Overview

overview

10

Static

static

3

0ab8a515cd...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ab8a515cdb4712ce3998d283a8823109eb34efe7baff94938f3e60fd9f45b10.exe

  • Size

    1.1MB

  • MD5

    39cd5f8cd54bc4cc879b3fe565b38220

  • SHA1

    079ec0f55b38aec6471805e99102e7c9446b83e0

  • SHA256

    0ab8a515cdb4712ce3998d283a8823109eb34efe7baff94938f3e60fd9f45b10

  • SHA512

    7e2bbeda55698aafb5be3c8e2a2e6e2b5faa228d894056c1ed59a6f1f6a51299e334a78944b394901292bf882e4a8e8b1a0e74162002a2f31ee926fe16664969

  • SSDEEP

    24576:wy8IEDHJ0YrxtvEk9Rx6mUPdMA2NPWmOvFUMbA6dFps:3hEDXr/EY1OdM/PWmGA6dT

Score
10/10
amadeyredlinef9a925fugamaikadiscoveryevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maika

C2

185.161.248.75:4132

Attributes
  • auth_value

    33d7e882888973bf73e1c1c697a5cc73

Extracted

Family

amadey

Version

3.81

Botnet

f9a925

C2

http://77.91.124.20

Attributes
  • install_dir

    c3912af058

  • install_file

    oneetx.exe

  • strings_key

    0504ce46646b0dc397a3c30d6692ec75

  • url_paths

    /store/games/index.php

rc4.plain

Extracted

Family

redline

Botnet

fuga

C2

185.161.248.75:4132

Attributes
  • auth_value

    7c5144ad645deb9fa21680fdaee0d51f

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ab8a515cdb4712ce3998d283a8823109eb34efe7baff94938f3e60fd9f45b10.exe
    "C:\Users\Admin\AppData\Local\Temp\0ab8a515cdb4712ce3998d283a8823109eb34efe7baff94938f3e60fd9f45b10.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5742061.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5742061.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3153928.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3153928.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1166201.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1166201.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4844
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6531757.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6531757.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:768
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 928
            5⤵
            • Program crash
            PID:1880
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9019001.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9019001.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9019001.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9019001.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3672
            • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
              C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3548
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4800
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:852
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "oneetx.exe" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3400
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "oneetx.exe" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:228
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4488
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\c3912af058" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4528
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\c3912af058" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4816
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9732876.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9732876.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9732876.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9732876.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3336
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 768 -ip 768
    1⤵
      PID:1640
    • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        2⤵
        • Executes dropped EXE
        PID:2024
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        2⤵
        • Executes dropped EXE
        PID:3612
    • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4872
      • C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
        2⤵
        • Executes dropped EXE
        PID:5088

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d9732876.exe.log
      Filesize

      425B

      MD5

      4eaca4566b22b01cd3bc115b9b0b2196

      SHA1

      e743e0792c19f71740416e7b3c061d9f1336bf94

      SHA256

      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

      SHA512

      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d9732876.exe
      Filesize

      902KB

      MD5

      01c7d5427a6c495976e68839aaf213c9

      SHA1

      db6fbd787d872b3665e0554dd160b65bd1244333

      SHA256

      b74a0a7039ed5ffa1059bdc7057f7b314b005763ba7be4acd8a6cd3a601ede50

      SHA512

      03febaba55f8cd4f141538e800115f7c600ddaf35f85dbb00dcfa86aabd4316e0e7e0416fa4049bf8e1be6a6199541e8ebb22464c768656a62a019ffc6234f95

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5742061.exe
      Filesize

      749KB

      MD5

      7324e733d1b978631a2149a031b5f148

      SHA1

      e04452c9c715c827bd1924fe134efe9c30d0f85c

      SHA256

      72be3aeffbf688d43f027b0d55f8078a1cfb6bb957cdeae8478c7c34e401416e

      SHA512

      ff1bf4430708c872212ff6e095a1792f33f2062d49a8c104b6bf2778ee35119b7b314f62f4a1bbf285f9cb2103ef573503aaccdbdce7d64afac56385299fb66f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9019001.exe
      Filesize

      962KB

      MD5

      8969883b17ec6ea5d15edd685ffd23f9

      SHA1

      41dab7b1779c32aecae39e1bb7f346e6bf1d13f9

      SHA256

      b81ed3fc2262e48a613c3cc01a138d723bdb82ee0a2c6a3a33ad9288cd2f92e5

      SHA512

      0723af9ef3173e777ea682999851d521945da3b0fa18f5d45bdb698dc9b54273f7e2612658928f02c9a69c620ec2bacab3d17a32a5c0aa744df05153f9765ea5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3153928.exe
      Filesize

      305KB

      MD5

      e870d56a1c155dae420e1bb46a8b6746

      SHA1

      d1d335f099dec931c70b74c342e0ad420ae26d5e

      SHA256

      4cedbc5c130420ba8d82c2b7df27507074a667a9df7c1bd594f38906fc0f344e

      SHA512

      57d6ce67e1574b37db957654103006e8ee616f7253d0942713802e784e2be6d49ba0e0dcd4274868dee4991a22f3916dbdd419412f09e8e152fd78843bad4ad8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1166201.exe
      Filesize

      183KB

      MD5

      d18dd7e957d8eab39abe21eefd498331

      SHA1

      2d7b11252dbb1ed8cefff8d63d447b0f697a0060

      SHA256

      57f8f54609021997865fed724894ad76b78b39a48a51b47a1d97a92eb836c440

      SHA512

      c383080be8f9fbb5fd313204cc47ca9ecca8b6148362aa5ef76c219217971184472d0c4be2f1d7e9c9fbee561079b34357346507ddb882d779b06741a5ad0581

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6531757.exe
      Filesize

      145KB

      MD5

      eb7aa6277b7893ed88202a49a2f48c6e

      SHA1

      da6a7212ef6c2cf51ccc8eb3fe3e34fd73bbc298

      SHA256

      d1e96adefc5fb55c69ac390e3a7b15eb9ed2f5c9658722996f83a676ea36ca06

      SHA512

      f2c83583e4fc64fac1b8f9c44051eeb1489560f33be94565dbabff0b61d149fa9bb1854dbcd834f19de615f4c1146e36581a3c439ddaebd595f7e68167b17398

      Download Submit

    • memory/768-56-0x0000000000FC0000-0x0000000000FEA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/920-61-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/920-66-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/920-64-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/2164-60-0x0000000000A30000-0x0000000000B28000-memory.dmp

      Filesize

      992KB

      Download

    • memory/2948-70-0x0000000000A70000-0x0000000000B58000-memory.dmp

      Filesize

      928KB

      Download

    • memory/3336-84-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3336-88-0x0000000005780000-0x0000000005D98000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3336-89-0x0000000005300000-0x000000000540A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3336-90-0x0000000005240000-0x0000000005252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3336-91-0x00000000052A0000-0x00000000052DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3336-92-0x0000000005410000-0x000000000545C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3548-98-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3548-96-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3548-99-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/3612-106-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/4844-45-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-24-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-25-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-27-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-29-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-31-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-33-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-35-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-37-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-41-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-43-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-47-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-49-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-51-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-39-0x0000000004F50000-0x0000000004F66000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4844-23-0x0000000004F50000-0x0000000004F6C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4844-22-0x0000000004940000-0x0000000004EE4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4844-21-0x00000000023E0000-0x00000000023FE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5088-110-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download