Analysis
-
max time kernel
107s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
02/03/2023, 23:09
General
-
Target
c498a6f4c7e5212ee351ec93c39e848608373b8c2f0c2e375de0ace168490511.exe
-
Size
892KB
-
MD5
70687c408bc9222e36240c13fd046e09
-
SHA1
507e0803d60d0c93a93fba19806ed0e3a8551fe6
-
SHA256
c498a6f4c7e5212ee351ec93c39e848608373b8c2f0c2e375de0ace168490511
-
SHA512
e864dd9a5b1f5d94dd437e720db54d3bfd6221db7f65d4d896e4a10caefdccc60826f88c090f4d0c5c60c651184253df0dccacd25c65a68c435a6f58f30cae75
-
SSDEEP
24576:1y/LGgyTmIS4zvS8pNm7H28g9sIJlbm4euZBv:Q6SCNm7H2hpUHuZ
Malware Config
Extracted
redline
ruzhpe
pepunn.com:4162
-
auth_value
f735ced96ae8d01d0bd1d514240e54e0
Extracted
amadey
3.68
193.233.20.25/buH5N004d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c498a6f4c7e5212ee351ec93c39e848608373b8c2f0c2e375de0ace168490511.exe"C:\Users\Admin\AppData\Local\Temp\c498a6f4c7e5212ee351ec93c39e848608373b8c2f0c2e375de0ace168490511.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptRC8809zK.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptRC8809zK.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptCF4061gZ.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptCF4061gZ.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bens34Du57.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bens34Du57.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 10765⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctFt09GS07.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctFt09GS07.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk89ys47wN68.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk89ys47wN68.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 19204⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxfv18MN99.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxfv18MN99.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3764 -ip 37641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1164 -ip 11641⤵
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
235KB
MD5fd9ddeb2b4100607677ead9011f415e7
SHA1c112580e21e2f7854a2ecb182ee648f191ccd855
SHA256cbc458b82afd0babaa5fa037c9e93df3e288ed7c5312628ac9bcb24b5045694a
SHA51234bc413695395ba438255839096ece067dde50fe3b93a4dec75ec36d4512ea1f4aeaf1cb739d26e28677306fef766e3730af85bdbe13127cb934a77d95f06711
-
Filesize
705KB
MD51c86c6665c50e030e13ef34a9f74a6bf
SHA1bf402ec9a5813381cf9e626f90a6f4afe1631cc8
SHA2560509503ff72dd449a8d4d1bab9d52a7ad063eae658c6921c0c00d40c0e730e63
SHA5123690c91c11b900841cc3b9186858b0b45d5b620b2e85b28f3f9e00dce223e6784d55a77dd9c5f355b16540e8c93646abc36de3d307081e6928fbe396dbca1659
-
Filesize
705KB
MD51c86c6665c50e030e13ef34a9f74a6bf
SHA1bf402ec9a5813381cf9e626f90a6f4afe1631cc8
SHA2560509503ff72dd449a8d4d1bab9d52a7ad063eae658c6921c0c00d40c0e730e63
SHA5123690c91c11b900841cc3b9186858b0b45d5b620b2e85b28f3f9e00dce223e6784d55a77dd9c5f355b16540e8c93646abc36de3d307081e6928fbe396dbca1659
-
Filesize
410KB
MD5cc1e39c942634bbd04ef3eb880af3cb4
SHA1390ee64e70074c204d8c7fc736e69b91940375bc
SHA25698f330627fe244da794aa21cd74d45861fab6d06f9fedc1bcc02eaf434adacec
SHA512f66cac5ccd3318e7c9baca955b64b22f9cb96693557dcf13a7e334878a0e3c2bc18f1757432b78b6c06c28c91881fb2436fc0641f6eb75a57167a4254cb470d2
-
Filesize
410KB
MD5cc1e39c942634bbd04ef3eb880af3cb4
SHA1390ee64e70074c204d8c7fc736e69b91940375bc
SHA25698f330627fe244da794aa21cd74d45861fab6d06f9fedc1bcc02eaf434adacec
SHA512f66cac5ccd3318e7c9baca955b64b22f9cb96693557dcf13a7e334878a0e3c2bc18f1757432b78b6c06c28c91881fb2436fc0641f6eb75a57167a4254cb470d2
-
Filesize
353KB
MD5c4be8e6ec96f4a778c1163e780475274
SHA1289ce50b59a34553dfdf00065f15f40e166a22f1
SHA2569e7f0c95d92d3272c0b7c2a60cda789019fa4d22e97c53c4586e5056c24287bc
SHA5125a3438011f5bfb77213d413f463270b82eaf6f51382b5298e0d66e9faa8b1bcde272335456a441e11bdddcaab55f37647782c1b142fd823f348c723112bfb5d3
-
Filesize
353KB
MD5c4be8e6ec96f4a778c1163e780475274
SHA1289ce50b59a34553dfdf00065f15f40e166a22f1
SHA2569e7f0c95d92d3272c0b7c2a60cda789019fa4d22e97c53c4586e5056c24287bc
SHA5125a3438011f5bfb77213d413f463270b82eaf6f51382b5298e0d66e9faa8b1bcde272335456a441e11bdddcaab55f37647782c1b142fd823f348c723112bfb5d3
-
Filesize
352KB
MD56345b3da7da3d9a3012ba87a252a29f6
SHA1a36f23e5d0802652705df132bce0a8589ff5e7bf
SHA256caf994d14f8b0767df1e38508af9bb7816673aa0b6fc7fbf591a135e3173b7df
SHA5123d82f717809ab81fa0fdb60d262af1547d12a69331b755d02ec94a250f4e25c5aa1adc910381e91bf4d9b32aa8f281f1252e5912068d0378461890a5893fae82
-
Filesize
352KB
MD56345b3da7da3d9a3012ba87a252a29f6
SHA1a36f23e5d0802652705df132bce0a8589ff5e7bf
SHA256caf994d14f8b0767df1e38508af9bb7816673aa0b6fc7fbf591a135e3173b7df
SHA5123d82f717809ab81fa0fdb60d262af1547d12a69331b755d02ec94a250f4e25c5aa1adc910381e91bf4d9b32aa8f281f1252e5912068d0378461890a5893fae82
-
Filesize
12KB
MD5fa9903abc912758961625bf9a4ea3df3
SHA12f4c00bb09ff4274e3dc268c11a2c7276f9f2d86
SHA2560a962f70fdaf02d6d60ee66a6df9c23c6fb6abca9945d02ef452fb6dc9549a66
SHA51297053aefc06020f0e9673ef7ae0d77f1ec38ac372fd4960bd9ee71dca7d38396aa3f7b4177a2564a5df8c85d12d2d57619b92056dcbe054056acdc0e32c1f633
-
Filesize
12KB
MD5fa9903abc912758961625bf9a4ea3df3
SHA12f4c00bb09ff4274e3dc268c11a2c7276f9f2d86
SHA2560a962f70fdaf02d6d60ee66a6df9c23c6fb6abca9945d02ef452fb6dc9549a66
SHA51297053aefc06020f0e9673ef7ae0d77f1ec38ac372fd4960bd9ee71dca7d38396aa3f7b4177a2564a5df8c85d12d2d57619b92056dcbe054056acdc0e32c1f633
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
39.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
39.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
5.6MB