Analysis
- max time kernel: 315s
- max time network: 370s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 05:42
Static task: static1
Behavioral task behavioral1: sample file.exe, resource win7-20220901-en
Behavioral task behavioral2: sample file.exe, resource win10v2004-20221111-en
General
- Target: file.exe
- Size: 359KB
- MD5: 6b9df39ff3bc394a9aa4ca61ed44c281
- SHA1: 0493642d0e978c91463716a6e2a0ac2efe4f4bef
- SHA256: f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16
- SHA512: a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327
- SSDEEP: 6144:G9X5jyr2LSFHl90ezQ5louvgclYgHq50TScoCF:G9XVyyeFHl901TnHq52FxF
Malware Config
Extracted: amadey
- Version: 3.50
- C2: 62.204.41.6/p9cWxH/index.php
Extracted: redline
- Botnet: 7777777
- C2: 185.106.92.214:2510
- auth_value: 963a3fad67ade8410f4a236f4101f611
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process): 4912 gntuud.exe; 1584 anon.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  Key value queried, \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation, file.exe
  Key value queried, \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation, gntuud.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process): 440, 4868, WerFault.exe, file.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process), each row recorded three times:
  PID 4868 wrote to memory of 4912, 4868, file.exe, gntuud.exe
  PID 4912 wrote to memory of 2056, 4912, gntuud.exe, schtasks.exe
  PID 4912 wrote to memory of 2436, 4912, gntuud.exe, rundll32.exe
  PID 4912 wrote to memory of 1584, 4912, gntuud.exe, anon.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    - C:\Users\Admin\AppData\Local\Temp\1000010001\anon.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000010001\anon.exe"
      - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 868
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4868 -ip 4868
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000010001\anon.exe
  Filesize: 175KB
  MD5: 3f52500b3f5b5c3fd52472cc3c82732e
  SHA1: 2f6ad3c03bb75104395c13f24f71a2292071c93b
  SHA256: 7d1b267f53db09f05ccf77a35c93abeb4918f76e1439cc049074845271b10ec2
  SHA512: c65978b53a8a60035bb2ee368bf7f6d5e8b195f0e99aec027320d95eaa037b255349b226db5f7412014f847f45b8cb75f462ab52049ac8f9b9292ca01df9456a
- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  Filesize: 359KB
  MD5: 6b9df39ff3bc394a9aa4ca61ed44c281
  SHA1: 0493642d0e978c91463716a6e2a0ac2efe4f4bef
  SHA256: f05c005e82478b0723820d5b21d23dd97a47513758323a7e1df581a5f0112c16
  SHA512: a5ec256c0d56825487643e14c83aec5912047c2f3c69087fcbbc8ba9e7728d3a45e6c3ffac40c070f515cbbf572ddb60ffaa2cc4f8605d6432862407dde2e327
- memory/1584-144-0x0000000000000000-mapping.dmp
- memory/2056-142-0x0000000000000000-mapping.dmp
- memory/2436-143-0x0000000000000000-mapping.dmp
- memory/4868-133-0x00000000001C0000-0x00000000001FE000-memory.dmp (Filesize: 248KB)
- memory/4868-134-0x0000000000553000-0x0000000000572000-memory.dmp (Filesize: 124KB)
- memory/4868-132-0x0000000000553000-0x0000000000572000-memory.dmp (Filesize: 124KB)
- memory/4868-138-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/4912-135-0x0000000000000000-mapping.dmp
- memory/4912-141-0x0000000000400000-0x000000000045E000-memory.dmp (Filesize: 376KB)
- memory/4912-140-0x00000000001C0000-0x00000000001FE000-memory.dmp (Filesize: 248KB)
- memory/4912-139-0x0000000000763000-0x0000000000782000-memory.dmp (Filesize: 124KB)