0a3d81b51d6e36168e7562d90
SHA512258cf5aa5a1555e8b8bfae6214336708f82e825337f12db728cd55eb48d1b7eb893f06b9ee78658926160caedfb2d40c03c7e76adccfb44b059a7bda24de175a
-
Filesize
390KB
MD584906a7a28bd18f27fd4347b3fc2a327
SHA1facfb2ab031afd940dddc98287c9bd954edc1cfc
SHA256f684c0abc3ce7c67d394c02485cf9d9ca27296ad98d91cc7cfc2f593b84c498a
SHA51271d28d9235b38eec8fe2989d2297a76fc089445be3e0e1f7f6685f1b8d88ebc4b93393cbf7773673d764b6f88aa541b9b3c453eed36623c7f64859096977f45e
-
Filesize
335KB
MD528c0c502af27f1ad2796bf861346d4c0
SHA168cbc3501838be07c67013599385c6750337d8ab
SHA256fd2aa21a54bba01d5274f2807d398b82ec0ee42d24ee98435eeb820c71a45287
SHA5120b7652d3ff7c6783a6746623550d156e79e0ae1ce123ab75467cef23f356899368b6c1bd218c7f944e342d8e4080a5c262f607c8c897bcb57518a625af8d5a5a
-
Filesize
11KB
MD534e777d726d9ace8ff94fef89c94425f
SHA1b9c48c06eceda0a113e80325a3d9a3edd71df79b
SHA256eceab4e67ae35fd59df582b5eec58110c2168ce99b78717be9b956422930eed8
SHA51267de061e9ae8a1a675c4e212c9f8e898281fab4c21f958bb242a77378e7e0a1238b93771094c942b0cb1c96f28071c1c5722a87dbe14baba94ed65cb8e1f649e
-
Filesize
356KB
MD53535c5260fe707c5f0ffef7c54a5f189
SHA15a81af0753fc190a5e57211db267c7566d2053d7
SHA25692988ebd8dad0647fb682ab4a619e3d4b99c0e055b249dca4b066bc9518d1ee0
SHA512609938930f896653a173502080df67e128dbdf57386fd0afafe200dde1fe7dd91d14fc5bf1bbc0e8fd2f28fa1a0c1b1e221ed1de7672b9789405255a6fe41ec4
-
Filesize
40KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
160KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB