Analysis
-
max time kernel
147s -
max time network
104s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
14-04-2023 06:10
General
-
Target
0b59d97605d1b0f5980fe4f7fa42b3bc9f0cb2429fef78af34ca905373dd26ee.exe
-
Size
1.0MB
-
MD5
97cdd02e950aeb0303a5e6538fa85283
-
SHA1
7c47684aa6a4d6b26793338360754674ed89ccc5
-
SHA256
0b59d97605d1b0f5980fe4f7fa42b3bc9f0cb2429fef78af34ca905373dd26ee
-
SHA512
70ed7a535538ca57f2926fce2d3325db377e87e9390a0aeb16f12848f758c712dcf4b4901f1b8dcde04e478b26681b7fb96e68dd9e2b2a0b5e07fbb284511bba
-
SSDEEP
24576:dyHdpTNkr832TrVVeHLzwWs108cFmizLquQ5LoZ:4zQrEzde08kL3QJo
Malware Config
Extracted
redline
lada
185.161.248.90:4125
-
auth_value
0b3678897547fedafe314eda5a2015ba
Extracted
redline
disa
185.161.248.90:4125
-
auth_value
93f8c4ca7000e3381dd4b6b86434de05
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0b59d97605d1b0f5980fe4f7fa42b3bc9f0cb2429fef78af34ca905373dd26ee.exe"C:\Users\Admin\AppData\Local\Temp\0b59d97605d1b0f5980fe4f7fa42b3bc9f0cb2429fef78af34ca905373dd26ee.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziii5752.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziii5752.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihR8058.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zihR8058.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it262807.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it262807.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr100967.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr100967.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp959929.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp959929.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428307.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr428307.exe2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 6323⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 7083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 8483⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 8363⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 8843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 8963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 11323⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 11843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 10883⤵
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
396KB
MD52d5adc88b61f67dd4a3d0af63556a9b2
SHA1be2a227a96abc93b9ae975d80e298b30f7397ff9
SHA2561e48b404d2d2964a05cf261b6a76f91b598c699a5ab7964e182a287b812aa318
SHA512e5d941a3ccc88562eb9e27795ad337a2aa8f52547a5f4d81f0e6a6be7d121ef1e1179246135ac869554f07605682c76024ca1bdf84910e1b593a445dd8f3986a
-
Filesize
723KB
MD510e9546cc207740213ba3939fe7718d5
SHA1b72f8fb0126744177ddabad9ba26f24a60a126ee
SHA25602fec00b9088360c90641d5a7e1d51517c3ea772f45aa67814cd6a88763252e3
SHA512deec34a7f85942962b525f05eea8d0a415fbf32c34ef7d0e3d9df6d7cefb84c840a8a81788dc9b14d2874ddcdfcbaf082df27af1774c9b2e05b45723bca94744
-
Filesize
723KB
MD510e9546cc207740213ba3939fe7718d5
SHA1b72f8fb0126744177ddabad9ba26f24a60a126ee
SHA25602fec00b9088360c90641d5a7e1d51517c3ea772f45aa67814cd6a88763252e3
SHA512deec34a7f85942962b525f05eea8d0a415fbf32c34ef7d0e3d9df6d7cefb84c840a8a81788dc9b14d2874ddcdfcbaf082df27af1774c9b2e05b45723bca94744
-
Filesize
169KB
MD5d9b49a8174479c7be116ca1e08b3d402
SHA1e712a7e92c0df6d01d7905eb0e34911fa56d356f
SHA25619f171def907d2bc2642200188140f3d40c3c5e8ac7cf13c790ebace4502de31
SHA512748ef338baf7a1532e530e6b2a75acc920e2834634f9593934a6bfec2b88c5c16dad1ea7c354f25b5fd72a51099564032853d8059c93637b5fb8e332790b9d18
-
Filesize
169KB
MD5d9b49a8174479c7be116ca1e08b3d402
SHA1e712a7e92c0df6d01d7905eb0e34911fa56d356f
SHA25619f171def907d2bc2642200188140f3d40c3c5e8ac7cf13c790ebace4502de31
SHA512748ef338baf7a1532e530e6b2a75acc920e2834634f9593934a6bfec2b88c5c16dad1ea7c354f25b5fd72a51099564032853d8059c93637b5fb8e332790b9d18
-
Filesize
569KB
MD5093305e3ada0b175a0b85f2fce250fb0
SHA12105712ea2694992c7c26d7e10ed96eb75c336d0
SHA25608fea1521e2503794f6592e929aa53cbfb33d387be43b76d73d0b48c8ff73342
SHA512309eb040b70862181d4b52baeb510078ba10181801f60c2806b2f024746b3461e94c99dd0f4b113ee415c33082b13c30bdeca2ee761bc1a59354271d2de6bd48
-
Filesize
569KB
MD5093305e3ada0b175a0b85f2fce250fb0
SHA12105712ea2694992c7c26d7e10ed96eb75c336d0
SHA25608fea1521e2503794f6592e929aa53cbfb33d387be43b76d73d0b48c8ff73342
SHA512309eb040b70862181d4b52baeb510078ba10181801f60c2806b2f024746b3461e94c99dd0f4b113ee415c33082b13c30bdeca2ee761bc1a59354271d2de6bd48
-
Filesize
11KB
MD5f061ffc02a0f4bbcb07725b34547d624
SHA148f160581b0279f1b30c09591c344556e5fa4116
SHA2569c8936c0b0965a7269ebb525dcdfb1b3d30c3d5ff3a6aea102f57f59ddcf9e43
SHA5124cdc7122165211cbab2fb7b021e2a002248d38c36777d54fa2b9fac81d5635f4330145dabb8ea9643ecd4a9b2286d817cb4f8a272b2bb3a0f8fa2a8a2be65fd2
-
Filesize
11KB
MD5f061ffc02a0f4bbcb07725b34547d624
SHA148f160581b0279f1b30c09591c344556e5fa4116
SHA2569c8936c0b0965a7269ebb525dcdfb1b3d30c3d5ff3a6aea102f57f59ddcf9e43
SHA5124cdc7122165211cbab2fb7b021e2a002248d38c36777d54fa2b9fac81d5635f4330145dabb8ea9643ecd4a9b2286d817cb4f8a272b2bb3a0f8fa2a8a2be65fd2
-
Filesize
587KB
MD5432735a0b2cd5b4ec85f9dbfe3257ce2
SHA15736f9bbf65447cd4973419b83d911eed4a702f9
SHA2561c1d42122bfbe770734a1385e2d9a33dcc72e675c3accf437e1f000ec65b961d
SHA5124775e7fb1abfabb36cd89f7bd3067fdd38c307c777beb625a0c77e1f3e1875b97db440a60f3cc86bf721a2bb55be9ab3ecc5e4832bef6a4e42aa8cf4e63262ae
-
Filesize
587KB
MD5432735a0b2cd5b4ec85f9dbfe3257ce2
SHA15736f9bbf65447cd4973419b83d911eed4a702f9
SHA2561c1d42122bfbe770734a1385e2d9a33dcc72e675c3accf437e1f000ec65b961d
SHA5124775e7fb1abfabb36cd89f7bd3067fdd38c307c777beb625a0c77e1f3e1875b97db440a60f3cc86bf721a2bb55be9ab3ecc5e4832bef6a4e42aa8cf4e63262ae
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
168KB
MD503728fed675bcde5256342183b1d6f27
SHA1d13eace7d3d92f93756504b274777cc269b222a2
SHA256f1181356c69b3dcebadc67d4c751d01164c929eab2b250b83cdedeedd4cd5ef0
SHA5126e2800d2d4e7dcbcbe1842d78029b75d2faa742c8fd7925ae2486396c3dd8c0b8f66e760f3916e42631cde41c0606c48528a4cb779f124b8d28c7af9197c18d1
-
Filesize
1.8MB
-
Filesize
248KB
-
Filesize
64KB
-
Filesize
184KB
-
Filesize
24KB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
300KB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
584KB
-
Filesize
192KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
236KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
408KB
-
Filesize
5.0MB
-
Filesize
64KB
-
Filesize
364KB
-
Filesize
416KB