Analysis
-
max time kernel
142s -
max time network
98s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
14-04-2023 06:20
General
-
Target
077f7f803e53687e8271b24f8e4569fbfe3194c8c8e883c9327cf8ea04e79b39.exe
-
Size
1.0MB
-
MD5
b9693e42f0198200df0087c194b200cc
-
SHA1
366ef95d109c73c903f719dd3b9030c7f65804bd
-
SHA256
077f7f803e53687e8271b24f8e4569fbfe3194c8c8e883c9327cf8ea04e79b39
-
SHA512
15b747da3a43fcbdfd239ffde7ea3c163a96cc50a0011c357a0b7659fa55f338887a2b7520469869fa2fc7eb0b56080261f8b1515342ac262af2843dc21cf759
-
SSDEEP
24576:tyb9GtxKNK4kVZMHLrocPRWgchfXOYEgVGa2ls:IEtgwqrDPRWgQPOYf
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Extracted
redline
disa
185.161.248.90:4125
-
auth_value
93f8c4ca7000e3381dd4b6b86434de05
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\077f7f803e53687e8271b24f8e4569fbfe3194c8c8e883c9327cf8ea04e79b39.exe"C:\Users\Admin\AppData\Local\Temp\077f7f803e53687e8271b24f8e4569fbfe3194c8c8e883c9327cf8ea04e79b39.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimQ4736.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimQ4736.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihg9678.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihg9678.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it785292.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it785292.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr223864.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr223864.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp297102.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp297102.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr195774.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr195774.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 6363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 7123⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 8523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 8603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 9203⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 8963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 11283⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 12043⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 12323⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
723KB
MD558450ce4bdc365eab63dbf69aaea0d62
SHA1e6086b598ca2840bf0162bf6e42d1c6e3851b552
SHA256ba088a3123c1ec8af40d27e3612f6a36f90efe2bea13516653552057ebdf0a4b
SHA512e2290ce3565c1454d6d0a1974fd0ab4e2b51404a50d467d3d2024444abc72e6581c9e4e85f8c0597602ddff68ae4dbe8006af4d2f5eb50c9930170f9ed83cb87
-
Filesize
723KB
MD558450ce4bdc365eab63dbf69aaea0d62
SHA1e6086b598ca2840bf0162bf6e42d1c6e3851b552
SHA256ba088a3123c1ec8af40d27e3612f6a36f90efe2bea13516653552057ebdf0a4b
SHA512e2290ce3565c1454d6d0a1974fd0ab4e2b51404a50d467d3d2024444abc72e6581c9e4e85f8c0597602ddff68ae4dbe8006af4d2f5eb50c9930170f9ed83cb87
-
Filesize
169KB
MD59015c05d29369f62f4193fea875d6715
SHA1061af2ce548a815efa686e49062395524ae586af
SHA256834686d6e44171ad3b96dee07f25a2ca7867e261be9972bb387744644d7e54f2
SHA5124f484d064e428caa95cc9854009c5ff5a4838d240ca80e6906401896e41faccb2a710f380d964e622838b171727b3db857968565d599ca1f3ec9ad41cb85cad9
-
Filesize
169KB
MD59015c05d29369f62f4193fea875d6715
SHA1061af2ce548a815efa686e49062395524ae586af
SHA256834686d6e44171ad3b96dee07f25a2ca7867e261be9972bb387744644d7e54f2
SHA5124f484d064e428caa95cc9854009c5ff5a4838d240ca80e6906401896e41faccb2a710f380d964e622838b171727b3db857968565d599ca1f3ec9ad41cb85cad9
-
Filesize
569KB
MD57f0b7eb8a28c6808db93d1b485f6217d
SHA1f5fba2d7a3e5341d7b33e4a25477ecbb801aa099
SHA256dd5481a6f72a7792f42aaa830c2aed98336e10692402399ac7c2bd85bb6790cd
SHA512a24505c36904ceb97affc0a2c98ef7502d43532c4f31d7d0ea84c2801c3a9ab8f5f66026a04c77ce099c43774c3662b0573d83dabe9b4300048b52fd2a23e2e2
-
Filesize
569KB
MD57f0b7eb8a28c6808db93d1b485f6217d
SHA1f5fba2d7a3e5341d7b33e4a25477ecbb801aa099
SHA256dd5481a6f72a7792f42aaa830c2aed98336e10692402399ac7c2bd85bb6790cd
SHA512a24505c36904ceb97affc0a2c98ef7502d43532c4f31d7d0ea84c2801c3a9ab8f5f66026a04c77ce099c43774c3662b0573d83dabe9b4300048b52fd2a23e2e2
-
Filesize
11KB
MD56f3d82ba66b148340aaed46b2583e1d9
SHA1531bca927a9375e1a0addcdb2fde53b52de5c24d
SHA256816e9cec678fe3557dbb774e91184c35ba80eb5f7a9530350b5bd22013939b92
SHA512801b34bbba36019b8da07cd4136e1ea0a9b034b43cd2e3d6cf86d1a10c522b3fe84062883ec21bdbe56ffe4650b6f45f02ea7dadfdf6589d19031b315d14b93e
-
Filesize
11KB
MD56f3d82ba66b148340aaed46b2583e1d9
SHA1531bca927a9375e1a0addcdb2fde53b52de5c24d
SHA256816e9cec678fe3557dbb774e91184c35ba80eb5f7a9530350b5bd22013939b92
SHA512801b34bbba36019b8da07cd4136e1ea0a9b034b43cd2e3d6cf86d1a10c522b3fe84062883ec21bdbe56ffe4650b6f45f02ea7dadfdf6589d19031b315d14b93e
-
Filesize
587KB
MD512920f0f4d54b5e304b536d1f2993fb7
SHA1d243e91cf0de723ed426b76e47b67ba0aef671b0
SHA2568d65b76d5a3e6c9dfe88fc6c2f26d4f91af206f6236de23db5c80b96c54f8a9d
SHA5127c2f78a0c73e2157ea77077768d0e856bb375c2f2be32aa82ff2286bf09281650d6ee9c70d679671a5c0544dd556c361b525b707045ae043c358421af6172d8a
-
Filesize
587KB
MD512920f0f4d54b5e304b536d1f2993fb7
SHA1d243e91cf0de723ed426b76e47b67ba0aef671b0
SHA2568d65b76d5a3e6c9dfe88fc6c2f26d4f91af206f6236de23db5c80b96c54f8a9d
SHA5127c2f78a0c73e2157ea77077768d0e856bb375c2f2be32aa82ff2286bf09281650d6ee9c70d679671a5c0544dd556c361b525b707045ae043c358421af6172d8a
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
5.0MB
-
Filesize
416KB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
236KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
184KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
24KB