Analysis
-
max time kernel
140s -
max time network
106s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
09-04-2023 20:07
General
-
Target
58a6892e83a4491143ac9375e93bf9330db2886cddacdea5ab5aed8e93aaf2d7.exe
-
Size
925KB
-
MD5
9921e545ca4584baaf54011db29e4987
-
SHA1
7f1657a02ba5806df6641665bae869f89cded226
-
SHA256
58a6892e83a4491143ac9375e93bf9330db2886cddacdea5ab5aed8e93aaf2d7
-
SHA512
419f0d276089cabd46154e7b3e988dfbc5aafd5a6b2079303bcbce8ba72d9cb7c4188b0918b4550c0c765b92aeef17ade85b49dab6c89f7403e1c8c699b79d88
-
SSDEEP
24576:pyICJXgTqRxHL6ndT+FME9lVyjXRdZ3FB4Bc1:cZHDHLeKF79MlYB
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
spora
176.113.115.145:4125
-
auth_value
441b39ab37774b2ca9931c31e1bc6071
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 21 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58a6892e83a4491143ac9375e93bf9330db2886cddacdea5ab5aed8e93aaf2d7.exe"C:\Users\Admin\AppData\Local\Temp\58a6892e83a4491143ac9375e93bf9330db2886cddacdea5ab5aed8e93aaf2d7.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un808433.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un808433.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un730727.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un730727.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822642.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822642.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu623272.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu623272.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk051532.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk051532.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si904255.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si904255.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 6163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 6963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 8363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 8443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 8803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 8683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 10683⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si904255.exeFilesize
226KB
MD5d8c3f20eef4f33bd865589859629bf41
SHA13590244f8774ff4ac4e3c54cdbb149363fd9dc7d
SHA2562883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f
SHA51252b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si904255.exeFilesize
226KB
MD5d8c3f20eef4f33bd865589859629bf41
SHA13590244f8774ff4ac4e3c54cdbb149363fd9dc7d
SHA2562883beaaf38f654125933398a46d5bd8c9db9fd04793cb50b28eb2343b4dd36f
SHA51252b84685dacaa20eac474ee035ff3302d95324a3bf9deeff447c05a0d8066cda8fa86592e48806c661de4510b83bbae4a76ec121594e4987b27c1f883bfc77cb
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un808433.exeFilesize
662KB
MD5ddfbac0944ad8e44ba00a341e3dc8952
SHA1139159a4a9ae3fa542f8c980b9799356094ddcfd
SHA256db882af4b0429af7e87e5ce2ca686149c1b288496ed5926f4fa466650e611c5c
SHA51215c634d4fa2b2f44daa6ffa07b8f3ee8d2e06f4071a50dd70331ef30b415e59b796e44d1471d20ad61f225a88c54e14dbf7020a415d5eac331d85e757d109f39
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un808433.exeFilesize
662KB
MD5ddfbac0944ad8e44ba00a341e3dc8952
SHA1139159a4a9ae3fa542f8c980b9799356094ddcfd
SHA256db882af4b0429af7e87e5ce2ca686149c1b288496ed5926f4fa466650e611c5c
SHA51215c634d4fa2b2f44daa6ffa07b8f3ee8d2e06f4071a50dd70331ef30b415e59b796e44d1471d20ad61f225a88c54e14dbf7020a415d5eac331d85e757d109f39
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk051532.exeFilesize
175KB
MD5bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA2561d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk051532.exeFilesize
175KB
MD5bb6d43fa4ebafe62b98ec4dea4ff49d9
SHA1d8188e664ac977f59d3ec26589e3cf67b1fab23b
SHA2561d1cdf01afc38fc6784a41fe8aa2f308ec44606d2d16c4edd9445813af33fe89
SHA512679a0e394c5751020c38ceaba6a1bd1a33c558b8c9142fc796fa3570baa0ac082d099891451fde50249e165625b9738ead7321dccf2b2da567f3f7e3d4ee4644
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un730727.exeFilesize
520KB
MD5fc66664ca488279b43c58be6cda8cb24
SHA1b513a6c2a9b8b6836bea75ec316336c1482f86f4
SHA256fd9490ef17a35cdae9860e46133805c21970cdd3787ff4bf6fa6a085c000b238
SHA512720e06246ecb1473f0066bbc6768164b15bf52070c86bae1eacd18eb264fa8b9a2515e7c43d9813e141f46568efcad781cc54d3a883e51262edbd7f9cde5b7b2
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un730727.exeFilesize
520KB
MD5fc66664ca488279b43c58be6cda8cb24
SHA1b513a6c2a9b8b6836bea75ec316336c1482f86f4
SHA256fd9490ef17a35cdae9860e46133805c21970cdd3787ff4bf6fa6a085c000b238
SHA512720e06246ecb1473f0066bbc6768164b15bf52070c86bae1eacd18eb264fa8b9a2515e7c43d9813e141f46568efcad781cc54d3a883e51262edbd7f9cde5b7b2
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822642.exeFilesize
235KB
MD5b955442b12f6e3acec004233daedb31b
SHA10d7f6093da2769464dc685cd795dc6f2e1ff7cd0
SHA25689cbfab8f885cddadab8352da980a5fd66d09f25b773c6c7177222274cf6fee5
SHA512393fb1e7f30d3d18e169bc9ae8f6f51ec2df26b72c7b122fb60be82101f48e414d15011aa9b1812ed7676b51ce4d3ccd29b263ccae037df112f74f8143fc002e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr822642.exeFilesize
235KB
MD5b955442b12f6e3acec004233daedb31b
SHA10d7f6093da2769464dc685cd795dc6f2e1ff7cd0
SHA25689cbfab8f885cddadab8352da980a5fd66d09f25b773c6c7177222274cf6fee5
