Overview

overview

10

Static

static

3

0bbde9df88...20.exe

windows10-2004-x64

10

14381f89f8...62.exe

windows10-2004-x64

10

1c09c6faad...a0.exe

windows7-x64

3

1c09c6faad...a0.exe

windows10-2004-x64

10

1c8308039a...16.exe

windows7-x64

3

1c8308039a...16.exe

windows10-2004-x64

10

1fe4c883d2...6d.exe

windows10-2004-x64

10

234b8aa959...d8.exe

windows10-2004-x64

10

410e72302d...e8.exe

windows7-x64

3

410e72302d...e8.exe

windows10-2004-x64

10

4431aa7413...8c.exe

windows7-x64

3

4431aa7413...8c.exe

windows10-2004-x64

10

68f997d58c...e5.exe

windows10-2004-x64

10

812ce70322...27.exe

windows10-2004-x64

10

88a3f8285d...ab.exe

windows10-2004-x64

10

90fdeaf3f0...a8.exe

windows7-x64

3

90fdeaf3f0...a8.exe

windows10-2004-x64

10

9d92aedf9d...9d.exe

windows7-x64

3

9d92aedf9d...9d.exe

windows10-2004-x64

10

9ff2fb6bb8...32.exe

windows10-2004-x64

10

ac4e2e3d9d...dd.exe

windows7-x64

3

ac4e2e3d9d...dd.exe

windows10-2004-x64

10

b62483116d...b6.exe

windows10-2004-x64

10

c901122f00...70.exe

windows10-2004-x64

10

cfda8adb75...7f.exe

windows10-2004-x64

10

dfe8591c80...49.exe

windows10-2004-x64

10

f5659ff4e2...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe

  • Size

    540KB

  • MD5

    3a43d1c96176e1bcf74d3c2263044759

  • SHA1

    9107fc9c7479bf1c4ddeffc52518583917603b95

  • SHA256

    68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5

  • SHA512

    74197247630636db39089573b49beb6daecef1834e9b4c69e7a7a560e3f7f0a8e3ab3fa591c6a4baaed4d397173c4b8e686daccd923482575ed90bdc582849f3

  • SSDEEP

    12288:cMrsy90R6ibrrpOS4kHIMBz9NMdgCOKoRF2ePk5:wyZibxOS44IaTCYJ+

Score
10/10
amadeyredline59b440mrakevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe
    "C:\Users\Admin\AppData\Local\Temp\68f997d58c29b69df287c5fd2f99eed5b4f71419dba25fbff2ad5132610109e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3164
        • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
          "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3520
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:1008
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:1000
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:N"
                6⤵
                  PID:4412
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "saves.exe" /P "Admin:R" /E
                  6⤵
                    PID:4508
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:3748
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:N"
                      6⤵
                        PID:1960
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\b40d11255d" /P "Admin:R" /E
                        6⤵
                          PID:2552
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4024
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3912
                • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2840

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i5208464.exe
                  Filesize

                  174KB

                  MD5

                  83d201fab8d323c26aebf61f4edab894

                  SHA1

                  0951a1c6ef9d8ea2f2a38f0b1e5d51faa55432b8

                  SHA256

                  549b21b8653360d2f6b749eb2358e58a996a35c8f85bde4d7740296bd0bc5e33

                  SHA512

                  a4a7c3ece46c6d33214d56f08d8a9d214f312b6d3f6c6bb90012a917eca56387c0645fdda94778eed3049a0e3f6cf7c499de7f3d6218dffceee565ee4c38afca

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8203061.exe
                  Filesize

                  384KB

                  MD5

                  c0f7a5d560b531fd3bab55cc63236a23

                  SHA1

                  9c5a14c3967d7ad535a733918c790906e210cc1c

                  SHA256

                  858e0c098977fc7da667404bce45320ad01b73848fcb411a64bb482b15c28881

                  SHA512

                  e7179ca343d9a56085b8eade536be7abfb7662436d13aaddcc21e020b5319a893b4c248092d5e07d91a2acec0ee7648f8615ea34179294603f00ff475321a2ab

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1935351.exe
                  Filesize

                  202KB

                  MD5

                  ed3eafff4705be9e483b93379ff54f8f

                  SHA1

                  6b16c88ae0157be7649469ec2baa13193af8f2b7

                  SHA256

                  91e35f49cdd48b97c1c6bacc5d2ee7a1c84e29facb1d9b5d3d2e84e3a8759626

                  SHA512

                  f8e02531f40468ed632b562e439d150d7949d5fe0e6355414dd1701d491283daf6f38ad73782eee71d8db53975916f6e8d57edf0ce95e27a41f5869a65f5f7d0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h5355103.exe
                  Filesize

                  337KB

                  MD5

                  251aa9e034465b49c7aeabaa9e675211

                  SHA1

                  c415e234bf8ff36c6e24e9b4c84247399e49b674

                  SHA256

                  3089ab919d4f5b5942e0beb13d3209fd34e783d0658b0170a14642078fb5775f

                  SHA512

                  c04cff04f0b32e0013fe50ff88acbad93f75feeff8e14096b24ba4420604617d118deec656f4a899e7ef6bdbc9357d7cf8510fdfe0ea12f102adebc0a9398abe

                  Download Submit

                • memory/2324-39-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-32-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-18-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-19-0x0000000004BF0000-0x0000000005194000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/2324-20-0x0000000002540000-0x000000000255C000-memory.dmp

                  Filesize

                  112KB

                  Download

                • memory/2324-21-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-24-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-48-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-47-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-44-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-43-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-40-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-16-0x00000000022B0000-0x00000000022CE000-memory.dmp

                  Filesize

                  120KB

                  Download

                • memory/2324-36-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-35-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-17-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-30-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-28-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-26-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-22-0x0000000002540000-0x0000000002556000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/2324-49-0x000000007468E000-0x000000007468F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2324-51-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-15-0x0000000074680000-0x0000000074E30000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/2324-14-0x000000007468E000-0x000000007468F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4024-67-0x0000000000DD0000-0x0000000000E00000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/4024-68-0x0000000002FC0000-0x0000000002FC6000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/4024-69-0x0000000005D00000-0x0000000006318000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/4024-70-0x0000000005820000-0x000000000592A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/4024-71-0x0000000005750000-0x0000000005762000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4024-72-0x00000000057B0000-0x00000000057EC000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4024-73-0x0000000005930000-0x000000000597C000-memory.dmp

                  Filesize

                  304KB

                  Download