Analysis
- Max time kernel: 136s
- Max time network: 150s
- Platform: windows10-1703_x64
- Resource: win10-20230703-en
- Resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- Submitted: 21/08/2023, 12:33
- Static task: static1
- Behavioral task: behavioral1
  Sample: 493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe
  Resource: win10-20230703-en
General
- Target: 493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe
- Size: 591KB
- MD5: 97a9fb073fa5ee804e1523d04cd3605e
- SHA1: c26a6ea11519edfe0ac1af47588972d14b9a31b9
- SHA256: 493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4
- SHA512: c0638b6e81050881671e597de3989f1b6e08e9f91540d5bf0066ed5be553ab81ccadbaf76ce2f04c7b1055068af44934817b38f0100c226504ce70f3dfc8fe76
- SSDEEP: 12288:qMrey90XMeKvXWXHybcMnykresuyypiMN9YAdJnH:wy0MxXWXHSyk6srMJnH
Malware Config
- Extracted: amadey
  S-%lu-
  77.91.68.18/nice/index.php
  3.87/nice/index.php
- Extracted: redline
  lang
  77.91.124.73:19071
  auth_value: 92c0fc2b7a8b3fc5a01baa1abf31c42a
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (8 IoCs)
  PID   Process
  3972  y8767817.exe
  2920  y3457607.exe
  2704  m3486203.exe
  2692  n6875864.exe
  1520  saves.exe
  2940  o2009238.exe
  3328  saves.exe
  4456  saves.exe
- Loads dropped DLL (1 IoCs)
  PID   Process
  4976  rundll32.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Description: Set value (str), Process: 493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Description: Set value (str), Process: y8767817.exe
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Description: Set value (str), Process: y3457607.exe
  IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  2972  schtasks.exe
- Suspicious use of WriteProcessMemory (45 IoCs)
  Description                        PID   Process                                                                 procid_target
  PID 4996 wrote to memory of 3972   4996  493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe  69
  PID 4996 wrote to memory of 3972   4996  493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe  69
  PID 4996 wrote to memory of 3972   4996  493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe  69
  PID 3972 wrote to memory of 2920   3972  y8767817.exe                                                            70
  PID 3972 wrote to memory of 2920   3972  y8767817.exe                                                            70
  PID 3972 wrote to memory of 2920   3972  y8767817.exe                                                            70
  PID 2920 wrote to memory of 2704   2920  y3457607.exe                                                            71
  PID 2920 wrote to memory of 2704   2920  y3457607.exe                                                            71
  PID 2920 wrote to memory of 2704   2920  y3457607.exe                                                            71
  PID 2920 wrote to memory of 2692   2920  y3457607.exe                                                            72
  PID 2920 wrote to memory of 2692   2920  y3457607.exe                                                            72
  PID 2920 wrote to memory of 2692   2920  y3457607.exe                                                            72
  PID 2692 wrote to memory of 1520   2692  n6875864.exe                                                            73
  PID 2692 wrote to memory of 1520   2692  n6875864.exe                                                            73
  PID 2692 wrote to memory of 1520   2692  n6875864.exe                                                            73
  PID 3972 wrote to memory of 2940   3972  y8767817.exe                                                            74
  PID 3972 wrote to memory of 2940   3972  y8767817.exe                                                            74
  PID 3972 wrote to memory of 2940   3972  y8767817.exe                                                            74
  PID 1520 wrote to memory of 2972   1520  saves.exe                                                               75
  PID 1520 wrote to memory of 2972   1520  saves.exe                                                               75
  PID 1520 wrote to memory of 2972   1520  saves.exe                                                               75
  PID 1520 wrote to memory of 4888   1520  saves.exe                                                               76
  PID 1520 wrote to memory of 4888   1520  saves.exe                                                               76
  PID 1520 wrote to memory of 4888   1520  saves.exe                                                               76
  PID 4888 wrote to memory of 4460   4888  cmd.exe                                                                 79
  PID 4888 wrote to memory of 4460   4888  cmd.exe                                                                 79
  PID 4888 wrote to memory of 4460   4888  cmd.exe                                                                 79
  PID 4888 wrote to memory of 4188   4888  cmd.exe                                                                 80
  PID 4888 wrote to memory of 4188   4888  cmd.exe                                                                 80
  PID 4888 wrote to memory of 4188   4888  cmd.exe                                                                 80
  PID 4888 wrote to memory of 4208   4888  cmd.exe                                                                 81
  PID 4888 wrote to memory of 4208   4888  cmd.exe                                                                 81
  PID 4888 wrote to memory of 4208   4888  cmd.exe                                                                 81
  PID 4888 wrote to memory of 4216   4888  cmd.exe                                                                 82
  PID 4888 wrote to memory of 4216   4888  cmd.exe                                                                 82
  PID 4888 wrote to memory of 4216   4888  cmd.exe                                                                 82
  PID 4888 wrote to memory of 2680   4888  cmd.exe                                                                 83
  PID 4888 wrote to memory of 2680   4888  cmd.exe                                                                 83
  PID 4888 wrote to memory of 2680   4888  cmd.exe                                                                 83
  PID 4888 wrote to memory of 4264   4888  cmd.exe                                                                 84
  PID 4888 wrote to memory of 4264   4888  cmd.exe                                                                 84
  PID 4888 wrote to memory of 4264   4888  cmd.exe                                                                 84
  PID 1520 wrote to memory of 4976   1520  saves.exe                                                               86
  PID 1520 wrote to memory of 4976   1520  saves.exe                                                               86
  PID 1520 wrote to memory of 4976   1520  saves.exe                                                               86
Processes
- C:\Users\Admin\AppData\Local\Temp\493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe (PID 4996, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\493823dfb095889113527c9e670849b13d215f20752093d177966fcf8103edf4.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8767817.exe (PID 3972, level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8767817.exe
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3457607.exe (PID 2920, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3457607.exe
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3486203.exe (PID 2704, level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m3486203.exe
        Signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6875864.exe (PID 2692, level 4)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6875864.exe
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 1520, level 5)
          Command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\schtasks.exe (PID 2972, level 6)
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
            Signatures: Creates scheduled task(s)
          - C:\Windows\SysWOW64\cmd.exe (PID 4888, level 6)
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
            Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\cmd.exe (PID 4460, level 7)
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            - C:\Windows\SysWOW64\cacls.exe (PID 4188, level 7)
              Command line: CACLS "saves.exe" /P "Admin:N"
            - C:\Windows\SysWOW64\cacls.exe (PID 4208, level 7)
              Command line: CACLS "saves.exe" /P "Admin:R" /E
            - C:\Windows\SysWOW64\cmd.exe (PID 4216, level 7)
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            - C:\Windows\SysWOW64\cacls.exe (PID 2680, level 7)
              Command line: CACLS "..\b40d11255d" /P "Admin:N"
            - C:\Windows\SysWOW64\cacls.exe (PID 4264, level 7)
              Command line: CACLS "..\b40d11255d" /P "Admin:R" /E
          - C:\Windows\SysWOW64\rundll32.exe (PID 4976, level 6)
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            Signatures: Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2009238.exe (PID 2940, level 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o2009238.exe
      Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 3328, level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 4456, level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads