Overview

overview

10

Static

static

3

2e13e9a0be...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e13e9a0be4d0a3676821aa9399cb8ec3771d87624abb4914d34859c25e785d2N.exe

  • Size

    1.1MB

  • MD5

    335989aa404696143c4faef1f7536be0

  • SHA1

    df6089bddb6f9249c2c5707a3f715bf8cc20b648

  • SHA256

    2e13e9a0be4d0a3676821aa9399cb8ec3771d87624abb4914d34859c25e785d2

  • SHA512

    6021c1499f2be4f9885321c2fd00bc32a12c00312385d5f5bd11228f2ae77778d7d44c7244362a4daa294cdbb9782d15a5d5f0665dc2590d1bf73606acb3956f

  • SSDEEP

    24576:0yigj1BmLrEl5fUyMqYWAepSSydarz5mmOF70sfMEhUv:D1HmLeaiQShz5uF70skEa

Score
10/10
amadeyhealerredline47f88fladamaxidiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

185.161.248.90:4125

Attributes
  • auth_value

    0b3678897547fedafe314eda5a2015ba

Extracted

Family

amadey

Version

3.70

Botnet

47f88f

C2

http://193.201.9.43

Attributes
  • install_dir

    595f021478

  • install_file

    oneetx.exe

  • strings_key

    4971eddfd380996ae21bea987102e417

  • url_paths

    /plays/chapter/index.php

rc4.plain

Extracted

Family

redline

Botnet

maxi

C2

185.161.248.90:4125

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e13e9a0be4d0a3676821aa9399cb8ec3771d87624abb4914d34859c25e785d2N.exe
    "C:\Users\Admin\AppData\Local\Temp\2e13e9a0be4d0a3676821aa9399cb8ec3771d87624abb4914d34859c25e785d2N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki944383.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki944383.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki275218.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki275218.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4552
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki298710.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki298710.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5040
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az884841.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az884841.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4288
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu653250.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu653250.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:212
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1084
              6⤵
              • Program crash
              PID:3004
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor5510.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor5510.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:760
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 1524
            5⤵
            • Program crash
            PID:2920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgu19s62.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgu19s62.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
          "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe" /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:8
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft249710.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft249710.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4364
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 212 -ip 212
    1⤵
      PID:4736
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3744 -ip 3744
      1⤵
        PID:1340
      • C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
        C:\Users\Admin\AppData\Local\Temp\595f021478\oneetx.exe
        1⤵
        • Executes dropped EXE
        PID:3612

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ft249710.exe
        Filesize

        168KB

        MD5

        f3f0110dd728ebd7a2e20609f3b7ff33

        SHA1

        9e846ddfc4e53793c77a8b74395ed1c1c73da027

        SHA256

        f7dbb53256eb8a1896925f31a12ef486afea188abd1ff3b67ae7325e5e756751

        SHA512

        81da25c6e399a6f312473b567541a72cb9a7907dec4a572af2e3b44fe8ff37465a06652b8cf903e152518f518b16a5055c598f34dd96306aa1b620d0b0a0bc4f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki944383.exe
        Filesize

        983KB

        MD5

        6e2e30287c9b1cefc85a4e32e64beeb8

        SHA1

        a90574129b131331ba979669caf0ab373ca37fd1

        SHA256

        c7b501136eccb3c7203de900e736543afca970b9304c0584d265d01f4f16d743

        SHA512

        a1178d0058f112c3aaf56159475abe04c13b5e766f0fdae6e7ddc3e47701bd62d4db251cefbf60badbfc32e19ab010997942f8741ddfc76ab780a23d7169b3e8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgu19s62.exe
        Filesize

        229KB

        MD5

        ee1f5f0e1168ce5938997c932b4dcd27

        SHA1

        b8c0928da3a41d579c19f44b9e1fef6014d06452

        SHA256

        dea01b17d6e06c3bdf6f5387faa77a788ce9726a3110db90294b2e207b3d51ed

        SHA512

        bacc2d22b71bc5bc73c0699aaf4e2271effa4fe47c3ac63f3ee3ae3385d963eb6f93db082a9530d75d5c6f13884f30b0375d41badfe540f31ef747003a36c0a8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki275218.exe
        Filesize

