amadey | 26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 02:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe
Size

1.1MB
MD5

abff76c10ad30f8a3be163c6b5de547e
SHA1

3a37763595a5955501507cb54d764ddaf2eff0f5
SHA256

26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416
SHA512

c3078b1ef4f2041816d4e97af0ce898474f6846fa1962df7f844743ac032c32620ddbcb4f976ffed50ff6e096091c8463c9314d221aae31fce123ce27e74ff9f
SSDEEP

24576:+yHDLx7z0rtxZutw5csN8FHjA5vB5iBJuIUQ3PKrI:NjLxcrtGt9seBJfB

Score

10^/10

amadey healer redline 9c0adb discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

http://193.3.19.154

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
23b27c80db2465a8e1dc15491b69b82f
url_paths
/store/games/index.php

rc4.plain

1
006700e5a2ab05704bbb0c589b88924d

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3048-28-0x00000000021E0000-0x00000000021FA000-memory.dmp	healer
behavioral1/memory/3048-30-0x0000000002370000-0x0000000002388000-memory.dmp	healer
behavioral1/memory/3048-31-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-58-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-56-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-54-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-52-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-50-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-48-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-46-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-44-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-42-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-40-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-38-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-36-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-34-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3048-33-0x0000000002370000-0x0000000002383000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	247626322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	247626322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	247626322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	247626322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	247626322.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/4904-112-0x0000000002550000-0x000000000258C000-memory.dmp	family_redline
behavioral1/memory/4904-113-0x0000000004A40000-0x0000000004A7A000-memory.dmp	family_redline
behavioral1/memory/4904-119-0x0000000004A40000-0x0000000004A75000-memory.dmp	family_redline
behavioral1/memory/4904-117-0x0000000004A40000-0x0000000004A75000-memory.dmp	family_redline
behavioral1/memory/4904-115-0x0000000004A40000-0x0000000004A75000-memory.dmp	family_redline
behavioral1/memory/4904-114-0x0000000004A40000-0x0000000004A75000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	387406390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
760	BJ880413.exe
4584	ER412421.exe
4332	HA145086.exe
3048	180440890.exe
1136	247626322.exe
2404	387406390.exe
1864	oneetx.exe
4904	414630403.exe
1344	oneetx.exe
1100	oneetx.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	180440890.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	247626322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	180440890.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	BJ880413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ER412421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	HA145086.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3872	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2720	1136	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BJ880413.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	387406390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	180440890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	414630403.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ER412421.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HA145086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	247626322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3048	180440890.exe
3048	180440890.exe
1136	247626322.exe
1136	247626322.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	180440890.exe
Token: SeDebugPrivilege	1136	247626322.exe
Token: SeDebugPrivilege	4904	414630403.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2404	387406390.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 760	3952	26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe	83
PID 3952 wrote to memory of 760	3952	26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe	83
PID 3952 wrote to memory of 760	3952	26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe	83
PID 760 wrote to memory of 4584	760	BJ880413.exe	84
PID 760 wrote to memory of 4584	760	BJ880413.exe	84
PID 760 wrote to memory of 4584	760	BJ880413.exe	84
PID 4584 wrote to memory of 4332	4584	ER412421.exe	86
PID 4584 wrote to memory of 4332	4584	ER412421.exe	86
PID 4584 wrote to memory of 4332	4584	ER412421.exe	86
PID 4332 wrote to memory of 3048	4332	HA145086.exe	88
PID 4332 wrote to memory of 3048	4332	HA145086.exe	88
PID 4332 wrote to memory of 3048	4332	HA145086.exe	88
PID 4332 wrote to memory of 1136	4332	HA145086.exe	94
PID 4332 wrote to memory of 1136	4332	HA145086.exe	94
PID 4332 wrote to memory of 1136	4332	HA145086.exe	94
PID 4584 wrote to memory of 2404	4584	ER412421.exe	98
PID 4584 wrote to memory of 2404	4584	ER412421.exe	98
PID 4584 wrote to memory of 2404	4584	ER412421.exe	98
PID 2404 wrote to memory of 1864	2404	387406390.exe	99
PID 2404 wrote to memory of 1864	2404	387406390.exe	99
PID 2404 wrote to memory of 1864	2404	387406390.exe	99
PID 760 wrote to memory of 4904	760	BJ880413.exe	100
PID 760 wrote to memory of 4904	760	BJ880413.exe	100
PID 760 wrote to memory of 4904	760	BJ880413.exe	100
PID 1864 wrote to memory of 2068	1864	oneetx.exe	101
PID 1864 wrote to memory of 2068	1864	oneetx.exe	101
PID 1864 wrote to memory of 2068	1864	oneetx.exe	101
PID 1864 wrote to memory of 2348	1864	oneetx.exe	103
PID 1864 wrote to memory of 2348	1864	oneetx.exe	103
PID 1864 wrote to memory of 2348	1864	oneetx.exe	103
PID 2348 wrote to memory of 2980	2348	cmd.exe	105
PID 2348 wrote to memory of 2980	2348	cmd.exe	105
PID 2348 wrote to memory of 2980	2348	cmd.exe	105
PID 2348 wrote to memory of 1484	2348	cmd.exe	106
PID 2348 wrote to memory of 1484	2348	cmd.exe	106
PID 2348 wrote to memory of 1484	2348	cmd.exe	106
PID 2348 wrote to memory of 4188	2348	cmd.exe	107
PID 2348 wrote to memory of 4188	2348	cmd.exe	107
PID 2348 wrote to memory of 4188	2348	cmd.exe	107
PID 2348 wrote to memory of 844	2348	cmd.exe	108
PID 2348 wrote to memory of 844	2348	cmd.exe	108
PID 2348 wrote to memory of 844	2348	cmd.exe	108
PID 2348 wrote to memory of 548	2348	cmd.exe	109
PID 2348 wrote to memory of 548	2348	cmd.exe	109
PID 2348 wrote to memory of 548	2348	cmd.exe	109
PID 2348 wrote to memory of 4704	2348	cmd.exe	110
PID 2348 wrote to memory of 4704	2348	cmd.exe	110
PID 2348 wrote to memory of 4704	2348	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe
"C:\Users\Admin\AppData\Local\Temp\26cabcdd33a8abd03a49eb569b96d672ed5e50e1362afc51ed20e04281809416.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BJ880413.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BJ880413.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER412421.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER412421.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HA145086.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HA145086.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\180440890.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\180440890.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\247626322.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\247626322.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 1084
        6⤵
        Program crash
        
        PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\387406390.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\387406390.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:N"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb7ae701b3" /P "Admin:R" /E
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4704
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\414630403.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\414630403.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1136 -ip 1136
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3872

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

71.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.31.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

75.117.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

75.117.19.2.in-addr.arpa

IN PTR

Response

75.117.19.2.in-addr.arpa

IN PTR

a2-19-117-75deploystaticakamaitechnologiescom
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

88.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.210.23.2.in-addr.arpa

IN PTR

Response

88.210.23.2.in-addr.arpa

IN PTR

a2-23-210-88deploystaticakamaitechnologiescom
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

193.3.19.154:80

oneetx.exe

260 B
5
185.161.248.143:38452

414630403.exe

260 B
5
185.161.248.143:38452

414630403.exe

260 B
5
185.161.248.143:38452

414630403.exe

260 B
5
193.3.19.154:80

oneetx.exe

260 B
5
185.161.248.143:38452

414630403.exe

260 B
5
193.3.19.154:80

oneetx.exe

260 B
5
185.161.248.143:38452

414630403.exe

260 B
5
193.3.19.154:80

oneetx.exe

260 B
5
185.161.248.143:38452

414630403.exe

260 B
5

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

71.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

71.31.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

75.117.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

75.117.19.2.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

88.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

88.210.23.2.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BJ880413.exe

Filesize
939KB

MD5
0b4e69f37a7d7cd393f5c6c2dca3348c

SHA1
798351dff925f796b688ffe950c146bf777e9e8e

SHA256
a4546d44db7cfc0a38db7d44eec48837ca7b20fa59082edb4f0cca92a252749a

SHA512
1aae3e3527cf6fd710f31ef50dcc761401558a553f513b2ab5df7e2e25418bde29e1191bd2f2306ccd914108429c265eee00289476332822992af671df5ee9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\414630403.exe

