Analysis
-
max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 08:55
Static task: static1
Behavioral task: behavioral1
Sample: e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe
Resource: win10v2004-20220812-en
General
-
Target: e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe
Size: 247KB
MD5: 798ff0b559822277e4ac2f672152171d
SHA1: 10bb06bcc4d6cf3c1cce06ae178488afe4e64c51
SHA256: e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b
SHA512: dfe1c14446b2a52529fb5cea43967fa99cec4d91bc46afcbe536fcac3299e00c226dbb2b7df814d842c90c2c647efdd83988fa47f4fdb3edd47cd750bb18bf45
SSDEEP: 3072:qh2ugGVHrD61I8L5psIRuVi5DWRUoE7qN8QYUl9wcwUy8PpfnuF09BeqZFtFsGLX:C21L5pDu9RUoE7qBxkRO1numeqP9X
Malware Config
-
Extracted
Family: amadey
Version: 3.50
C2: 193.56.146.194/h49vlBP/index.php
-
Extracted
Family: redline
Botnet: NewYear2023
C2: 185.106.92.111:2510
Attributes: auth_value = 99e9bde3b38509ea98c3316cc27e6106
-
Extracted
Family: laplas
C2: clipper.guru
Attributes: api_key = ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
Signatures
-
Detect Amadey credential stealer module 2 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll  yara_rule: amadey_cred_module
  resource: C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll  yara_rule: amadey_cred_module
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe  yara_rule: family_redline
  resource: C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe  yara_rule: family_redline
  resource: behavioral1/memory/3764-145-0x00000000009D0000-0x00000000009F8000-memory.dmp  yara_rule: family_redline
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow: 31  pid: 4436  process: rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
  pid: 3088  process: rovwer.exe
  pid: 3764  process: non.exe
  pid: 4888  process: ree.exe
  pid: 4208  process: linda5.exe
  pid: 5064  process: rovwer.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  process: rovwer.exe
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  process: linda5.exe
  description: Key value queried  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  process: e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid: 3128  process: msiexec.exe
  pid: 4436  process: rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  process: rundll32.exe
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\non.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000130001\\non.exe"  process: rovwer.exe
  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ree.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000131001\\ree.exe"  process: rovwer.exe
  description: Set value (str)  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000133001\\linda5.exe"  process: rovwer.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
  pid: 4796  pid_target: 4368  process: WerFault.exe  target process: e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe
  pid: 2728  pid_target: 5064  process: WerFault.exe  target process: rovwer.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid: 3136  process: schtasks.exe
  pid: 2132  process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid: 3764  process: non.exe (2 entries)
  pid: 4436  process: rundll32.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description: Token: SeDebugPrivilege  pid: 3764  process: non.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  PID 4368 (e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe) wrote to memory of PID 3088 (rovwer.exe) (3 entries)
  PID 3088 (rovwer.exe) wrote to memory of PID 3136 (schtasks.exe) (3 entries)
  PID 3088 (rovwer.exe) wrote to memory of PID 3764 (non.exe) (3 entries)
  PID 3088 (rovwer.exe) wrote to memory of PID 4888 (ree.exe) (3 entries)
  PID 3088 (rovwer.exe) wrote to memory of PID 4208 (linda5.exe) (3 entries)
  PID 4208 (linda5.exe) wrote to memory of PID 3128 (msiexec.exe) (3 entries)
  PID 4888 (ree.exe) wrote to memory of PID 4692 (cmd.exe) (3 entries)
  PID 4692 (cmd.exe) wrote to memory of PID 2132 (schtasks.exe) (3 entries)
  PID 3088 (rovwer.exe) wrote to memory of PID 4436 (rundll32.exe) (3 entries)
-
outlook_win_path 1 IoCs
Processes:
  description: Key opened  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  process: rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /C schtasks /create /tn KaAOqfgxzZ /tr C:\Users\Admin\AppData\Roaming\KaAOqfgxzZ\JnEdxrtoRb.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /tn KaAOqfgxzZ /tr C:\Users\Admin\AppData\Roaming\KaAOqfgxzZ\JnEdxrtoRb.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
          - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\msiexec.exe
        command line: "C:\Windows\System32\msiexec.exe" -y .\xZew.U
        - Loads dropped DLL
    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1136
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4368 -ip 4368
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 424
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5064 -ip 5064
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000130001\non.exe
Filesize: 137KB
MD5: c8fbf7e62159275b2d13849b26341184
SHA1: a1245f045d07a1edf3690b7a2e09b65036342f9a
SHA256: 96062d8acceacfd16b85960764411640718d9bc7b56cabd43cf664d07744368a
SHA512: 81b1c74d56900f034b7076091dbe2102b1a3434524b5c7d92e2310166bf6a059079181532db09a007207688a22e563f05d31081c509530ba122d1a385126c216
-
C:\Users\Admin\AppData\Local\Temp\1000131001\ree.exe
Filesize: 4.6MB
MD5: f6829a19455a7b24a79e0b984d2a42d9
SHA1: c71d657301d721b42c52c0252aa5fe0dbfb04f9f
SHA256: 7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b
SHA512: e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c
-
C:\Users\Admin\AppData\Local\Temp\1000133001\linda5.exe
Filesize: 1.7MB
MD5: ab096a32e13a22485de8e5d843bdd5e3
SHA1: be867d609bf8e38b9a3c6bc03f7caf16ee92bb9c
SHA256: 364ad5d08966d3e1694054fc3ae4360dbb81e21cacebd24442b1bb37fe991558
SHA512: 35a5b8f56047f9977747ec68cc2c97d28e8c75a9d34b8e19e080ad35939e16f9afde45ce73dbec3e97d82fb514361c854fde4d5ccd12d4d5c96c79a3a4d35966
-
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize: 247KB
MD5: 798ff0b559822277e4ac2f672152171d
SHA1: 10bb06bcc4d6cf3c1cce06ae178488afe4e64c51
SHA256: e49b3fdea8e24430453b8b8691da0f8959d93a0a6d8007d0846282498e53636b
SHA512: dfe1c14446b2a52529fb5cea43967fa99cec4d91bc46afcbe536fcac3299e00c226dbb2b7df814d842c90c2c647efdd83988fa47f4fdb3edd47cd750bb18bf45
-
C:\Users\Admin\AppData\Local\Temp\xZew.U
Filesize: 2.0MB
MD5: 25d2fc1ba77872da52162dc64c52c366
SHA1: dd8e82f724114c02ef59661b574edf39a13ea477
SHA256: 29b90675adfbfe4ff879d6372c155e803acdf7bcfa0b3fa672519a8b5dd3b761
SHA512: 016a9ec956b4a1caaadcea7c005f7174d5443fd6c03764749fba7b9f36a4d728d5197d404cb1ac7a7420cff9eea4d7319e861d2669fc33eea154d30fb93537f0
-
C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
Filesize: 126KB
MD5: 674cec24e36e0dfaec6290db96dda86e
SHA1: 581e3a7a541cc04641e751fc850d92e07236681f
SHA256: de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
SHA512: 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
-