        800KB

        MD5

        7d743ff92e977a83f3077b5000f89bcc

        SHA1

        f2d2f76c27332856cc9544d26c60b09db5416871

        SHA256

        080694ad340c4ac49c6a3181cc206de8a3efb4f9e3d9f3c86ad90a0434b04fa8

        SHA512

        523b30ee89ebf6a4270d3c4b80625c213e8edd51e35b30ed4c74dabef8cab5205a68ca3ce45356600d0daa25712d1c4123b997f995c386001406beb0c793db80

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cor5510.exe
        Filesize

        438KB

        MD5

        03c002b4a8368a7f10a3fcbef3b82d65

        SHA1

        f0109179bdeff558aa74b5335064ef89340844fa

        SHA256

        2973b43b83a7a6c0290cd23a212c5c047df7dea8ff81908abc830fc15f74f724

        SHA512

        b2d576ca806f9e049fc2556ae60bdb3122712cb4a199a7d4338830842158c3a6f1c5fe81fc361ce2598f61544658e6092865ea8f9fd258a0ea734b047cc6dd89

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki298710.exe
        Filesize

        333KB

        MD5

        92207e361ec42f32d5b3927a0224ca84

        SHA1

        76089adace1a2018fc127f9d372aeec59e41043b

        SHA256

        40dec182f0b61b1ffcd43ce326ca42730e7d5c42066ffecf9aa228201b60c9a1

        SHA512

        46f00edd36b1704c2895cc8ee16aa1a1c338793b052b9800cfd7f36297da03646199cdcac5c2fd80901a6d57c9cde2c306594613518b39ac278476e1c43abfa0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az884841.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu653250.exe
        Filesize

        254KB

        MD5

        d505a59abab043e584725a5e0a71295b

        SHA1

        42972ced982a24c462e522490e5d973a6809fb9e

        SHA256

        0aa0ed9db477f48e725e71f1212c814f3d068a06095c10adc2277a17e983ebc7

        SHA512

        d431612948d0d63dc281c5afce0f37c3a2b20950fa0a52306bafe767a9e257b55cc56603d433275a5233e13b12f8f93d759ccf6da4755b2304796837126da080

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        03728fed675bcde5256342183b1d6f27

        SHA1

        d13eace7d3d92f93756504b274777cc269b222a2

        SHA256

        f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0

        SHA512

        6e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1

        Download Submit

      • memory/212-50-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-42-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-44-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-62-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-60-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-58-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-56-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-54-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-52-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-34-0x00000000023A0000-0x00000000023BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/212-48-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-46-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-40-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-37-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-64-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-39-0x0000000002550000-0x0000000002562000-memory.dmp

        Filesize

        72KB

        Download

      • memory/212-65-0x0000000000400000-0x00000000004AF000-memory.dmp

        Filesize

        700KB

        Download

      • memory/212-67-0x0000000000400000-0x00000000004AF000-memory.dmp

        Filesize

        700KB

        Download

      • memory/212-35-0x0000000004C50000-0x00000000051F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/212-36-0x0000000002550000-0x0000000002568000-memory.dmp

        Filesize

        96KB

        Download

      • memory/760-2230-0x0000000004D20000-0x0000000004D26000-memory.dmp

        Filesize

        24KB

        Download

      • memory/760-2229-0x0000000000540000-0x000000000056E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/760-2239-0x00000000050B0000-0x00000000050FC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/760-2231-0x00000000054B0000-0x0000000005AC8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/760-2234-0x0000000004F20000-0x0000000004F5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/760-2233-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/760-2232-0x0000000004FA0000-0x00000000050AA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3744-73-0x0000000004C00000-0x0000000004C66000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3744-96-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-94-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-91-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-89-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-87-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-81-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-79-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-107-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-103-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-85-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-97-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-99-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-101-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-105-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-83-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-77-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-72-0x0000000002460000-0x00000000024C8000-memory.dmp

        Filesize

        416KB

        Download

      • memory/3744-75-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-74-0x0000000004C00000-0x0000000004C60000-memory.dmp

        Filesize

        384KB

        Download

      • memory/3744-2216-0x0000000005400000-0x0000000005432000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4288-28-0x0000000000640000-0x000000000064A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4364-2253-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4364-2254-0x00000000052E0000-0x00000000052E6000-memory.dmp

        Filesize

        24KB

        Download