Analysis
- max time kernel: 138s
- max time network: 155s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26-08-2023 18:41
- Static task: static1
- Behavioral task: behavioral1
- Sample: 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe
- Resource: win10-20230703-en
General
- Target: 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe
- Size: 1.4MB
- MD5: ba2f2943c5b45baa21b199164716ad84
- SHA1: 0178d6e507b4f94551535f75f8498f103d9e3cfb
- SHA256: 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be
- SHA512: 7598b85ddecc58a34f497840579c036b05f8cf637fb3b2696934f1f4e3470e2196f2000b1a7838e0769b73ebdfcf56e8806b58524109acd3bf316ab0d86891aa
- SSDEEP: 24576:CyHs798T6UIPeknKfI02da2TpAYH8hAz0WvmONFUNWx6L4fVE5bz:pM798TpIPBKfI0KXpAYctWvO2I4fVC
Malware Config
Extracted
- Family: amadey
- Version: 3.87
- C2: 77.91.68.18/nice/index.php
Extracted
- Family: redline
- Botnet: jaja
- C2: 77.91.124.73:19071
- auth_value: 3670179d176ca399ed08e7914610b43c
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Executes dropped EXE (8 IoCs)
  pid  | Process
  1948 | y6835372.exe
  3528 | y6895113.exe
  1920 | y2805185.exe
  1848 | l1763943.exe
  2904 | saves.exe
  904  | m6857157.exe
  4920 | n6896326.exe
  3472 | saves.exe
- Loads dropped DLL (1 IoCs)
  pid  | Process
  4056 | rundll32.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y6835372.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y6895113.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | y2805185.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  | Process
  3520 | schtasks.exe
- Suspicious use of WriteProcessMemory (48 IoCs)
  description | pid | Process | procid_target
  PID 244 wrote to memory of 1948 | 244 | 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe | 69
  PID 244 wrote to memory of 1948 | 244 | 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe | 69
  PID 244 wrote to memory of 1948 | 244 | 9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe | 69
  PID 1948 wrote to memory of 3528 | 1948 | y6835372.exe | 70
  PID 1948 wrote to memory of 3528 | 1948 | y6835372.exe | 70
  PID 1948 wrote to memory of 3528 | 1948 | y6835372.exe | 70
  PID 3528 wrote to memory of 1920 | 3528 | y6895113.exe | 71
  PID 3528 wrote to memory of 1920 | 3528 | y6895113.exe | 71
  PID 3528 wrote to memory of 1920 | 3528 | y6895113.exe | 71
  PID 1920 wrote to memory of 1848 | 1920 | y2805185.exe | 72
  PID 1920 wrote to memory of 1848 | 1920 | y2805185.exe | 72
  PID 1920 wrote to memory of 1848 | 1920 | y2805185.exe | 72
  PID 1848 wrote to memory of 2904 | 1848 | l1763943.exe | 73
  PID 1848 wrote to memory of 2904 | 1848 | l1763943.exe | 73
  PID 1848 wrote to memory of 2904 | 1848 | l1763943.exe | 73
  PID 1920 wrote to memory of 904 | 1920 | y2805185.exe | 74
  PID 1920 wrote to memory of 904 | 1920 | y2805185.exe | 74
  PID 1920 wrote to memory of 904 | 1920 | y2805185.exe | 74
  PID 2904 wrote to memory of 3520 | 2904 | saves.exe | 75
  PID 2904 wrote to memory of 3520 | 2904 | saves.exe | 75
  PID 2904 wrote to memory of 3520 | 2904 | saves.exe | 75
  PID 2904 wrote to memory of 1372 | 2904 | saves.exe | 77
  PID 2904 wrote to memory of 1372 | 2904 | saves.exe | 77
  PID 2904 wrote to memory of 1372 | 2904 | saves.exe | 77
  PID 1372 wrote to memory of 3248 | 1372 | cmd.exe | 79
  PID 1372 wrote to memory of 3248 | 1372 | cmd.exe | 79
  PID 1372 wrote to memory of 3248 | 1372 | cmd.exe | 79
  PID 1372 wrote to memory of 4216 | 1372 | cmd.exe | 80
  PID 1372 wrote to memory of 4216 | 1372 | cmd.exe | 80
  PID 1372 wrote to memory of 4216 | 1372 | cmd.exe | 80
  PID 1372 wrote to memory of 3028 | 1372 | cmd.exe | 81
  PID 1372 wrote to memory of 3028 | 1372 | cmd.exe | 81
  PID 1372 wrote to memory of 3028 | 1372 | cmd.exe | 81
  PID 1372 wrote to memory of 4976 | 1372 | cmd.exe | 82
  PID 1372 wrote to memory of 4976 | 1372 | cmd.exe | 82
  PID 1372 wrote to memory of 4976 | 1372 | cmd.exe | 82
  PID 1372 wrote to memory of 4996 | 1372 | cmd.exe | 83
  PID 1372 wrote to memory of 4996 | 1372 | cmd.exe | 83
  PID 1372 wrote to memory of 4996 | 1372 | cmd.exe | 83
  PID 1372 wrote to memory of 3040 | 1372 | cmd.exe | 84
  PID 1372 wrote to memory of 3040 | 1372 | cmd.exe | 84
  PID 1372 wrote to memory of 3040 | 1372 | cmd.exe | 84
  PID 3528 wrote to memory of 4920 | 3528 | y6895113.exe | 85
  PID 3528 wrote to memory of 4920 | 3528 | y6895113.exe | 85
  PID 3528 wrote to memory of 4920 | 3528 | y6895113.exe | 85
  PID 2904 wrote to memory of 4056 | 2904 | saves.exe | 86
  PID 2904 wrote to memory of 4056 | 2904 | saves.exe | 86
  PID 2904 wrote to memory of 4056 | 2904 | saves.exe | 86
Processes
- C:\Users\Admin\AppData\Local\Temp\9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d4ca063f089d3fa67fed5e1d5b7c88ef1ab15cb756752ec92e19cf9488736be.exe"
  PID: 244
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6835372.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6835372.exe
    PID: 1948
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6895113.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6895113.exe
      PID: 3528
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2805185.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2805185.exe
        PID: 1920
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1763943.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1763943.exe
          PID: 1848
          Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
            PID: 2904
            Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
              PID: 3520
              Signatures: Creates scheduled task(s)
            - C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
              PID: 1372
              Signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 3248
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "saves.exe" /P "Admin:N"
                PID: 4216
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "saves.exe" /P "Admin:R" /E
                PID: 3028
              - C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 4976
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\b40d11255d" /P "Admin:N"
                PID: 4996
              - C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\b40d11255d" /P "Admin:R" /E
                PID: 3040
            - C:\Windows\SysWOW64\rundll32.exe
              Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              PID: 4056
              Signatures: Loads dropped DLL
          - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m6857157.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m6857157.exe
            PID: 904
            Signatures: Executes dropped EXE
        - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6896326.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n6896326.exe
          PID: 4920
          Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  PID: 3472
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads