Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
14-04-2023 06:09
General
-
Target
e81571911b86a7fcb1cb192ea5a776a0242232be3e7095aa41d41cb11a12fc3c.exe
-
Size
1.0MB
-
MD5
dc13b2843d749a31fee6bffbd0a45c42
-
SHA1
95e5b9e901c86baf2c134dffdf9f3c10a7f3b845
-
SHA256
e81571911b86a7fcb1cb192ea5a776a0242232be3e7095aa41d41cb11a12fc3c
-
SHA512
5cb62bf94b1d688f412135ae25d4fe65682b815d11bcb74a5dda460f145eee88881f276564026a75b056b220e7fadf8bb3015d57a0dfa93aec8998135b868eb7
-
SSDEEP
24576:oy/0TIk1mGOMJ3pqBVIJFLwN5MGBUJoH9tKqGN923:vzOmGXkWwjM+UJG9kqGNI
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Extracted
redline
disa
185.161.248.90:4125
-
auth_value
93f8c4ca7000e3381dd4b6b86434de05
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e81571911b86a7fcb1cb192ea5a776a0242232be3e7095aa41d41cb11a12fc3c.exe"C:\Users\Admin\AppData\Local\Temp\e81571911b86a7fcb1cb192ea5a776a0242232be3e7095aa41d41cb11a12fc3c.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zite1097.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zite1097.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieb5353.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zieb5353.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it920111.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it920111.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr073127.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr073127.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp052406.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp052406.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr506239.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr506239.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 6363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 7083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 8483⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 8603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 8843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 6923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 11323⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 11523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 10963⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
722KB
MD51be48ba648b759b1ee04b5a507a549de
SHA1382809c997d5c512c7618ddaa270345c03b18977
SHA25652674010968987533f5191bd33d3357d51b19c02cbc1b73b8b82d54c261642ed
SHA512c29a49cf9795a973fc810a709ef558ffbc55d27a377f896c5336250aa3cc79cda06734334031ed4130928f36eb7fd250109fd8b896dca0bd51e70450ad99cb85
-
Filesize
722KB
MD51be48ba648b759b1ee04b5a507a549de
SHA1382809c997d5c512c7618ddaa270345c03b18977
SHA25652674010968987533f5191bd33d3357d51b19c02cbc1b73b8b82d54c261642ed
SHA512c29a49cf9795a973fc810a709ef558ffbc55d27a377f896c5336250aa3cc79cda06734334031ed4130928f36eb7fd250109fd8b896dca0bd51e70450ad99cb85
-
Filesize
169KB
MD5b2d6784100501db097bd3113ee149ea4
SHA1c09c0660c75a18250ca27dba1d0ebabee76fedcd
SHA25698eaf07b181de23d498a549ccce4f0ab44391368ac8e32551b17529883869b1c
SHA51216a6bc216c87c10765eb7e115777e6b5289cec49b791a8f2b8992dcf4c922699631a168373326bfbe88a8fb7d929206de0e2f898fa7ee8154f2028c74a96ef05
-
Filesize
169KB
MD5b2d6784100501db097bd3113ee149ea4
SHA1c09c0660c75a18250ca27dba1d0ebabee76fedcd
SHA25698eaf07b181de23d498a549ccce4f0ab44391368ac8e32551b17529883869b1c
SHA51216a6bc216c87c10765eb7e115777e6b5289cec49b791a8f2b8992dcf4c922699631a168373326bfbe88a8fb7d929206de0e2f898fa7ee8154f2028c74a96ef05
-
Filesize
569KB
MD548cb983878aef835f73999a3a1b89445
SHA1ae9cd2e6007a8437b0b4d7e5429abb555196ac7a
SHA25648335d3055e3a1631ff9d3be19993226a16c2b70ac749431037afb7d646b4b00
SHA5129dcb7e7523af6b90536e3cb4b0d23771748768760143bf09fc9e91f06e5c7f57340038d2f001cbf946bd58aae3edacdb68ab3dbe935ac1e90ae25b3a2d39cb63
-
Filesize
569KB
MD548cb983878aef835f73999a3a1b89445
SHA1ae9cd2e6007a8437b0b4d7e5429abb555196ac7a
SHA25648335d3055e3a1631ff9d3be19993226a16c2b70ac749431037afb7d646b4b00
SHA5129dcb7e7523af6b90536e3cb4b0d23771748768760143bf09fc9e91f06e5c7f57340038d2f001cbf946bd58aae3edacdb68ab3dbe935ac1e90ae25b3a2d39cb63
-
Filesize
11KB
MD5c223b21f10a9faeda79c1124b3746efd
SHA1c80cb91330141bfe37ab8f869db188cda6e6e34d
SHA25631b0d9c21e14e7a9e05aaaa58e7869179c49b6dacc169ccaf70bc264d0874349
SHA512a1f9c003526d448aaa7371a79674353338187a65639530e5d2afd28a713f2e88b894bcedabd3d34ba13a895f224bdea2fcea04bdc0000a8cedab8baf8b751d10
-
Filesize
11KB
MD5c223b21f10a9faeda79c1124b3746efd
SHA1c80cb91330141bfe37ab8f869db188cda6e6e34d
SHA25631b0d9c21e14e7a9e05aaaa58e7869179c49b6dacc169ccaf70bc264d0874349
SHA512a1f9c003526d448aaa7371a79674353338187a65639530e5d2afd28a713f2e88b894bcedabd3d34ba13a895f224bdea2fcea04bdc0000a8cedab8baf8b751d10
-
Filesize
587KB
MD5e2f443710a785a4287e57dc120a5ab91
SHA177d2b434c88c77ce820bd0aeadc9ba2118dbe741
SHA25612e6311500c5c93bc11df87a2f1abccf8cabf023a302a16c08824784d21a07f6
SHA512671410fbca5ef161ef4be73f7afb49a9b24747ccf0d49ff8f1e0c23df20ffada5cb088be806f8f1c7d127149b9593344bf701c2309eb1c1eb4a59a2b791af212
-
Filesize
587KB
MD5e2f443710a785a4287e57dc120a5ab91
SHA177d2b434c88c77ce820bd0aeadc9ba2118dbe741
SHA25612e6311500c5c93bc11df87a2f1abccf8cabf023a302a16c08824784d21a07f6
SHA512671410fbca5ef161ef4be73f7afb49a9b24747ccf0d49ff8f1e0c23df20ffada5cb088be806f8f1c7d127149b9593344bf701c2309eb1c1eb4a59a2b791af212
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
408KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
192KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
6.0MB
-
Filesize
320KB
-
Filesize
24KB
-
Filesize
472KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
184KB
-
Filesize
236KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
200KB
-
Filesize
64KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
408KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
416KB
-
Filesize
40KB