Analysis
-
max time kernel
156s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-03-2023 03:57
General
-
Target
4f7a2ac9a5310d6e0f616710bf2282f3b5170eab7cba197d317ac76fde76593a.exe
-
Size
893KB
-
MD5
0c5bb6c45ea36be0c726967c453f2a0b
-
SHA1
196792bcbb80abb18b5a2f93639dd516db2de2ae
-
SHA256
4f7a2ac9a5310d6e0f616710bf2282f3b5170eab7cba197d317ac76fde76593a
-
SHA512
883c68323e4062a47d2ed279a2711d97a4794f42bbec19c62a8a6db1fead9305faa2bae0047282f608739a1b0e52a02ad1ca64306e4cd6ba6f29de64299468d9
-
SSDEEP
12288:JMrTy90cSsROU4Axe6PzKDVsA3//QAPOkUxb/s9Nr50MrAoi1shpl7XYPmY0jJri:qyt4x6bKZZVOZ+99nPlLemXjJ4ci7
Malware Config
Extracted
redline
ruzhpe
pepunn.com:4162
-
auth_value
f735ced96ae8d01d0bd1d514240e54e0
Extracted
amadey
3.68
193.233.20.25/buH5N004d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 18 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f7a2ac9a5310d6e0f616710bf2282f3b5170eab7cba197d317ac76fde76593a.exe"C:\Users\Admin\AppData\Local\Temp\4f7a2ac9a5310d6e0f616710bf2282f3b5170eab7cba197d317ac76fde76593a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptrX3338md.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptrX3338md.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptVM1559Ko.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptVM1559Ko.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beje80Id65.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beje80Id65.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 10885⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctyp22hK85.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ctyp22hK85.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk16ak67iz41.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk16ak67iz41.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 18804⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxOD66QJ89.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxOD66QJ89.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1764 -ip 17641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3112 -ip 31121⤵
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD5513e4588b68bee2eacebae851163d4dd
SHA16a3eab74218169130515962d268aa8084ba82a09
SHA256637eb72a9e8c6a73637324a252fd4a04e220e6a9c010279eeea4e5324b743950
SHA5129d38a48ed651bdf5a2999facdbfcea5c004de777f911b37f317389779c6e4e63d08b6170d607f53b294db09473a9c619f25358d4fc442b8113a32f10378a342d
-
Filesize
235KB
MD5513e4588b68bee2eacebae851163d4dd
SHA16a3eab74218169130515962d268aa8084ba82a09
SHA256637eb72a9e8c6a73637324a252fd4a04e220e6a9c010279eeea4e5324b743950
SHA5129d38a48ed651bdf5a2999facdbfcea5c004de777f911b37f317389779c6e4e63d08b6170d607f53b294db09473a9c619f25358d4fc442b8113a32f10378a342d
-
Filesize
235KB
MD5513e4588b68bee2eacebae851163d4dd
SHA16a3eab74218169130515962d268aa8084ba82a09
SHA256637eb72a9e8c6a73637324a252fd4a04e220e6a9c010279eeea4e5324b743950
SHA5129d38a48ed651bdf5a2999facdbfcea5c004de777f911b37f317389779c6e4e63d08b6170d607f53b294db09473a9c619f25358d4fc442b8113a32f10378a342d
-
Filesize
235KB
MD5513e4588b68bee2eacebae851163d4dd
SHA16a3eab74218169130515962d268aa8084ba82a09
SHA256637eb72a9e8c6a73637324a252fd4a04e220e6a9c010279eeea4e5324b743950
SHA5129d38a48ed651bdf5a2999facdbfcea5c004de777f911b37f317389779c6e4e63d08b6170d607f53b294db09473a9c619f25358d4fc442b8113a32f10378a342d
-
Filesize
235KB
MD5513e4588b68bee2eacebae851163d4dd
SHA16a3eab74218169130515962d268aa8084ba82a09
SHA256637eb72a9e8c6a73637324a252fd4a04e220e6a9c010279eeea4e5324b743950
SHA5129d38a48ed651bdf5a2999facdbfcea5c004de777f911b37f317389779c6e4e63d08b6170d607f53b294db09473a9c619f25358d4fc442b8113a32f10378a342d
