Analysis
-
max time kernel
147s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
06-11-2024 07:53
General
-
Target
dc74708df8924525b2e8b97f7402243a71ad8fb11abea3a3447690cbf556299d.exe
-
Size
1.0MB
-
MD5
abb94ac801105b64ce0e2a2185b2344b
-
SHA1
a80698d0647d9e625d1d8d2e2fcbb19f9f82158a
-
SHA256
dc74708df8924525b2e8b97f7402243a71ad8fb11abea3a3447690cbf556299d
-
SHA512
302ef92bc34ed6bc09ad577fd424507e1235f73cfbae34b01d598d7fdeedb80a276daad8b81eaf9ae698711b745e5b71127efb63dedd5b9bc7dd34342da853bb
-
SSDEEP
24576:2ylAvVuDBTZIF7XjghkT37omKfUT2zSJnryPJ5ve4tYc:F6vkZIF7skXSx2Jnsny
Malware Config
Extracted
amadey
3.70
b50502
http://77.91.124.207
-
install_dir
595f021478
-
install_file
oneetx.exe
-
strings_key
6e3d32d239380a49b6f83128fe71ea01
-
url_paths
/plays/chapter/index.php
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 19 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 19 IoCs
-
Redline family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Windows security modification 2 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 28 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc74708df8924525b2e8b97f7402243a71ad8fb11abea3a3447690cbf556299d.exe"C:\Users\Admin\AppData\Local\Temp\dc74708df8924525b2e8b97f7402243a71ad8fb11abea3a3447690cbf556299d.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5146.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina5146.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina4208.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina4208.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5734.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina5734.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az771125.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az771125.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu835791.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu835791.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 7046⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 7646⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 8566⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 9726⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 9846⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 9486⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 12046⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 12246⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 13126⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 6927⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 10047⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 10727⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 10807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 11127⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 10047⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 11207⤵
- Program crash
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F7⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 9927⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 8007⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 7687⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 9887⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 14367⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 10807⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 14167⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 17166⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 7566⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor8794.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor8794.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 10805⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ddn48s00.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ddn48s00.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1540 -ip 15401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4992 -ip 49921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4880 -ip 48801⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4992 -ip 49921⤵
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 2162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 5312 -ip 53121⤵
-
C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exeC:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 3122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 6120 -ip 61201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4992 -ip 49921⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
920KB
MD57225da0080072d0b025fefd5e8a8db7b
SHA173c9eefc3597f171ff7a0f1870f46f694bab8de2
SHA2560d1f9534a931f37c02622cb4dce0fc3d88956df5d246a001ff317faddf94e0ca
SHA51270fedf95c7b0ad1dc20e35d8f362d2dab48e89b95e1a708ca6b7c511324428309fd9e7a69de99e70dd40d26040fe86fc8516ca0a5fb49860cc5ba0b26604c0aa
-
Filesize
298KB
MD51b496161177a197f08c50a9422684a41
SHA17c319d557994dea0b4b16fa4f12db9081f722957
SHA2564e6af3e52fc63d3d4aa297d9e42cc73775f444d3c6cc22cd28f954f568b7712f
SHA5122c2e52b379d1713932b3a306dd3092a20cb104eaf0d18a238f59262ce496ca13b3a263b6ff502596cd2d164d1fb5f29411a369b7e27a3be5086172d7b2ccfdc3
-
Filesize
588KB
MD5b320beb0120847b5b435d5f943b5abcb
SHA10caaaa348a0b2dadf84593cab25222fded589d14
SHA25672c2e53a1325b7487e3cf9e4d2e361aac8b241be02f06017c86f9b2767a154f7
SHA5129d5fc261653e52b3a91679f4544c3a2c30ae391a903d3eec64512107d1d639ea8e642946c39ede2df473332cc6f1c48ee91553b3efa504186fa7c6f84b34b63e
-
Filesize
239KB
MD5d7334a72cf45d92f59388d5c8d4e52a2
SHA1b476064a6c29157b08f5e6e1dda598c6cbaa556f
SHA256236ef03f394f50034e40dd2274c53b6f97946b6d43ee6d49e819a183b2e5f23a
SHA512cdfded6b86989ec455f111549dd6e9adddd263557a6b08728928cc4d0ae956c6a7e6531b7f91f0428ed166d7afd3063d7b64b4fef94ba65bca49e3c94cfcd65a
-
Filesize
315KB
MD562a3c3439c5de1bfedf62b39b215a0a2
SHA1e2aa4c014f8c4af80ec72e83c593fdc136577665
SHA256930bd058bd2700ab3d33819bc2980f81bb7dfb23d8b670a81d9bc9ffd0a726a3
SHA512c5b1708ca46e87fd8a47dc16184f81fe1a3ed1a6fb45b4b00b9088126b29f783cc5fc4140e6ed2ff6ab5c38d95530ffce1c0ccf594566a55d288506f3b904c76
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
231KB
MD527d46213f24b50b85930d758e983dcbd
SHA1f2271208cbc2a0fa43bb26c7ebcf1775b10ee53a
SHA2567bb18f7c0b2597b3f9b0359894960deafb4ddf0f4f71c03ad88d7ca2742ffeff
SHA51261ede5ede75f1d84d63731f13ab0477c09e710fcf6e1868b5a671d4f600bcdf13d824f1078abebf443b18ccbb19aebed603373fe6d8c42f0dcc2b0d65e4a5128
-
Filesize
672KB
-
Filesize
40KB
-
Filesize
680KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
96KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
5.6MB
-
Filesize
680KB
-
Filesize
672KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
280KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
272KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB