Analysis
-
max time kernel
127s -
max time network
174s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 22:05
Static task
static1
Behavioral task
behavioral1
Sample
cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe
Resource
win10v2004-20220812-en
General
-
Target
cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe
-
Size
226KB
-
MD5
cdd4c17bc79e0e111d637b515d7b20df
-
SHA1
6b644f1606f5a2af380ca1dc720c7eb2fd21b1fc
-
SHA256
cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8
-
SHA512
d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed
-
SSDEEP
6144:gpKes0N5fHjkaBQXjwwyJ4jmuv7nM12pzn:Xes0NtjNBNL4jV7n5
Malware Config
Extracted
amadey
3.50
193.56.146.194/h49vlBP/index.php
Extracted
redline
pops
31.41.244.14:4694
-
auth_value
c377eb074ac3f12f85b0ff38d543b16d
Signatures
-
Detect Amadey credential stealer module 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll amadey_cred_module C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll amadey_cred_module -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe family_redline C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe family_redline behavioral1/memory/3836-147-0x0000000000AE0000-0x0000000000B08000-memory.dmp family_redline -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 34 4520 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
rovwer.exelaba.exelinda5.exerovwer.exepid process 1316 rovwer.exe 3836 laba.exe 4476 linda5.exe 552 rovwer.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
linda5.execc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exerovwer.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation linda5.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation rovwer.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exerundll32.exepid process 2136 regsvr32.exe 4520 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
rovwer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\laba.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000141001\\laba.exe" rovwer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000142001\\linda5.exe" rovwer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2960 3588 WerFault.exe cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe 2316 552 WerFault.exe rovwer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
rundll32.exelaba.exepid process 4520 rundll32.exe 4520 rundll32.exe 4520 rundll32.exe 4520 rundll32.exe 3836 laba.exe 3836 laba.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
laba.exedescription pid process Token: SeDebugPrivilege 3836 laba.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exerovwer.exelinda5.exedescription pid process target process PID 3588 wrote to memory of 1316 3588 cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe rovwer.exe PID 3588 wrote to memory of 1316 3588 cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe rovwer.exe PID 3588 wrote to memory of 1316 3588 cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe rovwer.exe PID 1316 wrote to memory of 3756 1316 rovwer.exe schtasks.exe PID 1316 wrote to memory of 3756 1316 rovwer.exe schtasks.exe PID 1316 wrote to memory of 3756 1316 rovwer.exe schtasks.exe PID 1316 wrote to memory of 3836 1316 rovwer.exe laba.exe PID 1316 wrote to memory of 3836 1316 rovwer.exe laba.exe PID 1316 wrote to memory of 3836 1316 rovwer.exe laba.exe PID 1316 wrote to memory of 4476 1316 rovwer.exe linda5.exe PID 1316 wrote to memory of 4476 1316 rovwer.exe linda5.exe PID 1316 wrote to memory of 4476 1316 rovwer.exe linda5.exe PID 4476 wrote to memory of 2136 4476 linda5.exe regsvr32.exe PID 4476 wrote to memory of 2136 4476 linda5.exe regsvr32.exe PID 4476 wrote to memory of 2136 4476 linda5.exe regsvr32.exe PID 1316 wrote to memory of 4520 1316 rovwer.exe rundll32.exe PID 1316 wrote to memory of 4520 1316 rovwer.exe rundll32.exe PID 1316 wrote to memory of 4520 1316 rovwer.exe rundll32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe"C:\Users\Admin\AppData\Local\Temp\cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe"C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe"C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /u 3dZVP.i6 /s4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 12842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3588 -ip 35881⤵
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeC:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 552 -ip 5521⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exeFilesize
137KB
MD59299834655f07e6896b1ff0b9e92c7b4
SHA1acba1e9262b4aebf020758e30326afdc99c714ad
SHA256fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257
SHA5127ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650
-
C:\Users\Admin\AppData\Local\Temp\1000141001\laba.exeFilesize
137KB
MD59299834655f07e6896b1ff0b9e92c7b4
SHA1acba1e9262b4aebf020758e30326afdc99c714ad
SHA256fe105a23e4bee42b0401669d6ce9d34dbc7816a6cbef7c7108e11adc3c339257
SHA5127ab23ac1eedb82044946bb9e6afb308580d434be45f3ebd18c5fc90cd98281738e4f50e75a3506315785e60d93e90cc4facc285fe7760985dfe0fd47771bc650
-
