Analysis
-
max time kernel
145s -
max time network
112s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10-04-2023 20:29
General
-
Target
360cd8fb2e3c99d2d651f42411a1c024104fd191cc9eedbbe6975b89bf999a6b.exe
-
Size
938KB
-
MD5
0821bdb99698a1a91c254909761d0abb
-
SHA1
54d911e13203c6305e912fdc381c3dadd38d1b87
-
SHA256
360cd8fb2e3c99d2d651f42411a1c024104fd191cc9eedbbe6975b89bf999a6b
-
SHA512
eb7bf8523680cf229b8baa17f80563ab51ea8d9ff5910e9b3ac115e9ba9b04f0da73ed69bd504cc76c77416348e59df54e4f37cbcdb59a18f323db01624b9c2a
-
SSDEEP
12288:JMrSy906E+VILP6r67v+btENGYT4IK7CYsIf9yXurMUfST76JYGmbTlMd:Tya+rr6wtnYUIfYsIfUXurFSCJtd
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
zima
176.113.115.145:4125
-
auth_value
2ef701d510c0d27e8a8e3270281678b1
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 20 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 2 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\360cd8fb2e3c99d2d651f42411a1c024104fd191cc9eedbbe6975b89bf999a6b.exe"C:\Users\Admin\AppData\Local\Temp\360cd8fb2e3c99d2d651f42411a1c024104fd191cc9eedbbe6975b89bf999a6b.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168179.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168179.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un970346.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un970346.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr707721.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr707721.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu355173.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu355173.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk035114.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk035114.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997654.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997654.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 6163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 7043⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 8363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 8443⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 8723⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 8203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 10723⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997654.exeFilesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si997654.exeFilesize
231KB
MD5f8117f396c10315824172b564d08490e
SHA196c20a6f156aa6e75f75fa9038a8878d75401138
SHA2567f2db89b0b8c955144ab3138b179d30a3d7f5220b3752bdfad443bab0fc935ba
SHA51260606b0cf43e2c10d42f611c47463fcce8044faad9ebb366cc455641747b47c4c2844a5b7b56194cfca524d881fd3f9db3464b8307076a69bbf1c2bc04b43743
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168179.exeFilesize
674KB
MD58943fdfe28a8f18f6a46e1cce348f914
SHA1b285629d9bd93841c7c8ad76268c44a813e602c4
SHA2568516e546cb7abe284b94a61fbb2bdd30c991eb7bc39a5da8cc68b7db0b1ca4bc
SHA5129218564fdee272716ac4a985db426a83ace6f4ecbab10d9e5bf8f983844d611581046b04ed60d9156c460b35ab0c77a56e8f96c2627e3159056a10be48f4c522
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un168179.exeFilesize
674KB
MD58943fdfe28a8f18f6a46e1cce348f914
SHA1b285629d9bd93841c7c8ad76268c44a813e602c4
SHA2568516e546cb7abe284b94a61fbb2bdd30c991eb7bc39a5da8cc68b7db0b1ca4bc
SHA5129218564fdee272716ac4a985db426a83ace6f4ecbab10d9e5bf8f983844d611581046b04ed60d9156c460b35ab0c77a56e8f96c2627e3159056a10be48f4c522
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk035114.exeFilesize
169KB
MD50473e0b5cc18772de8b18c9a97668bfe
SHA1e3aa38255ede684d290b9612695bb43fd9ca667b
SHA256cdcbbaa6ac56757a68231be2b0b0af5ec5cbd3edc41eec975154b4044bfd8e62
SHA512212f164bfb11338e55521b0700207c4a814f91ecf471d1958fb716d1349921b89358b08f422207b7b0467b757adf0c14a4d6c6e5e99cd955e0fd0d92c37aca3e
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk035114.exeFilesize
169KB
MD50473e0b5cc18772de8b18c9a97668bfe
SHA1e3aa38255ede684d290b9612695bb43fd9ca667b
SHA256cdcbbaa6ac56757a68231be2b0b0af5ec5cbd3edc41eec975154b4044bfd8e62
SHA512212f164bfb11338e55521b0700207c4a814f91ecf471d1958fb716d1349921b89358b08f422207b7b0467b757adf0c14a4d6c6e5e99cd955e0fd0d92c37aca3e
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un970346.exeFilesize
520KB
MD5a94e302a86509c3e203132af3803d9d7
SHA1a81876832c920ad610efed79c0fbc241fbbf627c
SHA2568166ec1903be2332ca0141340b77ebeb4360f73931cafa394808863d78f7820a
SHA5126eb0a7dbfa8c4d6ce22b15e48bc9ecb3d7777d9b083d3da125e05682fd99a2ca3c710f2a367382b34e0e9bbe44e99f546b364ed138a316932dfcfc9990b4f4d6
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un970346.exeFilesize
520KB
MD5a94e302a86509c3e203132af3803d9d7
SHA1a81876832c920ad610efed79c0fbc241fbbf627c
SHA2568166ec1903be2332ca0141340b77ebeb4360f73931cafa394808863d78f7820a
SHA5126eb0a7dbfa8c4d6ce22b15e48bc9ecb3d7777d9b083d3da125e05682fd99a2ca3c710f2a367382b34e0e9bbe44e99f546b364ed138a316932dfcfc9990b4f4d6
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr707721.exeFilesize
239KB
MD594246a2d2624993c051d97e13ba7b8a4
SHA1f562eaa41ba9c136f8cd8dac778bbaf669b71e09
SHA2562c2bfc07e74476f989bd923eae10be9c8c6325ba6bc97be6a6fd6a39a62335d4
SHA51273faffd729987d7b0e1c4c674e79c743712aa9f9421d5a995affbbb3f9dc1787a5eab6b5538a4db64a978fbe6993aff3d9c5009eb5da19693b36bbb49e43b61f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr707721.exeFilesize
239KB
MD594246a2d2624993c051d97e13ba7b8a4
SHA1f562eaa41ba9c136f8cd8dac778bbaf669b71e09
SHA2562c2bfc07e74476f989bd923eae10be9c8c6325ba6bc97be6a6fd6a39a62335d4
SHA51273faffd729987d7b0e1c4c674e79c743712aa9f9421d5a995affbbb3f9dc1787a5eab6b5538a4db64a978fbe6993aff3d9c5009eb5da19693b36bbb49e43b61f
