Analysis
-
max time kernel
125s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17/12/2022, 12:24
General
-
Target
06d029aae48062ad1278b32434d9a96e517decc85ebec7c252e6ab06ea571907.exe
-
Size
274KB
-
MD5
9c57753557ed258d731987834c56fa4c
-
SHA1
eca22a5499bffac8f1c486bc6a3c9a466ae6c783
-
SHA256
06d029aae48062ad1278b32434d9a96e517decc85ebec7c252e6ab06ea571907
-
SHA512
372c2b1deb6e912670d46ac3efc03c6dc124d3d01d4f4189df81f6c5630c3ecb9d6c6dbd6d9e457663d8ff99878f96b03afb59e705491fbf3d9eb86596900087
-
SSDEEP
6144:CwsBLXJtgdJPtJOmEph6xQzrIwQ5eg3Cm4U0VB:CwoVaTWmE2SzrjM5SmtO
Malware Config
Extracted
amadey
3.60
62.204.41.79/fb73jc3/index.php
Extracted
redline
Upadated.999
185.106.92.214:27015
-
auth_value
a6d503c1c63820e9c4a9b5de84087f3f
Extracted
amadey
3.50
31.41.244.237/jg94cVd30f/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 4 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\06d029aae48062ad1278b32434d9a96e517decc85ebec7c252e6ab06ea571907.exe"C:\Users\Admin\AppData\Local\Temp\06d029aae48062ad1278b32434d9a96e517decc85ebec7c252e6ab06ea571907.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "Admin:N"&&CACLS "..\2c33368f7d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\2c33368f7d" /P "Admin:N"4⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\2c33368f7d" /P "Admin:R" /E4⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000002051\joker.exe"C:\Users\Admin\AppData\Local\Temp\1000002051\joker.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 16484⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000004051\anon.exe"C:\Users\Admin\AppData\Local\Temp\1000004051\anon.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1000006051\saiwer.exe"C:\Users\Admin\AppData\Local\Temp\1000006051\saiwer.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E6⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9c69749b54" /P "Admin:N"6⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9c69749b54" /P "Admin:R" /E6⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000012001\joker.exe"C:\Users\Admin\AppData\Local\Temp\1000012001\joker.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 12486⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 9042⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4612 -ip 46121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1132 -ip 11321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3104 -ip 31041⤵
-
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exeC:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exeC:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD56280633c9acfd9ed67906bada1d0b408
SHA11183fe166d8a5d047137373857e8c41980548608
SHA2563d41d4ebf421ffe0784df18be73d2b0509f71f71c1e77aae8f42c0ebacae1c1c
SHA5127eb02593a335e2be440d07109e37e6714974e3b54f48ee4865d923f3bc08d0bac3492151c11086c8e2e0823f3fa68fb74818c964a3ba5c3289416977a9ee0980
-
Filesize
334KB
MD522452f46bb0efaca76266d3143d685f5
SHA13256e837001765fd9201681c1135d74bee6956de
SHA256c3a353cc295a948723fecef9ff8beef2f6e620a36864fde51d7fa60ed21d55e3
SHA512594a01d2db68b040d7b0349d4210339fca5bf73ee94117b7d1e15db8e8de242ac1896af2818d146e6657af8eb11f64631b906fc56f4059f226e08241e73de05a
-
Filesize
334KB
MD522452f46bb0efaca76266d3143d685f5
SHA13256e837001765fd9201681c1135d74bee6956de
SHA256c3a353cc295a948723fecef9ff8beef2f6e620a36864fde51d7fa60ed21d55e3
SHA512594a01d2db68b040d7b0349d4210339fca5bf73ee94117b7d1e15db8e8de242ac1896af2818d146e6657af8eb11f64631b906fc56f4059f226e08241e73de05a
-
Filesize
334KB
MD522452f46bb0efaca76266d3143d685f5
SHA13256e837001765fd9201681c1135d74bee6956de
SHA256c3a353cc295a948723fecef9ff8beef2f6e620a36864fde51d7fa60ed21d55e3
SHA512594a01d2db68b040d7b0349d4210339fca5bf73ee94117b7d1e15db8e8de242ac1896af2818d146e6657af8eb11f64631b906fc56f4059f226e08241e73de05a
-
Filesize
337KB
MD59009ad04b331e8d32b0c518dd6874c94
SHA19ae4cac69ff706ba4d80847a51a30ad34ddf29c6
SHA256b3419f26d63c40050e577e64a6210bf1a9e5ceb8a9205b982d5eaa44191bf24d
SHA512a1f5e2b12f696c37bdeb26f4f6a729b23bff79305c1e12b75d401e371102cc7db8cbbb625b273e29c7a1330bed374338fcc19a7d2efc1dd2241adc13757ec9aa
-
Filesize
337KB
MD59009ad04b331e8d32b0c518dd6874c94
SHA19ae4cac69ff706ba4d80847a51a30ad34ddf29c6
SHA256b3419f26d63c40050e577e64a6210bf1a9e5ceb8a9205b982d5eaa44191bf24d
SHA512a1f5e2b12f696c37bdeb26f4f6a729b23bff79305c1e12b75d401e371102cc7db8cbbb625b273e29c7a1330bed374338fcc19a7d2efc1dd2241adc13757ec9aa
-
Filesize
241KB
MD5369321f33d5ffaeeadb4da9f33c78156