-
Filesize
235KB
MD5513e4588b68bee2eacebae851163d4dd
SHA16a3eab74218169130515962d268aa8084ba82a09
SHA256637eb72a9e8c6a73637324a252fd4a04e220e6a9c010279eeea4e5324b743950
SHA5129d38a48ed651bdf5a2999facdbfcea5c004de777f911b37f317389779c6e4e63d08b6170d607f53b294db09473a9c619f25358d4fc442b8113a32f10378a342d
-
Filesize
706KB
MD5a6701f88bf6d34228c69b2a47055cf50
SHA129c0fd4820adfd43549cecec2ad17eb85d5e6582
SHA2565f375f8a02fb3ff8b76d703de6d8c5fb13ea2dc1ac5b0eae22791e145c61204e
SHA512285fb7a599ac4a01c545e0f717621ea558d4fbc3fcc27602fd7680a714496a46d196b2f39fc19d84121307a4e3f493f91a930a51ccdebb7d8ca06dcc66d8355e
-
Filesize
706KB
MD5a6701f88bf6d34228c69b2a47055cf50
SHA129c0fd4820adfd43549cecec2ad17eb85d5e6582
SHA2565f375f8a02fb3ff8b76d703de6d8c5fb13ea2dc1ac5b0eae22791e145c61204e
SHA512285fb7a599ac4a01c545e0f717621ea558d4fbc3fcc27602fd7680a714496a46d196b2f39fc19d84121307a4e3f493f91a930a51ccdebb7d8ca06dcc66d8355e
-
Filesize
410KB
MD54a99afd6ed76b99078df204b18a8b896
SHA1f31f5bc1af96226972ccb4f09f31e951bf8c8c50
SHA256ef798a02a3eb5140e2cf2f4a5cc1baa245c94df5a355e26fb5e1371f7f832473
SHA51279d7fe86efd6624e78af1bdd89713ccf1a0de364ce87a1b1faa904643d5efe003e2083134cd99f78dde26c4587cee6fa8fa02153cbd24a452c49a1e95d94c6d4
-
Filesize
410KB
MD54a99afd6ed76b99078df204b18a8b896
SHA1f31f5bc1af96226972ccb4f09f31e951bf8c8c50
SHA256ef798a02a3eb5140e2cf2f4a5cc1baa245c94df5a355e26fb5e1371f7f832473
SHA51279d7fe86efd6624e78af1bdd89713ccf1a0de364ce87a1b1faa904643d5efe003e2083134cd99f78dde26c4587cee6fa8fa02153cbd24a452c49a1e95d94c6d4
-
Filesize
353KB
MD51ecf2a2b77ce0eedfdf74bf019e4c0a6
SHA1a986b26ba25b0243d80f5141f373ca067ae15a55
SHA2567dc812801eaf09eca0a7f11c6b2f97eb2a44fd963a2fd9a3367e3570cfa1b655
SHA5128ec2fe7afab1b26d9312eaa42e1ad9118c006e1a6ad4027589b3e9e624125315e368974d5378285e6aa538876e1cbe7b1526ce476b320cb12470b48c3392e24f
-
Filesize
353KB
MD51ecf2a2b77ce0eedfdf74bf019e4c0a6
SHA1a986b26ba25b0243d80f5141f373ca067ae15a55
SHA2567dc812801eaf09eca0a7f11c6b2f97eb2a44fd963a2fd9a3367e3570cfa1b655
SHA5128ec2fe7afab1b26d9312eaa42e1ad9118c006e1a6ad4027589b3e9e624125315e368974d5378285e6aa538876e1cbe7b1526ce476b320cb12470b48c3392e24f
-
Filesize
352KB
MD5946e45ca9ca57dbee2abd7de33d70086
SHA19003d342bb7b083b73c7b67e3a8059e1826d9695
SHA256aa2990a947b4f237d68abb0193d1da436930d427eced5942132bd24fd0bd3bd9
SHA51200743633925a810ce584991704d25034fd3d407838b245d456da54572b3558589acfa5dcbabf9ab09621f143dfc78767cfc979c18346a1e6baa55648405c8c3d
-
Filesize
352KB
MD5946e45ca9ca57dbee2abd7de33d70086
SHA19003d342bb7b083b73c7b67e3a8059e1826d9695
SHA256aa2990a947b4f237d68abb0193d1da436930d427eced5942132bd24fd0bd3bd9
SHA51200743633925a810ce584991704d25034fd3d407838b245d456da54572b3558589acfa5dcbabf9ab09621f143dfc78767cfc979c18346a1e6baa55648405c8c3d
-
Filesize
13KB
MD54fc8771b7826be4903179e20610ea630
SHA18771210ff49ea97fed7d74561861d18f33d1656a
SHA256812e0841592c3baf7203f285dcc9f9479f537e8ee9596badf6b4d45002a5685d
SHA51298b253f4bcf9ab93fbb1694ba9c48fc0255cc9d0fb740eeed8fa2aa3ce05108387740e43fc24efcf4d93b48803ccb902180dbccc7ee9ea01bbad052f72870cc9
-
Filesize
13KB
MD54fc8771b7826be4903179e20610ea630
SHA18771210ff49ea97fed7d74561861d18f33d1656a
SHA256812e0841592c3baf7203f285dcc9f9479f537e8ee9596badf6b4d45002a5685d
SHA51298b253f4bcf9ab93fbb1694ba9c48fc0255cc9d0fb740eeed8fa2aa3ce05108387740e43fc24efcf4d93b48803ccb902180dbccc7ee9ea01bbad052f72870cc9
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
39.8MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
39.8MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
180KB
-
Filesize
5.6MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
40KB