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu355173.exeFilesize
297KB
MD59072cc7673835dc19fad760ce0af17ce
SHA1b24952992b92978cdd342699470771e66c1cecf3
SHA2563de89ef2064a87135588a24d379bd27e67c47ce9c2b5f1f240d6402d88270c05
SHA51284d93803a72439608fba1cdbb2eb0bebeff35bc796cb7943bcf905c800d146eb8b7832e622f80dfed73a74b95d13fd9d0d0d31a252e90a4753c3f4485b325321
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu355173.exeFilesize
297KB
MD59072cc7673835dc19fad760ce0af17ce
SHA1b24952992b92978cdd342699470771e66c1cecf3
SHA2563de89ef2064a87135588a24d379bd27e67c47ce9c2b5f1f240d6402d88270c05
SHA51284d93803a72439608fba1cdbb2eb0bebeff35bc796cb7943bcf905c800d146eb8b7832e622f80dfed73a74b95d13fd9d0d0d31a252e90a4753c3f4485b325321
-
memory/2668-1104-0x0000000005300000-0x000000000534B000-memory.dmpFilesize
300KB
-
memory/2668-1107-0x0000000005530000-0x0000000005596000-memory.dmpFilesize
408KB
-
memory/2668-1115-0x0000000006750000-0x0000000006C7C000-memory.dmpFilesize
5.2MB
-
memory/2668-1114-0x0000000006570000-0x0000000006732000-memory.dmpFilesize
1.8MB
-
memory/2668-1113-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-1112-0x00000000064F0000-0x0000000006540000-memory.dmpFilesize
320KB
-
memory/2668-1111-0x0000000006470000-0x00000000064E6000-memory.dmpFilesize
472KB
-
memory/2668-1110-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-1109-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-1108-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-1106-0x0000000005490000-0x0000000005522000-memory.dmpFilesize
584KB
-
memory/2668-1103-0x00000000051B0000-0x00000000051EE000-memory.dmpFilesize
248KB
-
memory/2668-1102-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-1101-0x0000000005190000-0x00000000051A2000-memory.dmpFilesize
72KB
-
memory/2668-1100-0x0000000005050000-0x000000000515A000-memory.dmpFilesize
1.0MB
-
memory/2668-1099-0x00000000055E0000-0x0000000005BE6000-memory.dmpFilesize
6.0MB
-
memory/2668-235-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-232-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-230-0x0000000004A70000-0x0000000004A80000-memory.dmpFilesize
64KB
-
memory/2668-229-0x00000000004C0000-0x000000000050B000-memory.dmpFilesize
300KB
-
memory/2668-222-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-220-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-187-0x00000000023A0000-0x00000000023E6000-memory.dmpFilesize
280KB
-
memory/2668-188-0x0000000004F80000-0x0000000004FC4000-memory.dmpFilesize
272KB
-
memory/2668-189-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-190-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-192-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-194-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-196-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-198-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-200-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-202-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-204-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-206-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-208-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-210-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-212-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-214-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-216-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/2668-218-0x0000000004F80000-0x0000000004FBF000-memory.dmpFilesize
252KB
-
memory/4520-1131-0x00000000004B0000-0x00000000004EB000-memory.dmpFilesize
236KB
-
memory/4596-161-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-147-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/4596-163-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-179-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/4596-178-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/4596-177-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-175-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-173-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-171-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-169-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-149-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/4596-167-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-150-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-165-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-180-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/4596-159-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-182-0x0000000000400000-0x00000000004AA000-memory.dmpFilesize
680KB
-
memory/4596-157-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-153-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-155-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-151-0x0000000002220000-0x0000000002232000-memory.dmpFilesize
72KB
-
memory/4596-146-0x00000000004B0000-0x00000000004DD000-memory.dmpFilesize
180KB
-
memory/4596-145-0x0000000002220000-0x0000000002238000-memory.dmpFilesize
96KB
-
memory/4596-148-0x0000000004BE0000-0x0000000004BF0000-memory.dmpFilesize
64KB
-
memory/4596-143-0x00000000020A0000-0x00000000020BA000-memory.dmpFilesize
104KB
-
memory/4596-144-0x0000000004BF0000-0x00000000050EE000-memory.dmpFilesize
5.0MB
-
memory/4740-1124-0x0000000005630000-0x0000000005640000-memory.dmpFilesize
64KB
-
memory/4740-1125-0x0000000005630000-0x0000000005640000-memory.dmpFilesize
64KB
-
memory/4740-1123-0x000000000AC10000-0x000000000AC5B000-memory.dmpFilesize
300KB
-
memory/4740-1122-0x00000000055B0000-0x00000000055B6000-memory.dmpFilesize
24KB
-
memory/4740-1121-0x0000000000D00000-0x0000000000D30000-memory.dmpFilesize
192KB