SHA512393fb1e7f30d3d18e169bc9ae8f6f51ec2df26b72c7b122fb60be82101f48e414d15011aa9b1812ed7676b51ce4d3ccd29b263ccae037df112f74f8143fc002e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu623272.exeFilesize
292KB
MD5ce90ddf0e2645ca5b3681cc4ff3e8169
SHA13e49246c5a86a4a4e7c98e8fbd91f4e7be443d15
SHA2560fc38f5c6324fc1459b780d28554dfe7c80486ca405065b182fdb5b8522ec143
SHA512b3153778c59776f1cc8909a011d3ee13aff2c8618b6b583b09b123eeebf03367e3d9065ac6399c6d29938616f8765a5a53f1ed41da0e76eae7a587c6fcfc9fc1
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu623272.exeFilesize
292KB
MD5ce90ddf0e2645ca5b3681cc4ff3e8169
SHA13e49246c5a86a4a4e7c98e8fbd91f4e7be443d15
SHA2560fc38f5c6324fc1459b780d28554dfe7c80486ca405065b182fdb5b8522ec143
SHA512b3153778c59776f1cc8909a011d3ee13aff2c8618b6b583b09b123eeebf03367e3d9065ac6399c6d29938616f8765a5a53f1ed41da0e76eae7a587c6fcfc9fc1
-
memory/1596-150-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-162-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-146-0x00000000021D0000-0x00000000021E8000-memory.dmpFilesize
96KB
-
memory/1596-147-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-148-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-152-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-144-0x0000000000A00000-0x0000000000A1A000-memory.dmpFilesize
104KB
-
memory/1596-156-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-154-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-158-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-160-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-145-0x0000000004C30000-0x000000000512E000-memory.dmpFilesize
5.0MB
-
memory/1596-164-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-166-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-168-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-172-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-170-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-174-0x00000000021D0000-0x00000000021E2000-memory.dmpFilesize
72KB
-
memory/1596-175-0x0000000004C20000-0x0000000004C30000-memory.dmpFilesize
64KB
-
memory/1596-176-0x0000000004C20000-0x0000000004C30000-memory.dmpFilesize
64KB
-
memory/1596-177-0x0000000004C20000-0x0000000004C30000-memory.dmpFilesize
64KB
-
memory/1596-178-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/1596-180-0x0000000000400000-0x00000000004A8000-memory.dmpFilesize
672KB
-
memory/1596-143-0x0000000000580000-0x00000000005AD000-memory.dmpFilesize
180KB
-
memory/4104-192-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-222-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-188-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-190-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-186-0x0000000004F60000-0x0000000004FA4000-memory.dmpFilesize
272KB
-
memory/4104-194-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-196-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-198-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-200-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-202-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-204-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-206-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-211-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-212-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-213-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-216-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-215-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-209-0x0000000000590000-0x00000000005DB000-memory.dmpFilesize
300KB
-
memory/4104-208-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-218-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-220-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-187-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-224-0x0000000004F60000-0x0000000004F9F000-memory.dmpFilesize
252KB
-
memory/4104-1097-0x0000000004FD0000-0x00000000055D6000-memory.dmpFilesize
6.0MB
-
memory/4104-1098-0x0000000005660000-0x000000000576A000-memory.dmpFilesize
1.0MB
-
memory/4104-1099-0x00000000057A0000-0x00000000057B2000-memory.dmpFilesize
72KB
-
memory/4104-1100-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-1101-0x00000000057C0000-0x00000000057FE000-memory.dmpFilesize
248KB
-
memory/4104-1102-0x0000000005910000-0x000000000595B000-memory.dmpFilesize
300KB
-
memory/4104-1104-0x0000000005AA0000-0x0000000005B32000-memory.dmpFilesize
584KB
-
memory/4104-1105-0x0000000005B40000-0x0000000005BA6000-memory.dmpFilesize
408KB
-
memory/4104-1107-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-1108-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-1106-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-1109-0x0000000006330000-0x00000000063A6000-memory.dmpFilesize
472KB
-
memory/4104-1110-0x00000000063B0000-0x0000000006400000-memory.dmpFilesize
320KB
-
memory/4104-1111-0x0000000006430000-0x00000000065F2000-memory.dmpFilesize
1.8MB
-
memory/4104-1112-0x0000000006610000-0x0000000006B3C000-memory.dmpFilesize
5.2MB
-
memory/4104-1113-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4104-185-0x00000000049D0000-0x0000000004A16000-memory.dmpFilesize
280KB
-
memory/4752-1127-0x0000000000580000-0x00000000005BB000-memory.dmpFilesize
236KB
-
memory/4908-1120-0x0000000005750000-0x000000000579B000-memory.dmpFilesize
300KB
-
memory/4908-1119-0x0000000000D10000-0x0000000000D42000-memory.dmpFilesize
200KB
-
memory/4908-1121-0x0000000005620000-0x0000000005630000-memory.dmpFilesize
64KB