Analysis
-
max time kernel
141s -
max time network
117s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10-04-2023 20:14
General
-
Target
9a312c4842f686e4e35bf00934fbf3a0d46d3d76af216e06978048406815810a.exe
-
Size
940KB
-
MD5
e16087743eebc53a87905df46125a260
-
SHA1
eb0ef78ba68c022e65c7f51c7a19f5a1c49dcb60
-
SHA256
9a312c4842f686e4e35bf00934fbf3a0d46d3d76af216e06978048406815810a
-
SHA512
e2b935516ae7238c72b82463ae5d6c93ec6cdb3f891d6a69fb506969f7b2581d9afd74c57cc4baed0c229d8d06821652aaf1ca7f707b0636ae706034e88521ef
-
SSDEEP
24576:AyBZjFGPBAg9i5SIBQfM8Yb0IEY49UE1NJiWQXC:HBJFGpdi9QfM8V59U8NAW
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
zima
176.113.115.145:4125
-
auth_value
2ef701d510c0d27e8a8e3270281678b1
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a312c4842f686e4e35bf00934fbf3a0d46d3d76af216e06978048406815810a.exe"C:\Users\Admin\AppData\Local\Temp\9a312c4842f686e4e35bf00934fbf3a0d46d3d76af216e06978048406815810a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094521.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094521.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513392.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513392.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750322.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750322.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu384636.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu384636.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk503474.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk503474.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433224.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433224.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 7003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 8403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 8523⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 8883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 8923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 10563⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433224.exeFilesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si433224.exeFilesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094521.exeFilesize
675KB
MD5db6c5206b486f9f11b599a40c352038b
SHA10969fbe782428029d3c37ac0d43cc177b103bfca
SHA2564490dc14fa952a43cb1ba41cbf81c87e08e3c6633490290dc69449f8803cb3d3
SHA5121646d60ad87779ac4749e032dcd2147fff93cb0540e64dbdccfb9b4f6f95a5deb814506022bee0e1de9e6f46fb282ef99b9fb08033350e581833bed87a370664
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094521.exeFilesize
675KB
MD5db6c5206b486f9f11b599a40c352038b
SHA10969fbe782428029d3c37ac0d43cc177b103bfca
SHA2564490dc14fa952a43cb1ba41cbf81c87e08e3c6633490290dc69449f8803cb3d3
SHA5121646d60ad87779ac4749e032dcd2147fff93cb0540e64dbdccfb9b4f6f95a5deb814506022bee0e1de9e6f46fb282ef99b9fb08033350e581833bed87a370664
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk503474.exeFilesize
169KB
MD53405edfe9b6962b6fc7f574dfcf76863
SHA12d6d4be650baf275a3078cb3087ac632835f73c3
SHA256ce9d670d2abd02891a95ab8cff238c4be21ed6dd42781f3c06799d5d3fddf584
SHA5129b35b0ea400b78067dc39fc8ec9ef55d3e2573722468755664561722b7fa05f07b857a4eff62422d7aa2a6e8a0e46149a3b0f4e8d63dbce415435742e457d0b9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk503474.exeFilesize
169KB
MD53405edfe9b6962b6fc7f574dfcf76863
SHA12d6d4be650baf275a3078cb3087ac632835f73c3
SHA256ce9d670d2abd02891a95ab8cff238c4be21ed6dd42781f3c06799d5d3fddf584
SHA5129b35b0ea400b78067dc39fc8ec9ef55d3e2573722468755664561722b7fa05f07b857a4eff62422d7aa2a6e8a0e46149a3b0f4e8d63dbce415435742e457d0b9
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513392.exeFilesize
521KB
MD58b73daf928e9c9e3c5d9b376c75de905
SHA1a7717ff00a8f85db9b08fcbeb9ad6b84067f20ba
SHA2568be68c22ab5266868117b5f30aa6560a170fffbd8310af194d3ba5646f42c902
SHA512b40dd8f68f1cbae01fe82ed7d262a04f761966726c1f0208e68fbc66fdac5bd4d7060b6b1dfd45cbb319a4d54affd9de46d467be559231f353736c9691c906e4
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un513392.exeFilesize
521KB
MD58b73daf928e9c9e3c5d9b376c75de905
SHA1a7717ff00a8f85db9b08fcbeb9ad6b84067f20ba
SHA2568be68c22ab5266868117b5f30aa6560a170fffbd8310af194d3ba5646f42c902
SHA512b40dd8f68f1cbae01fe82ed7d262a04f761966726c1f0208e68fbc66fdac5bd4d7060b6b1dfd45cbb319a4d54affd9de46d467be559231f353736c9691c906e4
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750322.exeFilesize
239KB
MD593f5567820fd1a70a0aa60543711e248
SHA16d4e5465cfad10ed28063de9abd4e5406d7a5846
SHA256637b04a71587672ac6853dce61e253e5f9319eabac8571f2ac9a32931c61cbf1
SHA512976b40818b19f2563570e41a85d309ca0ac92a09af124e99a59898ed17e0538d6cf1ffd44ed704679ae6cb4a0235ce3e490546230fdacfc4ec888e524b97230f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr750322.exeFilesize
239KB
MD593f5567820fd1a70a0aa60543711e248
SHA16d4e5465cfad10ed28063de9abd4e5406d7a5846
SHA256637b04a71587672ac6853dce61e253e5f9319eabac8571f2ac9a32931c61cbf1
SHA512976b40818b19f2563570e41a85d309ca0ac92a09af124e99a59898ed17e0538d6cf1ffd44ed704679ae6cb4a0235ce3e490546230fdacfc4ec888e524b97230f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu384636.exeFilesize
297KB
MD53b3760dc0e38f0086e23f62e609d423e
SHA1c1493a73a2d28a46ea2a6bc60cfe34075a4482cc
SHA2565a2c365cf980b71998282fa61ab9f6270a8dbbd4358093fe75b2912c4c63d003
