Analysis
max time kernel: 183s
max time network: 214s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 00:12

Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20221111-en)
General
Target: file.exe
Size: 331KB
MD5: 008a0ba6dce7fc04132a2e11096c822c
SHA1: 4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5
SHA256: 440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90
SHA512: 65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8
SSDEEP: 6144:NCHVs7DyEPUAQwU8KxZsNdlJbR2gOjIDcgeVS:NC1ODxPUAwxYP1JdDcgeVS
Malware Config
Extracted: amadey
  version: 3.50
  C2: 31.41.244.167/v7eWcjs/index.php
Extracted: redline
  botnet: nosh
  C2: 31.41.244.14:4683
  auth_value: 7455ba4498ca1bfb73b0efbf830fb9b4
Signatures

Detect Amadey credential stealer module (2 IoCs)
  resource                                                   yara_rule
  C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll   amadey_cred_module
  C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll   amadey_cred_module

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Blocklisted process makes network request (1 IoC)
  flow   pid    process
  63     4992   rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
  pid    process
  2800   gntuud.exe
  3116   gntuud.exe
  4032   nash.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                    process
  Key value queried   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation    gntuud.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation    file.exe

Loads dropped DLL (1 IoC)
  pid    process
  4992   rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description   ioc                                                                                                                                                 process
  Key opened    \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (6 IoCs)
  pid    pid_target   process        target process
  1136   208          WerFault.exe   file.exe
  4468   3116         WerFault.exe   gntuud.exe
  3352   208          WerFault.exe   file.exe
  4916   208          WerFault.exe   file.exe
  4748   3116         WerFault.exe   gntuud.exe
  4160   3116         WerFault.exe   gntuud.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    process
  4992   rundll32.exe
  4992   rundll32.exe
  4992   rundll32.exe
  4992   rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    process      target process
  PID 208 wrote to memory of 2800    208    file.exe     gntuud.exe
  PID 208 wrote to memory of 2800    208    file.exe     gntuud.exe
  PID 208 wrote to memory of 2800    208    file.exe     gntuud.exe
  PID 2800 wrote to memory of 1504   2800   gntuud.exe   schtasks.exe
  PID 2800 wrote to memory of 1504   2800   gntuud.exe   schtasks.exe
  PID 2800 wrote to memory of 1504   2800   gntuud.exe   schtasks.exe
  PID 2800 wrote to memory of 4992   2800   gntuud.exe   rundll32.exe
  PID 2800 wrote to memory of 4992   2800   gntuud.exe   rundll32.exe
  PID 2800 wrote to memory of 4992   2800   gntuud.exe   rundll32.exe
  PID 2800 wrote to memory of 4032   2800   gntuud.exe   nash.exe
  PID 2800 wrote to memory of 4032   2800   gntuud.exe   nash.exe
  PID 2800 wrote to memory of 4032   2800   gntuud.exe   nash.exe

outlook_win_path (1 IoC)
  description   ioc                                                                                                                                                 process
  Key opened    \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe
Processes (indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

    C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe"
      - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1304
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1308
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1224
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 208 -ip 208

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 544
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 796
    - Program crash

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 804
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 208 -ip 208

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3116 -ip 3116
Downloads
C:\Users\Admin\AppData\Local\Temp\1000013001\nash.exe
  Filesize: 175KB
  MD5: f9021651b165064dfbe6662f543e1792
  SHA1: 104ab0e4fb3302dd77489f9d41ee28b60d06adc0
  SHA256: fc0e730c9b09606eb09f91f39d9e780f005bd0f1674ee411cbb0de75acbe4bae
  SHA512: 1b747dd451092bfa6115c0993e7ad84b4262cbf4b0b91f6418544d5796d145b9cc6fec8bcf4b6a63644b9458f987469ded3580ac6aa378cb435fe86fe14ab96f
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Filesize: 331KB
  MD5: 008a0ba6dce7fc04132a2e11096c822c
  SHA1: 4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5
  SHA256: 440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90
  SHA512: 65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8
C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
  Filesize: 126KB
  MD5: aebf8cd9ea982decded5ee6f3777c6d7
  SHA1: 406e723158cd5697503d1d04839d3bc7a5051603
  SHA256: 104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
  SHA512: f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
memory/208-132-0x0000000000799000-0x00000000007B8000-memory.dmp (124KB)
memory/208-142-0x0000000000799000-0x00000000007B8000-memory.dmp (124KB)
memory/208-143-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
memory/208-134-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
memory/208-154-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
memory/208-133-0x00000000005C0000-0x00000000005FE000-memory.dmp (248KB)
memory/1504-138-0x0000000000000000-mapping.dmp
memory/2800-140-0x0000000001FB0000-0x0000000001FEE000-memory.dmp (248KB)
memory/2800-141-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
memory/2800-135-0x0000000000000000-mapping.dmp
memory/2800-139-0x0000000000728000-0x0000000000747000-memory.dmp (124KB)
memory/3116-146-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
memory/3116-145-0x00000000005EC000-0x000000000060A000-memory.dmp (120KB)
memory/3116-159-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
memory/4032-150-0x0000000000000000-mapping.dmp
memory/4032-153-0x00000000008F0000-0x0000000000922000-memory.dmp (200KB)
memory/4032-155-0x0000000005800000-0x0000000005E18000-memory.dmp (6.1MB)
memory/4032-156-0x0000000005380000-0x000000000548A000-memory.dmp (1.0MB)
memory/4032-157-0x00000000052B0000-0x00000000052C2000-memory.dmp (72KB)
memory/4032-158-0x0000000005490000-0x00000000054CC000-memory.dmp (240KB)
memory/4992-147-0x0000000000000000-mapping.dmp