Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-1703_x64
- resource: win10-20230831-en
- resource tags: arch:x64, arch:x86, image:win10-20230831-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 04/09/2023, 08:59

Static task: static1
Behavioral task: behavioral1
Sample: 694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8.exe
Resource: win10-20230831-en
General
- Target: 694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8.exe
- Size: 1.5MB
- MD5: 6e221abd0aa1564ad518c98d868cf055
- SHA1: a72dd56a5d80b3e0c52635623bcf3a5ba1d0c152
- SHA256: 694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8
- SHA512: 5fa51aca117f2b5775aed4b9910ac575863f8dc2bc87c7136272040a20fc711cc846614b008e58dcada09c795aff50de22351f8a27904accaf878c6d4d122c2c
- SSDEEP: 49152:r55LTr6jgK64KLbz6jX3qEahwbayTXAHC/0vi56UZ50:zn2jm4KLbzO3q1GayTXAHC/x6UZ5
Malware Config

Extracted: amadey
- Version: 3.87
- C2: 77.91.68.18/nice/index.php
- install_dir: b40d11255d
- install_file: saves.exe
- strings_key: fa622dfc42544927a6471829ee1fa9fe

Extracted: redline
- Botnet: gena
- C2: 77.91.124.82:19071
- auth_value: 93c20961cb6b06b2d5781c212db6201e
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Executes dropped EXE (9 IoCs)
- PID 4072: y1520049.exe
- PID 2668: y6296617.exe
- PID 3304: y2959951.exe
- PID 3572: l7067535.exe
- PID 2872: saves.exe
- PID 2596: m3575605.exe
- PID 4788: n5106093.exe
- PID 4244: saves.exe
- PID 1880: saves.exe

Loads dropped DLL (1 IoC)
- PID 808: rundll32.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Set value (str) under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce:
- wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" (process: y1520049.exe)
- wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" (process: y6296617.exe)
- wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" (process: y2959951.exe)
- wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 4752: schtasks.exe

Suspicious use of WriteProcessMemory (48 IoCs)
Source PID (process) wrote to memory of target PID; the number in brackets is the procid_target. Each pairing is recorded three times in the raw listing, giving the 48 IoCs.
- 520 (694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8.exe) wrote to memory of 4072 [70]
- 4072 (y1520049.exe) wrote to memory of 2668 [71]
- 2668 (y6296617.exe) wrote to memory of 3304 [72]
- 3304 (y2959951.exe) wrote to memory of 3572 [73]
- 3572 (l7067535.exe) wrote to memory of 2872 [74]
- 3304 (y2959951.exe) wrote to memory of 2596 [75]
- 2872 (saves.exe) wrote to memory of 4752 [76]
- 2872 (saves.exe) wrote to memory of 1512 [78]
- 1512 (cmd.exe) wrote to memory of 1932 [80]
- 1512 (cmd.exe) wrote to memory of 2208 [81]
- 1512 (cmd.exe) wrote to memory of 964 [82]
- 1512 (cmd.exe) wrote to memory of 4472 [84]
- 1512 (cmd.exe) wrote to memory of 4656 [83]
- 1512 (cmd.exe) wrote to memory of 5032 [85]
- 2668 (y6296617.exe) wrote to memory of 4788 [86]
- 2872 (saves.exe) wrote to memory of 808 [88]
Processes
Process tree (image path, then command line, then matched signatures and PID; indentation shows parent/child depth):

C:\Users\Admin\AppData\Local\Temp\694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8.exe
  "C:\Users\Admin\AppData\Local\Temp\694300ce6a4adcfd626c8cc09049e9aaea26d544489afefea030ee039c276ae8.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 520

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1520049.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1520049.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID: 4072

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6296617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6296617.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2668

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2959951.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2959951.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 3304

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7067535.exe
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l7067535.exe
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 3572

          C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
            "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            PID: 2872

            C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
              - Creates scheduled task(s)
              PID: 4752

            C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
              - Suspicious use of WriteProcessMemory
              PID: 1512

              C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 1932

              C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:N"
                PID: 2208

              C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:R" /E
                PID: 964

              C:\Windows\SysWOW64\cacls.exe
                CACLS "..\b40d11255d" /P "Admin:N"
                PID: 4656

              C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 4472

              C:\Windows\SysWOW64\cacls.exe
                CACLS "..\b40d11255d" /P "Admin:R" /E
                PID: 5032

            C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              - Loads dropped DLL
              PID: 808

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3575605.exe
          C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\m3575605.exe
          - Executes dropped EXE
          PID: 2596

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5106093.exe
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5106093.exe
        - Executes dropped EXE
        PID: 4788

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  - Executes dropped EXE
  PID: 4244

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  - Executes dropped EXE
  PID: 1880
Network
MITRE ATT&CK Enterprise v15
Downloads