Analysis
-
max time kernel
140s -
max time network
141s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10-04-2023 21:16
General
-
Target
621d2debe8fa25cb6d1ca416949cca088748600bc1993541253ea60e49c18cf0.exe
-
Size
800KB
-
MD5
bf34f191c72b13d1bc7b154aa5e0664a
-
SHA1
cd57bc8e791bddc1719cd696fb3cc58a7941bed9
-
SHA256
621d2debe8fa25cb6d1ca416949cca088748600bc1993541253ea60e49c18cf0
-
SHA512
9e11a4040e84959cb8c9f3a40960f164391262f8193b2da789067c1ce890264422abb733e239de7aa08377c377fffaf3d6c539db34f920beae85b47717c4f22b
-
SSDEEP
24576:fyHvZFVS9C8cYSuxfc3Avr6FDswnbZHHTr1:qHvg9C8cYRx5PQF
Malware Config
Extracted
redline
rosn
176.113.115.145:4125
-
auth_value
050a19e1db4d0024b0f23b37dcf961f4
Extracted
redline
zima
176.113.115.145:4125
-
auth_value
2ef701d510c0d27e8a8e3270281678b1
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 35 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\621d2debe8fa25cb6d1ca416949cca088748600bc1993541253ea60e49c18cf0.exe"C:\Users\Admin\AppData\Local\Temp\621d2debe8fa25cb6d1ca416949cca088748600bc1993541253ea60e49c18cf0.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXT5262.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXT5262.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziHX3536.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziHX3536.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it071508.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it071508.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr625776.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr625776.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085816.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085816.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr236108.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr236108.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 6203⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 7003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 8363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 8803⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 9243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 8243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 10763⤵
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr236108.exeFilesize
231KB
MD55a531a1495614605383afe7a35731a7a
SHA1f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6
SHA2562aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d
SHA512906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr236108.exeFilesize
231KB
MD55a531a1495614605383afe7a35731a7a
SHA1f00c58c5745c7adeb14b5b176fc0cd8d6d694bb6
SHA2562aa40e53a153a68c6fd28793fdd06fa3bcbe4658820261607f6f4f8ecd3b8c2d
SHA512906eb4afa865e09a68e5f40e48837bf576ced8218e8545daa25bd1ac0bea2087f77c9905d143c243cb3cbf04b3472c049620e2b51ccf243ac75f7134376e4aa3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXT5262.exeFilesize
535KB
MD584f81f8f0ebcf0fd245137c535c2dd02
SHA14a909d421e62d978a1b6824777d8b48845bd16d9
SHA2563ee54f29817705ef346e44bfefdae0fcee942d423e7690a977ded0904a7dcaf7
SHA51231f0df780ab23f609411460ea711258d739609d704b66bc382169c189d3513aa728cde4ce2807c4da9461eb9c2c8a933575a6eb971923e334f172b47ab4eed2b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziXT5262.exeFilesize
535KB
MD584f81f8f0ebcf0fd245137c535c2dd02
SHA14a909d421e62d978a1b6824777d8b48845bd16d9
SHA2563ee54f29817705ef346e44bfefdae0fcee942d423e7690a977ded0904a7dcaf7
SHA51231f0df780ab23f609411460ea711258d739609d704b66bc382169c189d3513aa728cde4ce2807c4da9461eb9c2c8a933575a6eb971923e334f172b47ab4eed2b
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085816.exeFilesize
169KB
MD51f19560a80ff2ee5cfb47f45de5e60da
SHA1143a715a487088cfbc2fae6cfacb308a11eebaad
SHA2562be903c827631ec23444338a81f8c543b91b9c2cb647b3aa2956b838ccefa220
SHA5124c56cd9fe52779fa5376b20ffbd7d860be4bb475658f3dd64678a02c5d7e4c967b9047389198cf68b6dfb77f304c133f21e284dd03cecf7cef22ac03fc1157b8
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp085816.exeFilesize
169KB
MD51f19560a80ff2ee5cfb47f45de5e60da
SHA1143a715a487088cfbc2fae6cfacb308a11eebaad
SHA2562be903c827631ec23444338a81f8c543b91b9c2cb647b3aa2956b838ccefa220
SHA5124c56cd9fe52779fa5376b20ffbd7d860be4bb475658f3dd64678a02c5d7e4c967b9047389198cf68b6dfb77f304c133f21e284dd03cecf7cef22ac03fc1157b8
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziHX3536.exeFilesize
382KB
MD5fe32ce6c2b356e546c2c1258ce8134a9
SHA1f4cb3e310a952bd2e0c3891eed010b695a349f97
SHA256f0d1c514687f6b6e3d6e6ef06ef67b8a92311cebb2e76a124e522f50f1b34591
SHA512aa5d37ac16ed35452f5bb586f7f54ed7d2ffc97c3ce8f69869c5373dc679cfe0665bca16791a5f98acd4da34e62d607ee6cb217831888b0a9a98d422e95a7c4a
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziHX3536.exeFilesize
382KB
MD5fe32ce6c2b356e546c2c1258ce8134a9
SHA1f4cb3e310a952bd2e0c3891eed010b695a349f97
SHA256f0d1c514687f6b6e3d6e6ef06ef67b8a92311cebb2e76a124e522f50f1b34591
SHA512aa5d37ac16ed35452f5bb586f7f54ed7d2ffc97c3ce8f69869c5373dc679cfe0665bca16791a5f98acd4da34e62d607ee6cb217831888b0a9a98d422e95a7c4a
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it071508.exeFilesize
11KB
MD5ec79ce9f927cf61d4610ae4cc520e578
SHA1b5e068fa33f5a92038c1208f507ff7bba2bdd75c
SHA256062961affa282282b0178a277342fb669c099e22e89f585c221e8cebfdc08df6
