Analysis
max time kernel: 129s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 08:05
Static task: static1
Behavioral task: behavioral1
Sample: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe
Resource: win10v2004-20220812-en
General
Target: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe
Size: 358KB
MD5: 9aa75e68077b6931ceb2614e8c4398ab
SHA1: a1004d12ab58eb3716ec1a427be7d7beffac5529
SHA256: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd
SHA512: 816d6c3511293bf83c7e39c12bea88e067285bd2977395a2f80a238eb276f24fd44f9cf41e50d692f0ea7a70b7e4c067b2bb438420f93b81e259a3eac8b5f855
SSDEEP: 6144:NoHGyQyL3QzpZeQ50O4IV9FuyHJAkavffVN+F:Nomy7jQzpZx0O59s+JAdVN+F
Malware Config
Extracted: amadey
  3.50
  77.73.133.72/hfk3vK9/index.php
Extracted: redline
  @2023@
  193.106.191.138:32796
  auth_value: ca057e5baadfd0774a34a6a949cd5e69
Signatures
Detect Amadey credential stealer module (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll | amadey_cred_module
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  43 | 2364 | rundll32.exe
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  1372 | gntuud.exe
  116 | softx64.exe
  4608 | gntuud.exe
  4564 | gntuud.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | gntuud.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe
Loads dropped DLL (1 IoC)
Processes:
  pid | process
  2364 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Uses the VBS compiler for execution (1 TTP)
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\softx64.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000014001\\softx64.exe" | gntuud.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 116 set thread context of 4212 | 116 | softx64.exe | vbc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (4 IoCs)
Processes:
  pid | pid_target | process | target process
  1664 | 4772 | WerFault.exe | ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe
  3608 | 116 | WerFault.exe | softx64.exe
  1960 | 4608 | WerFault.exe | gntuud.exe
  4332 | 4564 | WerFault.exe | gntuud.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid | process
  2364 | rundll32.exe
  2364 | rundll32.exe
  2364 | rundll32.exe
  2364 | rundll32.exe
  4212 | vbc.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4212 | vbc.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description | pid | process | target process
  PID 4772 wrote to memory of 1372 | 4772 | ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe | gntuud.exe (3 entries)
  PID 1372 wrote to memory of 824 | 1372 | gntuud.exe | schtasks.exe (3 entries)
  PID 1372 wrote to memory of 116 | 1372 | gntuud.exe | softx64.exe (3 entries)
  PID 116 wrote to memory of 4212 | 116 | softx64.exe | vbc.exe (5 entries)
  PID 1372 wrote to memory of 2364 | 1372 | gntuud.exe | rundll32.exe (3 entries)
outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe" /F
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 440
        - Program crash
    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1136
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4772 -ip 4772
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 116 -ip 116
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 416
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4608 -ip 4608
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 416
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4564 -ip 4564
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\1000014001\softx64.exe
  Filesize: 277KB
  MD5: eaaf6526f8907fe5aaaa2f5d8274422e
  SHA1: 84bfbc9a8f30999f907d9f5edd636ac66e3f384b
  SHA256: f83528450d2b2bb3928544fa48583a76e93e09bf384a0d58e8e4990a1405b43d
  SHA512: fad1c0898fa326a394f8d5d97096e6b1a11bed0efb8ca82a804d2bf18b58418f586c0e79e095497fc9bc7eb5e24812108142fd73015331995a9093f35209b8de
C:\Users\Admin\AppData\Local\Temp\ecaac49691\gntuud.exe
  Filesize: 358KB
  MD5: 9aa75e68077b6931ceb2614e8c4398ab
  SHA1: a1004d12ab58eb3716ec1a427be7d7beffac5529
  SHA256: ff367726c451ef7599cee67a51badaf6c96019165d55b2b5fbf4598502335efd
  SHA512: 816d6c3511293bf83c7e39c12bea88e067285bd2977395a2f80a238eb276f24fd44f9cf41e50d692f0ea7a70b7e4c067b2bb438420f93b81e259a3eac8b5f855
C:\Users\Admin\AppData\Roaming\f49dfc5e4e2508\cred64.dll
  Filesize: 126KB
  MD5: 349b2b47fef50fa6a1fc19d0ee4b2db8
  SHA1: 077f4328b3f060a9f010b1a63d9e127d24ddafd4
  SHA256: 5cd41f164de6f783b7da82b5f6dbd49413eccd87cc7470f2004d58ca081fb0e0
  SHA512: 83fd58be4c0051ed05b7a03443d256d52f09206d2f433bd302c9e9e3780b9d472e823aed1db01b5052dc8fdc63a4352beac9e399858a8252c057f11cf2bd1773
memory/116-145-0x0000000000000000-mapping.dmp
memory/824-144-0x0000000000000000-mapping.dmp
memory/1372-143-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/1372-155-0x0000000000460000-0x0000000000560000-memory.dmp  Filesize: 1024KB
memory/1372-142-0x0000000000460000-0x0000000000560000-memory.dmp  Filesize: 1024KB
memory/1372-136-0x0000000000000000-mapping.dmp
memory/1372-156-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/2364-164-0x0000000000000000-mapping.dmp
memory/4212-161-0x0000000007D20000-0x0000000007D5C000-memory.dmp  Filesize: 240KB
memory/4212-171-0x0000000008980000-0x0000000008EAC000-memory.dmp  Filesize: 5.2MB
memory/4212-149-0x0000000000000000-mapping.dmp
memory/4212-157-0x0000000005AC0000-0x00000000060D8000-memory.dmp  Filesize: 6.1MB
memory/4212-158-0x0000000005950000-0x0000000005A5A000-memory.dmp  Filesize: 1.0MB
memory/4212-159-0x0000000007470000-0x0000000007482000-memory.dmp  Filesize: 72KB
memory/4212-150-0x0000000000570000-0x00000000005A2000-memory.dmp  Filesize: 200KB
memory/4212-169-0x0000000000A20000-0x0000000000A86000-memory.dmp  Filesize: 408KB
memory/4212-168-0x0000000007EA0000-0x0000000008444000-memory.dmp  Filesize: 5.6MB
memory/4212-167-0x0000000000EB0000-0x0000000000F42000-memory.dmp  Filesize: 584KB
memory/4212-170-0x00000000076F0000-0x00000000078B2000-memory.dmp  Filesize: 1.8MB
memory/4564-174-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/4564-173-0x00000000007B4000-0x00000000007D3000-memory.dmp  Filesize: 124KB
memory/4608-163-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/4608-162-0x0000000000674000-0x0000000000693000-memory.dmp  Filesize: 124KB
memory/4772-140-0x0000000000460000-0x0000000000560000-memory.dmp  Filesize: 1024KB
memory/4772-135-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/4772-141-0x0000000000630000-0x000000000066E000-memory.dmp  Filesize: 248KB
memory/4772-134-0x0000000000630000-0x000000000066E000-memory.dmp  Filesize: 248KB
memory/4772-148-0x0000000000400000-0x000000000045E000-memory.dmp  Filesize: 376KB
memory/4772-133-0x0000000000460000-0x0000000000560000-memory.dmp  Filesize: 1024KB