Analysis

max time kernel: 145s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-08-2023 07:46

Static task: static1
Behavioral task: behavioral1
  Sample: c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe
  Resource: win10v2004-20230703-en
General

Target: c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe
Size: 1.4MB
MD5: 8433f0bcec3b480df469f96bd81ca7c9
SHA1: abecc396a640e84a471ab5b270f872c7092a66f6
SHA256: c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1
SHA512: f60fd8dfcf5fd37f6acbda564aa0a6b6b10ac9eb808598eba8fb2fda40f6c1f105b492cc71026a9681dd6dbde668a2ffae5945d6dc883a62d3edb7ea04fed8bf
SSDEEP: 24576:fyQ3rOsRh4zEXlxAdCj47wE+F69RT9IEN7jiwVJbNe4cpgURpvQiSy:qQqsRyzEXlNjRFkRT9JNX/VtN4gUXvQL
Malware Config

Extracted
  Family: amadey
  Version: 3.87
  C2: 77.91.68.18/nice/index.php

Extracted
  Family: redline
  Botnet: rwan
  C2: 77.91.124.73:19071
  Attributes:
    auth_value: 7c40eda5da4f888d6f61befbf947d9fe
Signatures

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (9 IoCs)
  PID   Process
  2468  y7641600.exe
  216   y0293243.exe
  4724  y1020223.exe
  1728  l3205864.exe
  400   m5015157.exe
  4040  saves.exe
  4800  n9516828.exe
  3836  saves.exe
  4704  saves.exe

Loads dropped DLL (1 IoC)
  PID   Process
  3728  rundll32.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str) by c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"
  Set value (str) by y7641600.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"
  Set value (str) by y0293243.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"
  Set value (str) by y1020223.exe:
    \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\"
  Note: these four RunOnce values are the standard cleanup entries written by the Windows WExtract (IExpress) self-extractor stub; each one deletes its IXP00x.TMP staging directory at the next logon through advpack.dll's DelNodeRunDLL32. They are evidence of four nested self-extracting stages, not of the implant's own persistence, which is the scheduled task below.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID   Process
  3328  schtasks.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  The sandbox records every call, so each parent/child pair below appears three times in the raw list (16 distinct pairs x 3 = 48). procid_target is the sandbox's own index for the target process, not a Windows PID.
  PID   Process                                                                 wrote to PID  procid_target
  1080  c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe  2468          81
  2468  y7641600.exe                                                            216           82
  216   y0293243.exe                                                            4724          83
  4724  y1020223.exe                                                            1728          84
  4724  y1020223.exe                                                            400           85
  400   m5015157.exe                                                            4040          86
  216   y0293243.exe                                                            4800          87
  4040  saves.exe                                                               3328          88
  4040  saves.exe                                                               3948          90
  3948  cmd.exe                                                                 1588          92
  3948  cmd.exe                                                                 2680          93
  3948  cmd.exe                                                                 4288          94
  3948  cmd.exe                                                                 4700          95
  3948  cmd.exe                                                                 5012          96
  3948  cmd.exe                                                                 1368          97
  4040  saves.exe                                                               3728          108
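The WriteProcessMemory signature is the only place the report ties parent PIDs to child PIDs, and in the raw dump it arrives as one run-together line with every pair repeated. The following is an added example, not part of the sandbox output, that parses rows in that layout, collapses the repeats, and rebuilds the parent/child tree. The input is a constructed subset (nine of the sixteen distinct pairs, each tripled as in the report); the PID-to-image map for children is taken from the other signature tables, since the WriteProcessMemory rows only name the parent.

```python
import re
from collections import defaultdict

# Constructed input: nine of the sixteen distinct parent/child pairs from the
# "Suspicious use of WriteProcessMemory" signature, in the report's own row layout.
# The sandbox logs every call, so each pair is repeated three times here as well.
SAMPLE_IMAGE = "c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe"
PAIRS = [
    f"PID 1080 wrote to memory of 2468 1080 {SAMPLE_IMAGE} 81",
    "PID 2468 wrote to memory of 216 2468 y7641600.exe 82",
    "PID 216 wrote to memory of 4724 216 y0293243.exe 83",
    "PID 4724 wrote to memory of 1728 4724 y1020223.exe 84",
    "PID 4724 wrote to memory of 400 4724 y1020223.exe 85",
    "PID 400 wrote to memory of 4040 400 m5015157.exe 86",
    "PID 216 wrote to memory of 4800 216 y0293243.exe 87",
    "PID 4040 wrote to memory of 3328 4040 saves.exe 88",
    "PID 4040 wrote to memory of 3728 4040 saves.exe 108",
]
RAW = " ".join(p for p in PAIRS for _ in range(3))

# Child image names come from the "Executes dropped EXE", "Loads dropped DLL" and
# "Creates scheduled task(s)" tables; the WriteProcessMemory rows do not carry them.
NAMES = {2468: "y7641600.exe", 216: "y0293243.exe", 4724: "y1020223.exe",
         1728: "l3205864.exe", 400: "m5015157.exe", 4040: "saves.exe",
         4800: "n9516828.exe", 3328: "schtasks.exe", 3728: "rundll32.exe"}

# Row layout: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>".
# The back-reference pins the repeated source PID so a run-together line cannot be mis-split.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_records(text):
    """Return (edges, raw_row_count). edges is a list of (parent_pid, parent_image,
    child_pid) in first-seen order with the per-call repeats collapsed; the raw count
    is kept so it can be checked against the signature's IoC count."""
    first_seen = {}
    total = 0
    for m in RECORD.finditer(text):
        total += 1
        first_seen.setdefault((int(m["src"]), int(m["dst"])), m["image"])
    edges = [(src, image, dst) for (src, dst), image in first_seen.items()]
    return edges, total


def build_tree(edges, names):
    """Return (roots, children, image): roots are parents never seen as a child,
    children maps parent PID -> ordered child PIDs, image maps PID -> image name."""
    children = defaultdict(list)
    image = dict(names)
    for parent, parent_image, child in edges:
        image.setdefault(parent, parent_image)
        children[parent].append(child)
    child_pids = {child for _, _, child in edges}
    roots = list(dict.fromkeys(p for p, _, _ in edges if p not in child_pids))
    return roots, children, image


def render(roots, children, image):
    """Indented lines, two spaces per level, in the same shape as the Processes section."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{image.get(pid, '<unknown>')} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, total = parse_records(RAW)
    print(f"{total} rows, {len(edges)} distinct parent/child pairs")
    print("\n".join(render(*build_tree(edges, NAMES))))
```

Run on the full 48-row list the same parser should report exactly 16 distinct pairs; a mismatch between the raw count and the signature's IoC count is the quickest way to spot a truncated copy of the report.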
Processes

Depth markers [n] follow the report's own numbering; the command line is shown only where it carries arguments or differs from the image path.

[1] C:\Users\Admin\AppData\Local\Temp\c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe  (PID 1080)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7641600.exe  (PID 2468)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0293243.exe  (PID 216)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1020223.exe  (PID 4724)
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l3205864.exe  (PID 1728)
          - Executes dropped EXE
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m5015157.exe  (PID 400)
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe  (PID 4040)
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe  (PID 3328)
              command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
              - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe  (PID 3948)
              command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
              - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 1588)    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 2680)  CACLS "saves.exe" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 4288)  CACLS "saves.exe" /P "Admin:R" /E
              [8] C:\Windows\SysWOW64\cmd.exe  (PID 4700)    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 5012)  CACLS "..\b40d11255d" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe  (PID 1368)  CACLS "..\b40d11255d" /P "Admin:R" /E
            [7] C:\Windows\SysWOW64\rundll32.exe  (PID 3728)
              command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              - Loads dropped DLL
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n9516828.exe  (PID 4800)
        - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe  (PID 3836)
  - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe  (PID 4704)
  - Executes dropped EXE

Reading the tree: the first four stages are nested self-extracting executables (each unpacks into a fresh IXP00x.TMP directory and writes the matching wextract_cleanup RunOnce value), and each stage launches the next. The last stage, m5015157.exe, starts saves.exe from a newly created directory b40d11255d; saves.exe then registers a scheduled task that relaunches it every minute and runs a cacls chain that first replaces the ACL on saves.exe and on its directory with Admin:N and then adds Admin:R back, so the logged-on user keeps read access but can no longer modify or delete the files. This is the persistence routine of the Amadey loader identified in Malware Config. The 32-bit helpers run from C:\Windows\SysWOW64 even though their command lines name System32 (WOW64 file-system redirection). The two saves.exe instances at depth 1 (PIDs 3836 and 4704) have no parent in the tree, which is consistent with launches by the Task Scheduler during the 145 s run. The DLL loaded by rundll32.exe from AppData\Roaming through its Main export is the only component observed outside the Temp tree.
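The command lines above carry the whole persistence routine, so they are a natural test set for detection logic. The following is an added example, not part of the sandbox report or of any detection product, that runs four rules over (pid, image, command line) events: a schtasks /Create whose interval is short and whose target lives under a user profile's AppData, a cacls/icacls call that resets a file's ACL to "<user>:N", a rundll32 load of a DLL under AppData\Roaming, and an image running from a WExtract IXP00x.TMP staging directory. The six report events are copied from the tree; PID 9999 is an invented benign daily task included as a control. The 300-second threshold and the rule names are assumptions of this example.

```python
import re

# Constructed process events (pid, image path, command line). The first six are
# copied from the process tree above; PID 9999 is an invented benign control that
# is NOT from the report, included to show the rules stay quiet on a daily task.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c6cdb98c0503db1bf1fd14bc4c389c605729e45bba4e294f8b1ede8b8059bfd1.exe"
EVENTS = [
    (1080, SAMPLE, f'"{SAMPLE}"'),
    (2468, r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7641600.exe",
           r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7641600.exe"),
    (3328, r"C:\Windows\SysWOW64\schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe '
           r'/TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F'),
    (2680, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "saves.exe" /P "Admin:N"'),
    (4288, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "saves.exe" /P "Admin:R" /E'),
    (3728, r"C:\Windows\SysWOW64\rundll32.exe",
           r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (9999, r"C:\Windows\System32\schtasks.exe",
           r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)       # per-user, no admin needed
WEXTRACT_STAGE = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.I)         # IExpress/WExtract unpack dir
SCHTASKS_ARG = re.compile(r'/(SC|MO|TN|TR)\s+("([^"]*)"|(\S+))', re.I)  # quoted or bare values
CACLS_NONE = re.compile(r'/P\s+"?[^"\s]+:N"?', re.I)                   # cacls /P <user>:N (no access)
RUNDLL_APPDATA = re.compile(r"(\\Users\\[^\\]+\\AppData\\Roaming\\[^\s,]+\.dll)\s*,\s*(\w+)", re.I)

INTERVAL_SECONDS = {"MINUTE": 60, "HOURLY": 3600, "DAILY": 86400}
SHORT_INTERVAL = 300  # assumed threshold: anything at or under five minutes is "short"


def parse_schtasks(cmdline):
    """Pull /SC, /MO, /TN and /TR out of a schtasks command line (keys upper-cased)."""
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m.group(1).upper()] = m.group(3) if m.group(3) is not None else m.group(4)
    return args


def task_interval(args):
    """Seconds between runs for the schedule types we know, else None."""
    unit = INTERVAL_SECONDS.get(args.get("SC", "").upper())
    if unit is None:
        return None
    try:
        return unit * int(args.get("MO", "1"))
    except ValueError:
        return None


def evaluate(events):
    """Return a list of (pid, rule_name, detail) for every rule that fires."""
    findings = []
    for pid, image, cmd in events:
        base = image.rsplit("\\", 1)[-1].lower()
        if base == "schtasks.exe" and "/create" in cmd.lower():
            args = parse_schtasks(cmd)
            interval = task_interval(args)
            target = args.get("TR", "")
            if interval is not None and interval <= SHORT_INTERVAL and USER_WRITABLE.search(target):
                findings.append((pid, "schtasks_short_interval_user_dir",
                                 f"task {args.get('TN')} every {interval}s -> {target}"))
        elif base in ("cacls.exe", "icacls.exe") and CACLS_NONE.search(cmd):
            findings.append((pid, "acl_lockdown_of_dropped_file", cmd))
        elif base == "rundll32.exe":
            m = RUNDLL_APPDATA.search(cmd)
            if m:
                findings.append((pid, "rundll32_appdata_dll", f"{m.group(1)} export {m.group(2)}"))
        if WEXTRACT_STAGE.search(image):
            findings.append((pid, "wextract_stage_dir", image))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in evaluate(EVENTS):
        print(f"PID {pid:<5} {rule:<34} {detail}")
```

Only the first cacls call in each pair (/P "Admin:N") is flagged; the follow-up "/P Admin:R /E" is what leaves the user read-only, so the lockdown is already decided by the time it runs. The WExtract rule is informational on its own (IExpress installers are legitimate) and earns its weight only when it co-occurs with the other three, as it does here.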
Network
MITRE ATT&CK Enterprise v15
Downloads

The report lists each dropped path separately, so the same file appears several times; the paths were not preserved in this copy, so the distinct files are shown once with the number of times each was listed (21 entries, 8 distinct files).

Filesize: 1.3MB  (listed 2 times)
  MD5: 676fb95e93e474567aa56408464495a9
  SHA1: 09efec70f467daf5bbb29d6ed3e3c048e5088f08
  SHA256: 61cc6351f513a6d66edadcc846d1de84d38e05b1d92858994acef7975b20902f
  SHA512: b55b094314e201fbdc1cde26b6e079d079dd6e2efcfb96176fcd83ec2fec4aa257e705fe06b87a7a98ec2b8444a3bbf6ed833ecf95db398c900f79712f9c3053

Filesize: 476KB  (listed 2 times)
  MD5: 354b473f8a1a6ba2f0abb448ce7793ad
  SHA1: c98c37f58dfde5961f4c0e28018720b69650aeb2
  SHA256: 2d48108eee6cb3abd0f4d770aed84f5813bb68b91efb7d11bac4ebdef3e565ea
  SHA512: 94244dd265768f8727dcfa1f8698e2560fcde811bbd5b0e5908e575d6463ac420fd7f9188a1991ffdb00dc77d57b6a2f392fa14bdd64b7aa2bb0181682072b05

Filesize: 174KB  (listed 2 times)
  MD5: 1872fac8124ba20db38b48dc54b730fb
  SHA1: 4c4af3426b087c7fd9b683672463395b36e79d04
  SHA256: 6eb67ac2beb582572d45027bc48f0bab28d3043bcf52ba1e0bbc547b51481aa2
  SHA512: 869f7dac0cda466285faeb9cab7ca8e86c3d65e1b78d27d3f757722d42a3ba26acb39cca36a72eda42e364109edf1f21fa305ffb24ba75e8dce043d6699dc0ea

Filesize: 320KB  (listed 2 times)
  MD5: 149813c39d4e2234949a9e61987660a8
  SHA1: dfa009ba385221c2335af53af413efe6b6b438b1
  SHA256: d018ed17c716b24562e64f598006fbaeddab9ff45eaf671783e449d6a6465dc9
  SHA512: 2079af89478282a587596c480412fd1add8a4417fd6d4cfd2152c25348116b2a17660447d63e81d182132c09dd935212c791fdcb9a94eaf56656d58320fba2c6

Filesize: 140KB  (listed 2 times)
  MD5: d4420e8767a0df67a50c513d8436a197
  SHA1: 656aeef4969ac2c90b489d503e5edb0d296210e0
  SHA256: ddcea0299ad859c342ee89869a35ad980ce709a983876f7aae977f9e60f002c9
  SHA512: 4dfeb362f03d8e1145b76ffb4662c3bf7b26085737dd32187b757225a37f7b106289dd154454783bd81f6bd79be640c3bec799663566b5b81a1a68b31c194bf6

Filesize: 317KB  (listed 7 times)
  MD5: 515dd90d5996d4508a031f6653a1e5d6
  SHA1: 9535e1de1ddc9db500c0a96fe6793140403fb28a
  SHA256: 9fbc19130a1a561ef45bc28ce84cd104431e405961122c9b20a8b5735ca7e5ce
  SHA512: db1e54cae8667d5cb013e1937047885524e13542eed6a723cb0551085691d785ac24e871f5813389748f7d46b9cdc401c7d168c5dabbbe164e730c05ea9a6def

Filesize: 89KB  (listed 3 times)
  MD5: 5bc0153d2973241b72a38c51a2f72116
  SHA1: cd9c689663557452631d9f8ff609208b01884a32
  SHA256: 68ec0ef5c26d0204c713ec50f6ad66f8029063c6a9dbd51836f4942bacace554
  SHA512: 2eef4cc2568b18559f2a2a87d1fcde1f3b77f7aba23dc4483be409cb2c4722ebf89bd1316f785cbb9a21e8d017446e0d876442aec77bf8f28b198aead2b9a55b

Filesize: 273B  (listed 1 time)
  MD5: 374bfdcfcf19f4edfe949022092848d2
  SHA1: df5ee40497e98efcfba30012452d433373d287d4
  SHA256: 224a123b69af5a3ab0553e334f6c70846c650597a63f6336c9420bbe8f00571f
  SHA512: bc66dd6e675942a8b8cd776b0813d4b182091e45bfa7734b3818f58c83d04f81f0599a27625ff345d393959b8dbe478d8f1ed33d49f9bcee052c986c8665b8d7