Analysis
- max time kernel: 177s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 05:18
Static task: static1
Behavioral task: behavioral1
- Sample: f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe
- Resource: win10v2004-20221111-en
General
- Target: f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe
- Size: 359KB
- MD5: 6b9df39ff3bc394a9aa4ca61ed44c281
- SHA1: 0493642d0e978c91463716a6e2a0ac2efe4f4bef
- SHA256: f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16
- SHA512: a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327
- SSDEEP: 6144:G9X5jyr2LSFHl90ezQ5louvgclYgHq50TScoCF:G9XVyyeFHl901TnHq52FxF
Malware Config
Extracted
  Family: amadey
  Version: 3.50
  C2: 62.204.41.6/p9cWxH/index.php
Extracted
  Family: redline
  Botnet: wosh
  C2: 31.41.244.14:4683
  Attributes:
    auth_value: f0ec85e2aaa9e62929e2fb9e09d843f4
Signatures
-
Detect Amadey credential stealer module 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  98 | 4896 | rundll32.exe
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
  pid | process
  1484 | gntuud.exe
  4832 | gntuud.exe
  4856 | wish.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | gntuud.exe
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  4896 | rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature says "likely ransomware behaviour", but nothing else in this report shows encryption activity; with an Amadey credential module and a RedLine payload in the chain, drive enumeration is better read as a stealer looking for files to harvest.
-
Program crash 2 IoCs
Processes:
  pid | pid_target | process | target process
  3120 | 2524 | WerFault.exe | f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe
  3996 | 4832 | WerFault.exe | gntuud.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid | process
  4896 | rundll32.exe (4 events)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description | pid | process | target process
  PID 2524 wrote to memory of 1484 | 2524 | f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe | gntuud.exe (3 events)
  PID 1484 wrote to memory of 4644 | 1484 | gntuud.exe | schtasks.exe (3 events)
  PID 1484 wrote to memory of 4896 | 1484 | gntuud.exe | rundll32.exe (3 events)
  PID 1484 wrote to memory of 4856 | 1484 | gntuud.exe | wish.exe (3 events)
Every target here is a child the writing process itself had just spawned, so this signature is recording ordinary process creation, not injection into an unrelated process.
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe (PID 2524)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe (PID 1484)
    Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 4644)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
      Signatures: Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\rundll32.exe (PID 4896)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
    - [3] C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe (PID 4856)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe"
      Signatures: Executes dropped EXE
  - [2] C:\Windows\SysWOW64\WerFault.exe (PID 3120)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1136
    Signatures: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2524 -ip 2524
- [1] C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe (PID 4832)
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Signatures: Executes dropped EXE
  - [2] C:\Windows\SysWOW64\WerFault.exe (PID 3996)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 416
    Signatures: Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4832 -ip 4832

Two details in this tree matter for detection. schtasks.exe and rundll32.exe are requested by their System32 paths but run from SysWOW64: gntuud.exe is a 32-bit process and WoW64 file-system redirection rewrites its System32 references, so a rule keyed on the exact image path has to match both directories. The task it registers fires every minute (/SC MINUTE /MO 1), re-launches gntuud.exe from the Temp folder and uses /F to overwrite any existing task of the same name; the second, parentless gntuud.exe (PID 4832) that appears later and crashes is consistent with that task firing. cred64.dll is run by calling its Main export through rundll32.exe, which is why the Outlook profile access, process enumeration and network request in the signatures are attributed to rundll32.exe rather than to Amadey's own binary.
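The persistence and credential-theft steps in this tree are the ones worth alerting on. The following Python is an added example, not part of the Triage report or of the malware, that runs a few detections over process-creation records constructed from the command lines above (the pid/ppid/image/cmd field names are an assumption about the telemetry format, not a real export): a schtasks /Create with a minute-interval trigger whose /TR points into a user-writable directory, rundll32 loading a DLL from AppData with an explicit export, the System32-versus-SysWOW64 path mismatch that marks the calling parent as a 32-bit process, and a WerFault -p invocation tied back to the process that crashed.

```python
import re
from typing import Dict, List

# Constructed from the process tree in this report (not a real telemetry export);
# the field names pid/ppid/image/cmd are an assumption about the log format.
EVENTS: List[Dict] = [
    {"pid": 2524, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16.exe"'},
    {"pid": 1484, "ppid": 2524,
     "image": r"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"'},
    {"pid": 4644, "ppid": 1484,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe '
            r'/TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F'},
    {"pid": 4896, "ppid": 1484,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'},
    {"pid": 4856, "ppid": 1484,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe"'},
    {"pid": 3120, "ppid": 2524,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1136"},
]

# Directories an unprivileged user can write to; a scheduled task or a rundll32
# export call that targets a file here is worth an alert on its own.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def tokens(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyze(events: List[Dict]) -> List[Dict]:
    """Run the detections over the records; each finding names the rule that fired."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for e in events:
        toks = tokens(e["cmd"])
        args = toks[1:]
        name = e["image"].rsplit("\\", 1)[-1].lower()

        # A 32-bit caller that asks for System32\x.exe is redirected to
        # SysWOW64\x.exe, so the mismatch reveals the bitness of the parent.
        if toks and "\\syswow64\\" in e["image"].lower() and "\\system32\\" in toks[0].lower():
            parent = by_pid.get(e["ppid"], {}).get("image", "?")
            findings.append({"pid": e["pid"], "rule": "wow64-redirect",
                             "detail": f"32-bit parent {parent}"})

        if name == "schtasks.exe" and any(a.upper() == "/CREATE" for a in args):
            # Pair each /switch with the token that follows it.
            opts = {args[i].upper(): args[i + 1]
                    for i in range(len(args) - 1) if args[i].startswith("/")}
            target = opts.get("/TR", "")
            if opts.get("/SC", "").upper() == "MINUTE" and USER_WRITABLE.search(target):
                findings.append({"pid": e["pid"], "rule": "schtasks-minute-persistence",
                                 "detail": f"task {opts.get('/TN')} every {opts.get('/MO', '1')} min -> {target}"})

        if name == "rundll32.exe" and args:
            # rundll32 syntax is "<dll>,<export> [args]"; the comma may be glued to the path.
            m = re.match(r"(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", " ".join(args), re.IGNORECASE)
            if m and USER_WRITABLE.search(m["dll"]):
                findings.append({"pid": e["pid"], "rule": "rundll32-userland-dll",
                                 "detail": f"{m['dll']} export {m['export']}"})

        if name == "werfault.exe" and "-p" in args:
            crashed = int(args[args.index("-p") + 1])
            findings.append({"pid": e["pid"], "rule": "crash",
                             "detail": f"pid {crashed} ({by_pid.get(crashed, {}).get('image', '?')}) crashed"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['pid']:>5}  {f['rule']:<28}  {f['detail']}")
```

On the records above this yields two wow64-redirect findings (PIDs 4644 and 4896), one minute-interval task pointing at the Temp copy of gntuud.exe, one rundll32 load of cred64.dll with export Main, and one crash tied to PID 2524. The user-writable directory list and the switch parsing are deliberately simple; a production rule would also cover schtasks /Change and /XML and the rundll32 forms that omit the export name.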
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe
  Filesize: 175KB
  MD5: 3b6246132b7fb972ed877b79d700e32e
  SHA1: af68ac119ccce9c7be5aeefa1e86102ee4019ebb
  SHA256: 4743bad8f6939aa7645a043208010c2a9e75fbbcbbc8ca597a0c2a74ce7b6cc0
  SHA512: 03573c63e3d03d89d2a2971d761d33e8d89895680ae8b7e5ceb3a78c8582666f8a300aad4c6c4a7c1cd118ac774ffce03053c96a57df9e66a02773111dbcfcca
- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe (hashes identical to the submitted sample: a self-copy)
  Filesize: 359KB
  MD5: 6b9df39ff3bc394a9aa4ca61ed44c281
  SHA1: 0493642d0e978c91463716a6e2a0ac2efe4f4bef
  SHA256: f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16
  SHA512: a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 98cc0f811ad5ff43fedc262961002498
  SHA1: 37e48635fcef35c0b3db3c1f0c35833899eb53d8
  SHA256: 62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
  SHA512: d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Memory dumps
- memory/1484-143-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/1484-138-0x0000000000723000-0x0000000000742000-memory.dmp  Filesize: 124KB
- memory/1484-139-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/1484-135-0x0000000000000000-mapping.dmp
- memory/2524-141-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/2524-140-0x00000000005F2000-0x0000000000611000-memory.dmp  Filesize: 124KB
- memory/2524-132-0x00000000005F2000-0x0000000000611000-memory.dmp  Filesize: 124KB
- memory/2524-134-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/2524-133-0x00000000001C0000-0x00000000001FE000-memory.dmp  Filesize: 248KB
- memory/4644-142-0x0000000000000000-mapping.dmp
- memory/4832-150-0x0000000000714000-0x0000000000733000-memory.dmp  Filesize: 124KB
- memory/4832-151-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
- memory/4856-148-0x0000000000000000-mapping.dmp
- memory/4856-153-0x0000000000FD0000-0x0000000001002000-memory.dmp  Filesize: 200KB
- memory/4896-144-0x0000000000000000-mapping.dmp
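Two checks are worth running on indicators like the ones above before they go into a blocklist or a report. The following Python is an added example, not tooling from the sandbox, working on the dropped-file and memory-dump records re-typed here as constructed data: it groups dropped files by SHA-256 so the sample's self-copy (gntuud.exe) is not counted as a new payload, decodes each dump's address range from its name to confirm the listed size (the report's KB is 1024 bytes, so 0x400000-0x45E000 is exactly 376KB), and reports the same region dumped from more than one process, which is how the main image of the sample and of its copy show up.

```python
import re
from typing import Dict, List, Optional, Tuple

# Dropped files as listed in the Downloads section, one entry per unique path:
# (path, stated size, SHA-256). Constructed from the report, not fetched anywhere.
DROPPED: List[Tuple[str, str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\1000028001\wish.exe", "175KB",
     "4743bad8f6939aa7645a043208010c2a9e75fbbcbbc8ca597a0c2a74ce7b6cc0"),
    (r"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe", "359KB",
     "f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16"),
    (r"C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll", "126KB",
     "62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be"),
]
SAMPLE_SHA256 = "f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16"

# A subset of the memory dump names and stated sizes, copied from the report.
DUMPS: List[Tuple[str, Optional[str]]] = [
    ("memory/2524-133-0x00000000001C0000-0x00000000001FE000-memory.dmp", "248KB"),
    ("memory/2524-134-0x0000000000400000-0x000000000045E000-memory.dmp", "376KB"),
    ("memory/1484-138-0x0000000000723000-0x0000000000742000-memory.dmp", "124KB"),
    ("memory/1484-143-0x0000000000400000-0x000000000045E000-memory.dmp", "376KB"),
    ("memory/4856-153-0x0000000000FD0000-0x0000000001002000-memory.dmp", "200KB"),
    ("memory/4896-144-0x0000000000000000-mapping.dmp", None),
]

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp")


def kib(size: str) -> int:
    """'376KB' -> bytes; the report's KB is 1024 bytes (376*1024 == 0x5E000)."""
    return int(size[:-2]) * 1024


def classify_dropped(records, sample_sha256: str) -> Dict[str, List[str]]:
    """Split dropped files into self-copies of the sample and genuinely new payloads."""
    out: Dict[str, List[str]] = {"self_copy": [], "new_payload": []}
    for path, _size, sha in records:
        out["self_copy" if sha == sample_sha256 else "new_payload"].append(path)
    return out


def parse_dump(name: str) -> Dict:
    """Decode pid, sequence number, kind and address range from a dump file name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end is not None else 0}


def check_dumps(dumps) -> List[Tuple[str, bool]]:
    """True when end-start equals the stated size; mapping dumps carry no range."""
    results = []
    for name, stated in dumps:
        d = parse_dump(name)
        ok = d["kind"] == "mapping" if stated is None else d["size"] == kib(stated)
        results.append((name, ok))
    return results


def shared_regions(dumps) -> Dict[Tuple[int, int], List[int]]:
    """Group dumps by address range; one range seen in several pids is the same
    image (here the main module at 0x400000 in the sample and in its copy)."""
    groups: Dict[Tuple[int, int], List[int]] = {}
    for name, _ in dumps:
        d = parse_dump(name)
        if d["end"] is not None:
            groups.setdefault((d["start"], d["end"]), []).append(d["pid"])
    return groups


if __name__ == "__main__":
    print(classify_dropped(DROPPED, SAMPLE_SHA256))
    for name, ok in check_dumps(DUMPS):
        print("OK " if ok else "BAD", name)
    for (s, e), pids in shared_regions(DUMPS).items():
        if len(pids) > 1:
            print(f"0x{s:X}-0x{e:X} dumped from pids {pids}")
```

The in-memory image at 0x400000 (376KB) is larger than the 359KB file on disk because sections are mapped at their virtual alignment, so comparing a dump's size to the dropped file's size directly would be a false mismatch; the range check above compares the dump against its own stated size instead.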