Analysis
max time kernel: 138s
max time network: 152s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 27-08-2023 15:01
Static task: static1
Behavioral task: behavioral1
Sample: 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe
Resource: win10-20230703-en
General
Target: 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe
Size: 1.4MB
MD5: f1cdae7e013c279545b82e7b0ed6e54a
SHA1: 0a4568292d964c1e54431ec40f85b0b6ba75418c
SHA256: 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992
SHA512: dd4d838310a74a261ad19c55f45f137278478de99a8fe6bdcc1d84af0270a7aa34ef13b4c2378c65ff31342da330730c41524254a5898207ab2a46d58878667e
SSDEEP: 24576:nytYBGfIc4Phq6bKmDrvfWgqeiYDVXk8QFzjUaFz81UZzRxAM1:ytWbBpPKmDrW7mDQJUszcM
Malware Config
Extracted
Family: amadey
Version: 3.87
C2: 77.91.68.18/nice/index.php
Extracted
Family: redline
Botnet: nrava
C2: 77.91.124.82:19071
auth_value: 43fe50e9ee6afb85588e03ac9676e2f7
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x000600000001afeb-38.dat | family_redline
behavioral1/files/0x000600000001afeb-39.dat | family_redline
behavioral1/memory/3912-40-0x00000000007F0000-0x0000000000820000-memory.dmp | family_redline

Executes dropped EXE (9 IoCs)
pid | Process
3248 | y7323153.exe
816 | y0022134.exe
3448 | y4612367.exe
828 | l7440411.exe
512 | saves.exe
4600 | m0650947.exe
3912 | n4363193.exe
1816 | saves.exe
2144 | saves.exe

Loads dropped DLL (1 IoC)
pid | Process
1016 | rundll32.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | y7323153.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | y0022134.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | y4612367.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3756 | schtasks.exe

Suspicious use of WriteProcessMemory (48 IoCs)
description | pid | Process | procid_target
PID 4636 wrote to memory of 3248 | 4636 | 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe | 70
PID 4636 wrote to memory of 3248 | 4636 | 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe | 70
PID 4636 wrote to memory of 3248 | 4636 | 5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe | 70
PID 3248 wrote to memory of 816 | 3248 | y7323153.exe | 71
PID 3248 wrote to memory of 816 | 3248 | y7323153.exe | 71
PID 3248 wrote to memory of 816 | 3248 | y7323153.exe | 71
PID 816 wrote to memory of 3448 | 816 | y0022134.exe | 72
PID 816 wrote to memory of 3448 | 816 | y0022134.exe | 72
PID 816 wrote to memory of 3448 | 816 | y0022134.exe | 72
PID 3448 wrote to memory of 828 | 3448 | y4612367.exe | 73
PID 3448 wrote to memory of 828 | 3448 | y4612367.exe | 73
PID 3448 wrote to memory of 828 | 3448 | y4612367.exe | 73
PID 828 wrote to memory of 512 | 828 | l7440411.exe | 74
PID 828 wrote to memory of 512 | 828 | l7440411.exe | 74
PID 828 wrote to memory of 512 | 828 | l7440411.exe | 74
PID 3448 wrote to memory of 4600 | 3448 | y4612367.exe | 75
PID 3448 wrote to memory of 4600 | 3448 | y4612367.exe | 75
PID 3448 wrote to memory of 4600 | 3448 | y4612367.exe | 75
PID 512 wrote to memory of 3756 | 512 | saves.exe | 76
PID 512 wrote to memory of 3756 | 512 | saves.exe | 76
PID 512 wrote to memory of 3756 | 512 | saves.exe | 76
PID 512 wrote to memory of 4836 | 512 | saves.exe | 78
PID 512 wrote to memory of 4836 | 512 | saves.exe | 78
PID 512 wrote to memory of 4836 | 512 | saves.exe | 78
PID 4836 wrote to memory of 1056 | 4836 | cmd.exe | 80
PID 4836 wrote to memory of 1056 | 4836 | cmd.exe | 80
PID 4836 wrote to memory of 1056 | 4836 | cmd.exe | 80
PID 4836 wrote to memory of 920 | 4836 | cmd.exe | 81
PID 4836 wrote to memory of 920 | 4836 | cmd.exe | 81
PID 4836 wrote to memory of 920 | 4836 | cmd.exe | 81
PID 4836 wrote to memory of 772 | 4836 | cmd.exe | 82
PID 4836 wrote to memory of 772 | 4836 | cmd.exe | 82
PID 4836 wrote to memory of 772 | 4836 | cmd.exe | 82
PID 4836 wrote to memory of 3892 | 4836 | cmd.exe | 83
PID 4836 wrote to memory of 3892 | 4836 | cmd.exe | 83
PID 4836 wrote to memory of 3892 | 4836 | cmd.exe | 83
PID 4836 wrote to memory of 3976 | 4836 | cmd.exe | 84
PID 4836 wrote to memory of 3976 | 4836 | cmd.exe | 84
PID 4836 wrote to memory of 3976 | 4836 | cmd.exe | 84
PID 4836 wrote to memory of 4944 | 4836 | cmd.exe | 85
PID 4836 wrote to memory of 4944 | 4836 | cmd.exe | 85
PID 4836 wrote to memory of 4944 | 4836 | cmd.exe | 85
PID 816 wrote to memory of 3912 | 816 | y0022134.exe | 86
PID 816 wrote to memory of 3912 | 816 | y0022134.exe | 86
PID 816 wrote to memory of 3912 | 816 | y0022134.exe | 86
PID 512 wrote to memory of 1016 | 512 | saves.exe | 88
PID 512 wrote to memory of 1016 | 512 | saves.exe | 88
PID 512 wrote to memory of 1016 | 512 | saves.exe | 88
Processes
[1] C:\Users\Admin\AppData\Local\Temp\5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe (PID 4636)
    Command line: "C:\Users\Admin\AppData\Local\Temp\5f8b20cba22708e7aedee444397d70f77cfe92181bf3f3f55dd5f126bbfe9992.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323153.exe (PID 3248)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7323153.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0022134.exe (PID 816)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0022134.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4612367.exe (PID 3448)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4612367.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7440411.exe (PID 828)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7440411.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 512)
              Command line: "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\SysWOW64\schtasks.exe (PID 3756)
                Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                - Creates scheduled task(s)
            [7] C:\Windows\SysWOW64\cmd.exe (PID 4836)
                Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\SysWOW64\cmd.exe (PID 1056)
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe (PID 920)
                  Command line: CACLS "saves.exe" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe (PID 772)
                  Command line: CACLS "saves.exe" /P "Admin:R" /E
              [8] C:\Windows\SysWOW64\cmd.exe (PID 3892)
                  Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              [8] C:\Windows\SysWOW64\cacls.exe (PID 3976)
                  Command line: CACLS "..\b40d11255d" /P "Admin:N"
              [8] C:\Windows\SysWOW64\cacls.exe (PID 4944)
                  Command line: CACLS "..\b40d11255d" /P "Admin:R" /E
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 1016)
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                - Loads dropped DLL
          [5] C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m0650947.exe (PID 4600)
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m0650947.exe
              - Executes dropped EXE
        [4] C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4363193.exe (PID 3912)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n4363193.exe
            - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 1816)
    Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe (PID 2144)
    Command line: C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads