Analysis
-
max time kernel
148s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
03/03/2023, 07:44
General
-
Target
5948d44f6db487b7688fa38258fec5bae99e7c2b3e7c5c19c19234831c5842a7.exe
-
Size
857KB
-
MD5
7fd1dbd81377a01ec0d825ec15b0174f
-
SHA1
052026e7741a772e2b2167cab0ff43f98d3a09fa
-
SHA256
5948d44f6db487b7688fa38258fec5bae99e7c2b3e7c5c19c19234831c5842a7
-
SHA512
93994b438db3c25c8eabef961f6508d0b099818613c3535690829586233d202014b6c11ff5316cbdf19b94c0ac9cf953fbb884bd6eadbef0ef20e3b1348daeae
-
SSDEEP
24576:yyrx+WUDETa5sWZc9uSd55ptg7H+l32/7Y2:ZriDETOsG0uibvLg/
Malware Config
Extracted
redline
ruzhpe
pepunn.com:4162
-
auth_value
f735ced96ae8d01d0bd1d514240e54e0
Extracted
amadey
3.68
193.233.20.25/buH5N004d/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5948d44f6db487b7688fa38258fec5bae99e7c2b3e7c5c19c19234831c5842a7.exe"C:\Users\Admin\AppData\Local\Temp\5948d44f6db487b7688fa38258fec5bae99e7c2b3e7c5c19c19234831c5842a7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptPh0109ec.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptPh0109ec.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptrT9672cN.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptrT9672cN.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beAs54nN65.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\beAs54nN65.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 10845⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cton55AW36.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cton55AW36.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk19Ek19ZR38.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk19Ek19ZR38.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 16404⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxCj73qo09.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxCj73qo09.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ghaaer.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe" /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "ghaaer.exe" /P "Admin:N"&&CACLS "ghaaer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "ghaaer.exe" /P "Admin:R" /E5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:N"5⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\46aee2aca4" /P "Admin:R" /E5⤵
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main4⤵
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4608 -ip 46081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1772 -ip 17721⤵
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exeC:\Users\Admin\AppData\Local\Temp\46aee2aca4\ghaaer.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
235KB
MD5a0466731c5317d85566b01f1142e3635
SHA1c61f62ae49b45d6bd25f815072cd07b78e5889ef
SHA256911e1bcf6ffeac92666eac2797ff8a419f815e25737bf4db32d9ad81333a77ad
SHA5120de018b804dc994a423bc3d7b5a14b0d281d8242108c11377f7a0fdd58e76051f93f5fdf71e9c03269935facef19548ac3f2861790f4da5fafd26ac4e1eebf19
-
Filesize
670KB
MD55f5bdf553560c5ff6cd0e63ea144ffa6
SHA163a3ea1070ade6fefce8e391f15ff746d651af6d
SHA2566aa5b9f6610bc71c42fa5a196dedff6661266871d4be64083849c7d0c534cb91
SHA512ef5b14dca07cc06d82888527d1334c9bc7794419cee5884b50f346212125a126005da6e5ce08995eee81074d965910bdf370bbc82f6ba6308938d699f57de257
-
Filesize
670KB
MD55f5bdf553560c5ff6cd0e63ea144ffa6
SHA163a3ea1070ade6fefce8e391f15ff746d651af6d
SHA2566aa5b9f6610bc71c42fa5a196dedff6661266871d4be64083849c7d0c534cb91
SHA512ef5b14dca07cc06d82888527d1334c9bc7794419cee5884b50f346212125a126005da6e5ce08995eee81074d965910bdf370bbc82f6ba6308938d699f57de257
-
Filesize
309KB
MD5284f5cacca006d191a474f8c3eada4c1
SHA105ccc7b3be213f8543b80cd95e4cbd1aac6190dd
SHA25652e7f367705bf1ad2aed8f9ac8dde3a1c3cd7fc0bd64ae3a3d5a44be416c1341
SHA51226887be6f3f12322ca653e2ba5ee592d5dba31c09312c27d5d29b1d9832f84e42f19a4588787894792d26068dc029ab6abca08a02cc2651e3c8dfe75c41fe4ee
-
Filesize
309KB
MD5284f5cacca006d191a474f8c3eada4c1
SHA105ccc7b3be213f8543b80cd95e4cbd1aac6190dd
SHA25652e7f367705bf1ad2aed8f9ac8dde3a1c3cd7fc0bd64ae3a3d5a44be416c1341
SHA51226887be6f3f12322ca653e2ba5ee592d5dba31c09312c27d5d29b1d9832f84e42f19a4588787894792d26068dc029ab6abca08a02cc2651e3c8dfe75c41fe4ee
-
Filesize
335KB
MD59eefb21c70f35b17e47398ad97367423
SHA1d4c5d5c97440cb1a70160167957a5535f95ad0dc
SHA256230b1a2ac3a034d7cb4f32cd729920d566d4f5313eb5f37b0f4e5fc8ac3db874
SHA5129f011e3d5003160567ad4d62d632788c1f676902ae1a7be50141b8bd6ea758a29311060fe1a08ef08db60e473500a0bd764841bcdc820ac4490abf495ba93df8
-
Filesize
335KB
MD59eefb21c70f35b17e47398ad97367423
SHA1d4c5d5c97440cb1a70160167957a5535f95ad0dc
SHA256230b1a2ac3a034d7cb4f32cd729920d566d4f5313eb5f37b0f4e5fc8ac3db874
SHA5129f011e3d5003160567ad4d62d632788c1f676902ae1a7be50141b8bd6ea758a29311060fe1a08ef08db60e473500a0bd764841bcdc820ac4490abf495ba93df8
-
Filesize
250KB
MD5452980bfe4732aaef2162c53c88f7ea4
SHA131b4e28e7ffdf36023ea859f0c343036dfb0470e
SHA256855df086e7969ec6904fde9c5920ab3c6c364ebbc240aa266f78a3103b59d06d
SHA5127ad12f0badc78bb1d42743e8776bece49a55e25244a9b7681c17c345f212bd2d28077e7fe495903de160d43aa7b3d57a419f0895ae3420a3b945d830d1d58707
-
Filesize
250KB
MD5452980bfe4732aaef2162c53c88f7ea4
SHA131b4e28e7ffdf36023ea859f0c343036dfb0470e
SHA256855df086e7969ec6904fde9c5920ab3c6c364ebbc240aa266f78a3103b59d06d
SHA5127ad12f0badc78bb1d42743e8776bece49a55e25244a9b7681c17c345f212bd2d28077e7fe495903de160d43aa7b3d57a419f0895ae3420a3b945d830d1d58707
-
Filesize
13KB
MD5eb076c960658dcda13a21fbcc848ff38
SHA1554f452f6e0bba9b465a88e16cf26b993ba8fa89
SHA2568c2f60419e662d80a6df6a6e1760d1a890ad3f7fe82e291599a4b89ec67637c3
SHA512a664f7d8d512aa806fbcfdf94bd657943bcb07ec7a444ff87c5b2fc8b985ff152aa08b87c654a678bd843393516a7355e5e7adede44b2a759a297b27fdbad0bb
-
Filesize
13KB
MD5eb076c960658dcda13a21fbcc848ff38
SHA1554f452f6e0bba9b465a88e16cf26b993ba8fa89
SHA2568c2f60419e662d80a6df6a6e1760d1a890ad3f7fe82e291599a4b89ec67637c3
SHA512a664f7d8d512aa806fbcfdf94bd657943bcb07ec7a444ff87c5b2fc8b985ff152aa08b87c654a678bd843393516a7355e5e7adede44b2a759a297b27fdbad0bb
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
89KB
MD529b9780bb2992d018ae312ed4180a663
SHA1592a993f9518c1ceab3186a8b5007826fa204b60
SHA256b0308039b578ab07a5710745e5895b90a88133c669ca14a8f1943845387d223a
SHA512988a85a0270759d2936e9ffcdf0b0543ad29a6be6342472e796b9ee2406730b8f892f9416fe385e58ecffc39862cc74604bc32a7920133209286ca20c0ac346d
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
408KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.5MB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
180KB
-
Filesize
5.6MB