Filesize
342KB

MD5
e7aa79c4fc76e04838c7516ea7ba1909

SHA1
56476495f572c248cd391fe586f59e3d5063797b

SHA256
a42f23f999ec739d1a98857eecf90257adc714dc0b28c09d159fa7ccc624cf91

SHA512
ad88c6f3c448c2c30431fc16212dd351c993496c51229e1b7297adf001ea9fd22e60634c348082de0da282303cbdca8a67936a7adeabc8a428f54fec4bc75f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ER412421.exe

Filesize
585KB

MD5
5c2cc519e30b9d3c466fa79a3ee90b15

SHA1
b1bf04642bbf88dd3b450a052b710fc7c395985c

SHA256
6972460186d28588b9e2fd0634d31c9af42845d8179152568e9cf0a24821cc0f

SHA512
859ae2c9f1c878edf8e36fe03c52bb5babe557003124ac96b25b6c0de9e40c9efd082bdc914eaf9871bc66992b02cdffc995a4a667a748aff0559f6bbed47f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\387406390.exe

Filesize
204KB

MD5
1304f384653e08ae497008ff13498608

SHA1
d9a76ed63d74d4217c5027757cb9a7a0d0093080

SHA256
2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

SHA512
4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\HA145086.exe

Filesize
414KB

MD5
1ce5f4ad1033b89a823bf30a01ae8cba

SHA1
dfa57826aa6d516d2ff3ad1830f7c79fe0842dde

SHA256
2c8d1ec843d6259412e6586f36b4c4265831308d537852ef1fe3979289b62d04

SHA512
a6eb8cb0c65b4a86d4f31feb3dcbe707f49dffddbf49eeb566bcd5056d0f098bee3e26b1385d9dafb0a5902010dbf40812afb87b6de0fd1c2e2c0f9a83461e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\180440890.exe

Filesize
175KB

MD5
a165b5f6b0a4bdf808b71de57bf9347d

SHA1
39a7b301e819e386c162a47e046fa384bb5ab437

SHA256
68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

SHA512
3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\247626322.exe

Filesize
258KB

MD5
594c8f84fcd0d1653a21ec2ed636146b

SHA1
8257bd1fa151df7e0d3fdb67fd1a43aed8e03254

SHA256
ce60d97982929fd3fcb47f3ccf2518f08cebf147898b0657e6ce3638ae395f91

SHA512
8c7f1e85aeb8a4e4ed75f49160bb5586819bfc2c7795fbf4c8610f1ccfba35ae4c249c4fa74f7891c8396320ae60a16ad641c1ca15ce06e3c6f7c5a90ba74a88

Download Submit
memory/1136-94-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1136-92-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-38-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-30-0x0000000002370000-0x0000000002388000-memory.dmp

Filesize
96KB

Download
memory/3048-52-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-50-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-48-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-46-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-44-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-42-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-40-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-56-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-36-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-34-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-33-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-58-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-31-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-54-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3048-29-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/3048-28-0x00000000021E0000-0x00000000021FA000-memory.dmp

Filesize
104KB

Download
memory/4904-112-0x0000000002550000-0x000000000258C000-memory.dmp

Filesize
240KB

Download
memory/4904-113-0x0000000004A40000-0x0000000004A7A000-memory.dmp

Filesize
232KB

Download
memory/4904-119-0x0000000004A40000-0x0000000004A75000-memory.dmp

Filesize
212KB

Download
memory/4904-117-0x0000000004A40000-0x0000000004A75000-memory.dmp

Filesize
212KB

Download
memory/4904-115-0x0000000004A40000-0x0000000004A75000-memory.dmp

Filesize
212KB

Download
memory/4904-114-0x0000000004A40000-0x0000000004A75000-memory.dmp

Filesize
212KB

Download
memory/4904-906-0x00000000075D0000-0x0000000007BE8000-memory.dmp

Filesize
6.1MB

Download
memory/4904-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/4904-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/4904-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/4904-910-0x0000000002480000-0x00000000024CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.