SHA5124d95e9d4b230a0c0f5348a033425e3960f0ca94f760fa92eb0e038255c185eb910a5b39dc8657b2e96b335fbcc26fae3501cec535ea4c241344ece0f5eb4fb43
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu384636.exeFilesize
297KB
MD53b3760dc0e38f0086e23f62e609d423e
SHA1c1493a73a2d28a46ea2a6bc60cfe34075a4482cc
SHA2565a2c365cf980b71998282fa61ab9f6270a8dbbd4358093fe75b2912c4c63d003
SHA5124d95e9d4b230a0c0f5348a033425e3960f0ca94f760fa92eb0e038255c185eb910a5b39dc8657b2e96b335fbcc26fae3501cec535ea4c241344ece0f5eb4fb43
-
memory/3516-1100-0x00000000052F0000-0x000000000532E000-memory.dmpFilesize
248KB
-
memory/3516-1105-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-1112-0x0000000006750000-0x0000000006C7C000-memory.dmpFilesize
5.2MB
-
memory/3516-1111-0x0000000006580000-0x0000000006742000-memory.dmpFilesize
1.8MB
-
memory/3516-1110-0x0000000006510000-0x0000000006560000-memory.dmpFilesize
320KB
-
memory/3516-1109-0x0000000006490000-0x0000000006506000-memory.dmpFilesize
472KB
-
memory/3516-1108-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-1107-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-1106-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-1103-0x00000000062B0000-0x0000000006342000-memory.dmpFilesize
584KB
-
memory/3516-1102-0x00000000055D0000-0x0000000005636000-memory.dmpFilesize
408KB
-
memory/3516-1101-0x0000000005440000-0x000000000548B000-memory.dmpFilesize
300KB
-
memory/3516-1099-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-1098-0x00000000052D0000-0x00000000052E2000-memory.dmpFilesize
72KB
-
memory/3516-1097-0x0000000005190000-0x000000000529A000-memory.dmpFilesize
1.0MB
-
memory/3516-1096-0x0000000005720000-0x0000000005D26000-memory.dmpFilesize
6.0MB
-
memory/3516-225-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-219-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-220-0x00000000005A0000-0x00000000005EB000-memory.dmpFilesize
300KB
-
memory/3516-223-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/3516-184-0x0000000002080000-0x00000000020C6000-memory.dmpFilesize
280KB
-
memory/3516-185-0x0000000002600000-0x0000000002644000-memory.dmpFilesize
272KB
-
memory/3516-186-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-187-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-189-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-191-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-193-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-197-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-199-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-195-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-201-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-203-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-205-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-207-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-209-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-211-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-213-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-215-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-217-0x0000000002600000-0x000000000263F000-memory.dmpFilesize
252KB
-
memory/3516-221-0x0000000002050000-0x0000000002060000-memory.dmpFilesize
64KB
-
memory/4340-1118-0x0000000000190000-0x00000000001C0000-memory.dmpFilesize
192KB
-
memory/4340-1122-0x00000000049A0000-0x00000000049B0000-memory.dmpFilesize
64KB
-
memory/4340-1121-0x00000000049A0000-0x00000000049B0000-memory.dmpFilesize
64KB
-
memory/4340-1120-0x000000000A0A0000-0x000000000A0EB000-memory.dmpFilesize
300KB
-
memory/4340-1119-0x0000000000910000-0x0000000000916000-memory.dmpFilesize
24KB
-
memory/4556-164-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-156-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-173-0x00000000001D0000-0x00000000001FD000-memory.dmpFilesize
180KB
-
memory/4556-146-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-172-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-170-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-168-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-148-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-166-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-152-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-162-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-160-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-158-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-174-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/4556-154-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-145-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-144-0x0000000002070000-0x0000000002088000-memory.dmpFilesize
96KB
-
memory/4556-175-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/4556-176-0x0000000004BF0000-0x0000000004C00000-memory.dmpFilesize
64KB
-
memory/4556-177-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/4556-179-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/4556-150-0x0000000002070000-0x0000000002082000-memory.dmpFilesize
72KB
-
memory/4556-143-0x0000000004C00000-0x00000000050FE000-memory.dmpFilesize
5.0MB
-
memory/4556-142-0x00000000007C0000-0x00000000007DA000-memory.dmpFilesize
104KB
-
memory/4696-1128-0x00000000005A0000-0x00000000005DB000-memory.dmpFilesize
236KB