Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-07-2023 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ef7f8c93db993b8a143b735371140104d2b583d0c3bbf4f925dea92d7f0552d.exe

  • Size

    515KB

  • MD5

    8e0c60e922bee82f4ca30f89d603357a

  • SHA1

    ddbcfee2d3ef09c40678f4202dcbcb3c03fb38a1

  • SHA256

    1ef7f8c93db993b8a143b735371140104d2b583d0c3bbf4f925dea92d7f0552d

  • SHA512

    ea662aca7518ed3a508ee8a809dd838dde7acb9b048f367fdffa4b3fcbb58ce5e4966292f76d69d861d0268406bca10d176107a7107b3ca035628cd9d71249f6

  • SSDEEP

    12288:7MrLy90BzeCcyjBwmygBGZOYIzegnXo7jFC1LPy0aH:syu6aGZf4BXoXmLPa

Score
10/10
amadeyhealerredlinesmokeloaderzaharbackdoordropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

77.91.68.3/home/love/index.php

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

zahar

C2

77.91.68.56:19071

Attributes
  • auth_value

    94c55a31fcf1761f07eeb4a0c6fb74fa

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ef7f8c93db993b8a143b735371140104d2b583d0c3bbf4f925dea92d7f0552d.exe
    "C:\Users\Admin\AppData\Local\Temp\1ef7f8c93db993b8a143b735371140104d2b583d0c3bbf4f925dea92d7f0552d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5251714.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5251714.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6030617.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6030617.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1380401.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1380401.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4376
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0094672.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0094672.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1656
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2628
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4816
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2408
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:3644
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:N"
                  7⤵
                    PID:3728
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "danke.exe" /P "Admin:R" /E
                    7⤵
                      PID:1328
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:3188
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:N"
                        7⤵
                          PID:4388
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\3ec1f323b5" /P "Admin:R" /E
                          7⤵
                            PID:936
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
                          6⤵
                          • Loads dropped DLL
                          PID:2036
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6615528.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6615528.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:3816
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4392761.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4392761.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4356
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:5000
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:1360
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:964

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4392761.exe
                Filesize

                173KB

                MD5

                d5dae7b0eedf24fa8dc5e632a282b2a8

                SHA1

                ac2963efc81309834a430e1336ad376f586867fa

                SHA256

                404e68b5b46d609d75cece1929eb1cce055de54f5116b003dcb1a6220a708d08

                SHA512

                0bde17e0364078988e87592df10a756f03307b32a92c4a14954354c606cab632cecd64473d48848a9f154b2cc8c27781053099e10274995a941ccb24333ba53e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4392761.exe
                Filesize

                173KB

                MD5

                d5dae7b0eedf24fa8dc5e632a282b2a8

                SHA1

                ac2963efc81309834a430e1336ad376f586867fa

                SHA256

                404e68b5b46d609d75cece1929eb1cce055de54f5116b003dcb1a6220a708d08

                SHA512

                0bde17e0364078988e87592df10a756f03307b32a92c4a14954354c606cab632cecd64473d48848a9f154b2cc8c27781053099e10274995a941ccb24333ba53e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5251714.exe
                Filesize

                359KB

                MD5

                e61ffaed3e6911b506e1d739c2d9586c

                SHA1

                49bfcb4e70513a8b0714cdb379131bb1bb47e393

                SHA256

                51639f608cc0fb47862e9c3f81fa7bca0c3cacf675d73bbd4c6b55333803aba7

                SHA512

                df23ce63acf87b17ad6be34f6d4d52c9d75917901eea73294d23a2e56bddcc3e6215bff8b14c322b8cfc28b9f9f73be1a2c5af0fe61f4c2177767e43dc2546eb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5251714.exe
                Filesize

                359KB

                MD5

                e61ffaed3e6911b506e1d739c2d9586c

                SHA1

                49bfcb4e70513a8b0714cdb379131bb1bb47e393

                SHA256

                51639f608cc0fb47862e9c3f81fa7bca0c3cacf675d73bbd4c6b55333803aba7

                SHA512

                df23ce63acf87b17ad6be34f6d4d52c9d75917901eea73294d23a2e56bddcc3e6215bff8b14c322b8cfc28b9f9f73be1a2c5af0fe61f4c2177767e43dc2546eb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6615528.exe
                Filesize

                30KB

                MD5

                faaee7ec7c502eda0b476357efea6740

                SHA1

                eef79527f53f8ef6cafcceb469ee9de300989446

                SHA256

                6a58dda11b2d0fc40e4e962aeb3514c69a58b660d721c7cbce611a2c64de5542

                SHA512

                95f4968c4ee7056f4212fc085e49a06fd907a46dca442d4a7ef054a689606bf341ab9f228b01495bb672b0629d764538bd0c888783c9fa77e0380b1e0a56cb4b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6615528.exe
                Filesize

                30KB

                MD5

                faaee7ec7c502eda0b476357efea6740

                SHA1

                eef79527f53f8ef6cafcceb469ee9de300989446

                SHA256

                6a58dda11b2d0fc40e4e962aeb3514c69a58b660d721c7cbce611a2c64de5542

                SHA512

                95f4968c4ee7056f4212fc085e49a06fd907a46dca442d4a7ef054a689606bf341ab9f228b01495bb672b0629d764538bd0c888783c9fa77e0380b1e0a56cb4b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6030617.exe
                Filesize

