Analysis
-
max time kernel
134s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
12-11-2022 13:15
General
-
Target
773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b.exe
-
Size
259KB
-
MD5
c6fbed69bf7f6a50dd27c2e4b5dc3607
-
SHA1
90e5b712608e74b31b7b99ce9b75465c401f47b6
-
SHA256
773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b
-
SHA512
ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336
-
SSDEEP
3072:/88XR1VlLhjtoLnhKr2TU/nR22iZMsnOKRwlpmsXbc2/N6gCzsakhExUVUBzsZi3:/N3LQLhKr8wQ3alpigeRkhExxzsbVmn
Malware Config
Extracted
redline
boy
77.73.134.241:4691
-
auth_value
a91fa8cc2cfaefc42a23c03faef44bd3
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 8 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 4 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b.exe"C:\Users\Admin\AppData\Local\Temp\773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\1000006000\lego.exe"C:\Users\Admin\AppData\Roaming\1000006000\lego.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\1000007001\mana.exe"C:\Users\Admin\AppData\Local\Temp\1000007001\mana.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 12122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1176 -ip 11761⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000007001\mana.exeFilesize
137KB
MD5e63d74cec6926b2d04e474b889d08af4
SHA1a64a888ccfb4e82ade71f1a00a7ae681d29c7bcb
SHA256a9ffffff38aca59d7d2f041fbdb253ca612c7ba2d597782b2e6a59a914f49b33
SHA512fd59c0a1c613611002e52a309ee4baad626df8fbbd8c0c230bcb8e6fed4a3059296ab11b88a1d25a0f54c65f730a027f876629298120f7b4c251bf6d2aaed148
-
C:\Users\Admin\AppData\Local\Temp\1000007001\mana.exeFilesize
137KB
MD5e63d74cec6926b2d04e474b889d08af4
SHA1a64a888ccfb4e82ade71f1a00a7ae681d29c7bcb
SHA256a9ffffff38aca59d7d2f041fbdb253ca612c7ba2d597782b2e6a59a914f49b33
SHA512fd59c0a1c613611002e52a309ee4baad626df8fbbd8c0c230bcb8e6fed4a3059296ab11b88a1d25a0f54c65f730a027f876629298120f7b4c251bf6d2aaed148
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
259KB
MD5c6fbed69bf7f6a50dd27c2e4b5dc3607
SHA190e5b712608e74b31b7b99ce9b75465c401f47b6
SHA256773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b
SHA512ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
259KB
MD5c6fbed69bf7f6a50dd27c2e4b5dc3607
SHA190e5b712608e74b31b7b99ce9b75465c401f47b6
SHA256773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b
SHA512ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Roaming\1000006000\lego.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Roaming\1000006000\lego.exeFilesize
241KB
MD5b466f58861bb4069db99312de146a2e8
SHA1295f06794b26ba5ac7c73fbf636c581624f897cd
SHA2566cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420
SHA5128693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5b8d80046e28849a320a3dcd868b73d7c
SHA1f15bc4a4c5189e7aa845213469c6def5afd68186
SHA256d23147a448d24f81d81d4bb226f3fc968386792c0987dda75917104b5ecd9d5a
SHA512b7f6d59ee55d2b579c2185560d2e660c1952f9214f3db3096b1358af3559fd985859aa3389be333c826f35b85cd63c6f65a03e65a7ad57c7834bb09abd1d853e
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5b8d80046e28849a320a3dcd868b73d7c
SHA1f15bc4a4c5189e7aa845213469c6def5afd68186
SHA256d23147a448d24f81d81d4bb226f3fc968386792c0987dda75917104b5ecd9d5a
SHA512b7f6d59ee55d2b579c2185560d2e660c1952f9214f3db3096b1358af3559fd985859aa3389be333c826f35b85cd63c6f65a03e65a7ad57c7834bb09abd1d853e
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5b8d80046e28849a320a3dcd868b73d7c
SHA1f15bc4a4c5189e7aa845213469c6def5afd68186
SHA256d23147a448d24f81d81d4bb226f3fc968386792c0987dda75917104b5ecd9d5a
SHA512b7f6d59ee55d2b579c2185560d2e660c1952f9214f3db3096b1358af3559fd985859aa3389be333c826f35b85cd63c6f65a03e65a7ad57c7834bb09abd1d853e
-
memory/100-154-0x0000000000000000-mapping.dmp
-
memory/1132-149-0x0000000000000000-mapping.dmp
-
memory/1176-136-0x0000000000830000-0x000000000086E000-memory.dmpFilesize
248KB
-
memory/1176-137-0x0000000000400000-0x000000000059C000-memory.dmpFilesize
1.6MB
-
memory/1176-135-0x00000000008F8000-0x0000000000917000-memory.dmpFilesize
124KB
-
memory/1272-144-0x0000000000000000-mapping.dmp
-
memory/1524-150-0x0000000000000000-mapping.dmp
-
memory/1536-176-0x00000000006A0000-0x00000000006C4000-memory.dmpFilesize
144KB
-
memory/1536-172-0x0000000000000000-mapping.dmp
-
memory/2312-147-0x0000000000000000-mapping.dmp
-
memory/2668-177-0x0000000000000000-mapping.dmp
-
memory/2668-181-0x0000000000800000-0x0000000000824000-memory.dmpFilesize
144KB
-
memory/3548-132-0x0000000000000000-mapping.dmp
-
memory/3548-140-0x0000000000400000-0x000000000059C000-memory.dmpFilesize
1.6MB
-
memory/3548-139-0x00000000005C8000-0x00000000005E7000-memory.dmpFilesize
124KB
-
memory/3548-164-0x0000000000400000-0x000000000059C000-memory.dmpFilesize
1.6MB
-
memory/3568-158-0x0000000000990000-0x00000000009B8000-memory.dmpFilesize
160KB
-
memory/3568-161-0x0000000005340000-0x0000000005352000-memory.dmpFilesize
72KB
-
memory/3568-167-0x00000000068B0000-0x0000000006E54000-memory.dmpFilesize
5.6MB
-
memory/3568-168-0x00000000064B0000-0x0000000006526000-memory.dmpFilesize
472KB
-
memory/3568-169-0x0000000006350000-0x00000000063A0000-memory.dmpFilesize
320KB
-
memory/3568-170-0x0000000008030000-0x00000000081F2000-memory.dmpFilesize
1.8MB
-
memory/3568-171-0x0000000008730000-0x0000000008C5C000-memory.dmpFilesize
5.2MB
-
memory/3568-165-0x00000000056B0000-0x0000000005716000-memory.dmpFilesize
408KB
-
memory/3568-162-0x00000000053A0000-0x00000000053DC000-memory.dmpFilesize
240KB
-
memory/3568-166-0x0000000006260000-0x00000000062F2000-memory.dmpFilesize
584KB
-
memory/3568-160-0x0000000005410000-0x000000000551A000-memory.dmpFilesize
1.0MB
-
memory/3568-159-0x0000000005890000-0x0000000005EA8000-memory.dmpFilesize
6.1MB
-
memory/3568-155-0x0000000000000000-mapping.dmp
-
memory/3924-152-0x0000000000000000-mapping.dmp
-
memory/4084-153-0x0000000000000000-mapping.dmp
-
memory/4240-148-0x0000000000000000-mapping.dmp
-
memory/4920-138-0x0000000000000000-mapping.dmp
-
memory/4972-141-0x0000000000000000-mapping.dmp
-
memory/5024-151-0x0000000000000000-mapping.dmp