SHA1fe82623db9ce76ab210c510ac969add839795612
SHA2565c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
SHA512635df1c74d13a2de4021e9700296e2d367ccc3cf89bbb2923e8a874c46324742ec077a9958dee6a13b336a75ff6d44271f109c66b70f00d0ffd3cc7a0d0ed5f7
-
Filesize
241KB
MD5369321f33d5ffaeeadb4da9f33c78156
SHA1fe82623db9ce76ab210c510ac969add839795612
SHA2565c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
SHA512635df1c74d13a2de4021e9700296e2d367ccc3cf89bbb2923e8a874c46324742ec077a9958dee6a13b336a75ff6d44271f109c66b70f00d0ffd3cc7a0d0ed5f7
-
Filesize
334KB
MD522452f46bb0efaca76266d3143d685f5
SHA13256e837001765fd9201681c1135d74bee6956de
SHA256c3a353cc295a948723fecef9ff8beef2f6e620a36864fde51d7fa60ed21d55e3
SHA512594a01d2db68b040d7b0349d4210339fca5bf73ee94117b7d1e15db8e8de242ac1896af2818d146e6657af8eb11f64631b906fc56f4059f226e08241e73de05a
-
Filesize
334KB
MD522452f46bb0efaca76266d3143d685f5
SHA13256e837001765fd9201681c1135d74bee6956de
SHA256c3a353cc295a948723fecef9ff8beef2f6e620a36864fde51d7fa60ed21d55e3
SHA512594a01d2db68b040d7b0349d4210339fca5bf73ee94117b7d1e15db8e8de242ac1896af2818d146e6657af8eb11f64631b906fc56f4059f226e08241e73de05a
-
Filesize
274KB
MD59c57753557ed258d731987834c56fa4c
SHA1eca22a5499bffac8f1c486bc6a3c9a466ae6c783
SHA25606d029aae48062ad1278b32434d9a96e517decc85ebec7c252e6ab06ea571907
SHA512372c2b1deb6e912670d46ac3efc03c6dc124d3d01d4f4189df81f6c5630c3ecb9d6c6dbd6d9e457663d8ff99878f96b03afb59e705491fbf3d9eb86596900087
-
Filesize
274KB
MD59c57753557ed258d731987834c56fa4c
SHA1eca22a5499bffac8f1c486bc6a3c9a466ae6c783
SHA25606d029aae48062ad1278b32434d9a96e517decc85ebec7c252e6ab06ea571907
SHA512372c2b1deb6e912670d46ac3efc03c6dc124d3d01d4f4189df81f6c5630c3ecb9d6c6dbd6d9e457663d8ff99878f96b03afb59e705491fbf3d9eb86596900087
-
Filesize
241KB
MD5369321f33d5ffaeeadb4da9f33c78156
SHA1fe82623db9ce76ab210c510ac969add839795612
SHA2565c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
SHA512635df1c74d13a2de4021e9700296e2d367ccc3cf89bbb2923e8a874c46324742ec077a9958dee6a13b336a75ff6d44271f109c66b70f00d0ffd3cc7a0d0ed5f7
-
Filesize
241KB
MD5369321f33d5ffaeeadb4da9f33c78156
SHA1fe82623db9ce76ab210c510ac969add839795612
SHA2565c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
SHA512635df1c74d13a2de4021e9700296e2d367ccc3cf89bbb2923e8a874c46324742ec077a9958dee6a13b336a75ff6d44271f109c66b70f00d0ffd3cc7a0d0ed5f7
-
Filesize
241KB
MD5369321f33d5ffaeeadb4da9f33c78156
SHA1fe82623db9ce76ab210c510ac969add839795612
SHA2565c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
SHA512635df1c74d13a2de4021e9700296e2d367ccc3cf89bbb2923e8a874c46324742ec077a9958dee6a13b336a75ff6d44271f109c66b70f00d0ffd3cc7a0d0ed5f7
-
Filesize
241KB
MD5369321f33d5ffaeeadb4da9f33c78156
SHA1fe82623db9ce76ab210c510ac969add839795612
SHA2565c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
SHA512635df1c74d13a2de4021e9700296e2d367ccc3cf89bbb2923e8a874c46324742ec077a9958dee6a13b336a75ff6d44271f109c66b70f00d0ffd3cc7a0d0ed5f7
-
Filesize
126KB
MD5c0fd0167e213b6148333351bd16ed1fb
SHA11cfb2b42686557656dead53e02d1db3f2a848026
SHA256c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b
SHA512d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9
-
Filesize
126KB
MD5c0fd0167e213b6148333351bd16ed1fb
SHA11cfb2b42686557656dead53e02d1db3f2a848026
SHA256c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b
SHA512d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9
-
Filesize
126KB
MD59995abf2f401e4945a7d2930a3727619
SHA17715e14ad6e4adf609c62c5812419800343fbd4f
SHA256d35b5dd18d91dbfe3dc89cb75b6a26757777b5c52a33cd8fcf6e5ed45a946f1a
SHA51242726fb602958594914b5bc936aff36833823f9f9da9bc80a46579d96cec12c7df070c174ec9dd82c21f2fe44f1e9a4a2e50d9944fea6379dbdec666727a7eda
-
Filesize
126KB
MD59995abf2f401e4945a7d2930a3727619
SHA17715e14ad6e4adf609c62c5812419800343fbd4f
SHA256d35b5dd18d91dbfe3dc89cb75b6a26757777b5c52a33cd8fcf6e5ed45a946f1a
SHA51242726fb602958594914b5bc936aff36833823f9f9da9bc80a46579d96cec12c7df070c174ec9dd82c21f2fe44f1e9a4a2e50d9944fea6379dbdec666727a7eda
-
Filesize
6.1MB
-
Filesize
320KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
500KB
-
Filesize
500KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
184KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
300KB
-
Filesize
360KB
-
Filesize
500KB
-
Filesize
184KB
-
Filesize
500KB
-
Filesize
440KB
-
Filesize
124KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
1024KB
-
Filesize
248KB
-
Filesize
440KB