SHA51254351113b29a706d7f6f80ffba43c93ea2bd2abfd2ef295f4d267101cce374b3090567780da856c5b46c66accf5dbadb937bece0866d335f1e3ec84e69b1d4b5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it071508.exeFilesize
11KB
MD5ec79ce9f927cf61d4610ae4cc520e578
SHA1b5e068fa33f5a92038c1208f507ff7bba2bdd75c
SHA256062961affa282282b0178a277342fb669c099e22e89f585c221e8cebfdc08df6
SHA51254351113b29a706d7f6f80ffba43c93ea2bd2abfd2ef295f4d267101cce374b3090567780da856c5b46c66accf5dbadb937bece0866d335f1e3ec84e69b1d4b5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr625776.exeFilesize
297KB
MD58f28f08eace4a48e59631face142f9cb
SHA1d99bbcabda16abf33aa87a3c022d7565c36fe844
SHA25626c6efe6ab84c6de14b83f7856c7eed5828f7c0beb281344939b90c507874950
SHA512286514397c9ae262534018d0eec57a4a8b6f29d2e8a76bde4854d8f1875f2caff6963caf6b1c6321b96ffeb9e07e97c487551515b089f5265bb9d278e9abd66a
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr625776.exeFilesize
297KB
MD58f28f08eace4a48e59631face142f9cb
SHA1d99bbcabda16abf33aa87a3c022d7565c36fe844
SHA25626c6efe6ab84c6de14b83f7856c7eed5828f7c0beb281344939b90c507874950
SHA512286514397c9ae262534018d0eec57a4a8b6f29d2e8a76bde4854d8f1875f2caff6963caf6b1c6321b96ffeb9e07e97c487551515b089f5265bb9d278e9abd66a
-
memory/4004-1091-0x0000000000580000-0x00000000005BB000-memory.dmpFilesize
236KB
-
memory/4324-1082-0x0000000004FC0000-0x0000000004FC6000-memory.dmpFilesize
24KB
-
memory/4324-1081-0x0000000000810000-0x0000000000840000-memory.dmpFilesize
192KB
-
memory/4324-1086-0x00000000050B0000-0x00000000050C0000-memory.dmpFilesize
64KB
-
memory/4324-1084-0x00000000050B0000-0x00000000050C0000-memory.dmpFilesize
64KB
-
memory/4324-1083-0x000000000A5F0000-0x000000000A63B000-memory.dmpFilesize
300KB
-
memory/4700-140-0x0000000000DB0000-0x0000000000DBA000-memory.dmpFilesize
40KB
-
memory/4808-185-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-204-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-157-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-159-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-161-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-163-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-165-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-167-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-169-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-171-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-173-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-175-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-177-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-179-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-181-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-183-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-184-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-153-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-187-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-188-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-190-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-192-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-194-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-196-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-198-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-200-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-202-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-155-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-206-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-208-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-210-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-212-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-214-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-216-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-1059-0x00000000051E0000-0x00000000057E6000-memory.dmpFilesize
6.0MB
-
memory/4808-1060-0x00000000057F0000-0x00000000058FA000-memory.dmpFilesize
1.0MB
-
memory/4808-1061-0x0000000004BB0000-0x0000000004BC2000-memory.dmpFilesize
72KB
-
memory/4808-1062-0x0000000005900000-0x000000000593E000-memory.dmpFilesize
248KB
-
memory/4808-1063-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-1064-0x0000000005A50000-0x0000000005A9B000-memory.dmpFilesize
300KB
-
memory/4808-1066-0x0000000005BE0000-0x0000000005C72000-memory.dmpFilesize
584KB
-
memory/4808-1067-0x0000000005C80000-0x0000000005CE6000-memory.dmpFilesize
408KB
-
memory/4808-1068-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-1069-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-1070-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-1071-0x0000000004BD0000-0x0000000004BE0000-memory.dmpFilesize
64KB
-
memory/4808-151-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-150-0x00000000023C0000-0x00000000023FF000-memory.dmpFilesize
252KB
-
memory/4808-149-0x00000000023C0000-0x0000000002404000-memory.dmpFilesize
272KB
-
memory/4808-148-0x0000000004BE0000-0x00000000050DE000-memory.dmpFilesize
5.0MB
-
memory/4808-147-0x0000000002160000-0x00000000021A6000-memory.dmpFilesize
280KB
-
memory/4808-146-0x0000000000590000-0x00000000005DB000-memory.dmpFilesize
300KB
-
memory/4808-1072-0x0000000006710000-0x0000000006786000-memory.dmpFilesize
472KB
-
memory/4808-1073-0x0000000006790000-0x00000000067E0000-memory.dmpFilesize
320KB
-
memory/4808-1074-0x0000000006800000-0x00000000069C2000-memory.dmpFilesize
1.8MB
-
memory/4808-1075-0x00000000069D0000-0x0000000006EFC000-memory.dmpFilesize
5.2MB