C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exeFilesize
1.5MB
MD552c8c983f1e3b56b898b0f0cc42cf054
SHA1e5d59471700b884f37d384e14a33ca9ba4d6f4e8
SHA25609256476bf582af3d0033de7d558262e196a1f7192ce25a1e436d24d94a2ba3a
SHA512aa73e15a564725c94ac5019f59386b41e3f6bfd84c1e895d8b523e500439a95a3369c6a2b9a545a6693d7c70b0d76483f2cab61ae96522ae7d4a47dd0af48c21
-
C:\Users\Admin\AppData\Local\Temp\1000142001\linda5.exeFilesize
1.5MB
MD552c8c983f1e3b56b898b0f0cc42cf054
SHA1e5d59471700b884f37d384e14a33ca9ba4d6f4e8
SHA25609256476bf582af3d0033de7d558262e196a1f7192ce25a1e436d24d94a2ba3a
SHA512aa73e15a564725c94ac5019f59386b41e3f6bfd84c1e895d8b523e500439a95a3369c6a2b9a545a6693d7c70b0d76483f2cab61ae96522ae7d4a47dd0af48c21
-
C:\Users\Admin\AppData\Local\Temp\3dZVP.i6Filesize
1.8MB
MD5831de3b17ad30d66472856f09bd52692
SHA1ca7d0a23ca25885062e2434213beb2ff0ca0b345
SHA2567b1f2b718cc34d584619c00077efdc305104952bf626546d5f51c30b62e970e5
SHA51297402d713c386ad74335e4694a750ef45d7f13d7d95b99af3e096e21a7ef33d19c228dab80313c5e28c88cdf7b3ed642a69797b9b02df5459a1c9601f569dcf1
-
C:\Users\Admin\AppData\Local\Temp\3dZvp.i6Filesize
1.8MB
MD5831de3b17ad30d66472856f09bd52692
SHA1ca7d0a23ca25885062e2434213beb2ff0ca0b345
SHA2567b1f2b718cc34d584619c00077efdc305104952bf626546d5f51c30b62e970e5
SHA51297402d713c386ad74335e4694a750ef45d7f13d7d95b99af3e096e21a7ef33d19c228dab80313c5e28c88cdf7b3ed642a69797b9b02df5459a1c9601f569dcf1
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
226KB
MD5cdd4c17bc79e0e111d637b515d7b20df
SHA16b644f1606f5a2af380ca1dc720c7eb2fd21b1fc
SHA256cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8
SHA512d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
226KB
MD5cdd4c17bc79e0e111d637b515d7b20df
SHA16b644f1606f5a2af380ca1dc720c7eb2fd21b1fc
SHA256cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8
SHA512d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exeFilesize
226KB
MD5cdd4c17bc79e0e111d637b515d7b20df
SHA16b644f1606f5a2af380ca1dc720c7eb2fd21b1fc
SHA256cc6573c4ad6f0700c00a02ed4bc305107eecd995f1612be99f07f318017efec8
SHA512d7f4ffad5cca735d073e0b4dff54635a62170015a109e18ff227f864654d9f0c7fed76ed3019fd1badc7eedd9046b9bc526d96a20c554e5f6e2480d886eb31ed
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5674cec24e36e0dfaec6290db96dda86e
SHA1581e3a7a541cc04641e751fc850d92e07236681f
SHA256de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA5126d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dllFilesize
126KB
MD5674cec24e36e0dfaec6290db96dda86e
SHA1581e3a7a541cc04641e751fc850d92e07236681f
SHA256de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA5126d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-
memory/552-176-0x00000000008E0000-0x00000000008FF000-memory.dmpFilesize
124KB
-
memory/552-177-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/1316-143-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/1316-139-0x0000000002210000-0x000000000224E000-memory.dmpFilesize
248KB
-
memory/1316-135-0x0000000000000000-mapping.dmp
-
memory/1316-138-0x000000000098C000-0x00000000009AB000-memory.dmpFilesize
124KB
-
memory/1316-140-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/2136-158-0x0000000002F90000-0x00000000030E9000-memory.dmpFilesize
1.3MB
-
memory/2136-167-0x00000000031F0000-0x00000000032EE000-memory.dmpFilesize
1016KB
-
memory/2136-164-0x00000000033C0000-0x0000000003471000-memory.dmpFilesize
708KB
-
memory/2136-159-0x00000000031F0000-0x00000000032EE000-memory.dmpFilesize
1016KB
-
memory/2136-163-0x00000000032F0000-0x00000000033B5000-memory.dmpFilesize
788KB
-
memory/2136-155-0x0000000000000000-mapping.dmp
-
memory/3588-133-0x0000000002450000-0x000000000248E000-memory.dmpFilesize
248KB
-
memory/3588-142-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3588-132-0x000000000089E000-0x00000000008BD000-memory.dmpFilesize
124KB
-
memory/3588-134-0x0000000000400000-0x000000000071A000-memory.dmpFilesize
3.1MB
-
memory/3756-141-0x0000000000000000-mapping.dmp
-
memory/3836-149-0x0000000005560000-0x000000000566A000-memory.dmpFilesize
1.0MB
-
memory/3836-147-0x0000000000AE0000-0x0000000000B08000-memory.dmpFilesize
160KB
-
memory/3836-144-0x0000000000000000-mapping.dmp
-
memory/3836-151-0x00000000054F0000-0x000000000552C000-memory.dmpFilesize
240KB
-
memory/3836-150-0x0000000005490000-0x00000000054A2000-memory.dmpFilesize
72KB
-
memory/3836-168-0x0000000006200000-0x0000000006266000-memory.dmpFilesize
408KB
-
memory/3836-169-0x0000000006A20000-0x0000000006FC4000-memory.dmpFilesize
5.6MB
-
memory/3836-170-0x0000000006550000-0x00000000065E2000-memory.dmpFilesize
584KB
-
memory/3836-171-0x0000000006FD0000-0x0000000007192000-memory.dmpFilesize
1.8MB
-
memory/3836-172-0x00000000076D0000-0x0000000007BFC000-memory.dmpFilesize
5.2MB
-
memory/3836-173-0x0000000006880000-0x00000000068F6000-memory.dmpFilesize
472KB
-
memory/3836-174-0x0000000006900000-0x0000000006950000-memory.dmpFilesize
320KB
-
memory/3836-148-0x0000000005A30000-0x0000000006048000-memory.dmpFilesize
6.1MB
-
memory/4476-152-0x0000000000000000-mapping.dmp
-
memory/4520-160-0x0000000000000000-mapping.dmp