                235KB

                MD5

                fbbf147bf6d72b350355f04d78ac2a7b

                SHA1

                0bc991f35042c76ae7584c59eb6630096c67608d

                SHA256

                2424d1aed317d9d7edda198b2e2689effbe3cdf715b7391b079e98080bf169b1

                SHA512

                2b782b520aa6e74532807fdf519c55eb80459d428534b0e9594bec89f0e90b62e8bb562052edeea6cb5d3a0264f3859b73ca6bbcb837f25fedeb99016a6e199c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6030617.exe
                Filesize

                235KB

                MD5

                fbbf147bf6d72b350355f04d78ac2a7b

                SHA1

                0bc991f35042c76ae7584c59eb6630096c67608d

                SHA256

                2424d1aed317d9d7edda198b2e2689effbe3cdf715b7391b079e98080bf169b1

                SHA512

                2b782b520aa6e74532807fdf519c55eb80459d428534b0e9594bec89f0e90b62e8bb562052edeea6cb5d3a0264f3859b73ca6bbcb837f25fedeb99016a6e199c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1380401.exe
                Filesize

                11KB

                MD5

                147be3e9f28ff2b981c0d39c95eb977a

                SHA1

                b366eaad27f284b441b4c3ae3becf4ebda101f1c

                SHA256

                e305c1b1ec49c7f8715709df7e109643050eb2f4bd5e9fa6876ac93916158d4b

                SHA512

                538b8a5129ad23a342294bf071db3e29e46e6a81449318bcd07ef06d915d5d5d22bea61ed93414cd058457de0ee75bcab8953f44acf594e2f1b899b2cc810be9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1380401.exe
                Filesize

                11KB

                MD5

                147be3e9f28ff2b981c0d39c95eb977a

                SHA1

                b366eaad27f284b441b4c3ae3becf4ebda101f1c

                SHA256

                e305c1b1ec49c7f8715709df7e109643050eb2f4bd5e9fa6876ac93916158d4b

                SHA512

                538b8a5129ad23a342294bf071db3e29e46e6a81449318bcd07ef06d915d5d5d22bea61ed93414cd058457de0ee75bcab8953f44acf594e2f1b899b2cc810be9

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0094672.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0094672.exe
                Filesize

                224KB

                MD5

                9c17a2f66c50ac62ce2fa1784552ea62

                SHA1

                a873d2ff5b7d894d18dc6b3927f676734ad0565c

                SHA256

                92273de190247f393dd77074529d9208a1d5eb1305038713744d0830cd91fb7c

                SHA512

                703e3f025eae0586da1bc3893c9f67d237f2c44e5faf08b2c3300c552aa329b44a10079c742937e33d0d3cfccb892d859c8e91c1810a6dab18f27fe81da465f4

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                dc587d08b8ca3cd62e5dc057d41a966b

                SHA1

                0ba6a88377c74a0c53b956d405ad17dd5f8c4164

                SHA256

                7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

                SHA512

                7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                dc587d08b8ca3cd62e5dc057d41a966b

                SHA1

                0ba6a88377c74a0c53b956d405ad17dd5f8c4164

                SHA256

                7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

                SHA512

                7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
                Filesize

                89KB

                MD5

                dc587d08b8ca3cd62e5dc057d41a966b

                SHA1

                0ba6a88377c74a0c53b956d405ad17dd5f8c4164

                SHA256

                7d8f216ba04419aae32d5902449a0c5271ed577c722e582fb42e7d43b3b08426

                SHA512

                7300ecc40bfa1129d907a9b074e8406fa01b5ff893c7c281e4441f8cc6a546bcb5e099d6635b2f9714ec1f0453dc41de19f2fca3475f36f62babc425892699a9

                Download Submit

              • C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
                Filesize

                272B

                MD5

                d867eabb1be5b45bc77bb06814e23640

                SHA1

                3139a51ce7e8462c31070363b9532c13cc52c82d

                SHA256

                38c69e3f9f3927f8178d55cde9774a2b170c057b349b73932b87b76499d03349

                SHA512

                afc40d5fa7bcd41b8445f597990d150d57e3621ddef9400af742471aa0d14c2e66cfecc34482dadbaeb6f20912fda8ab786e584bf7fd1ad5fa23d3b95425fd59

                Download Submit

              • memory/3216-175-0x0000000002450000-0x0000000002466000-memory.dmp

                Filesize

                88KB

                Download

              • memory/3816-176-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3816-173-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/4356-186-0x000000000A300000-0x000000000A312000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4356-187-0x0000000002710000-0x0000000002720000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4356-184-0x000000000A8A0000-0x000000000AEB8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4356-188-0x000000000A360000-0x000000000A39C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4356-189-0x0000000072980000-0x0000000073130000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4356-190-0x0000000002710000-0x0000000002720000-memory.dmp

                Filesize

                64KB

                Download

              • memory/4356-182-0x0000000000550000-0x0000000000580000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4356-183-0x0000000072980000-0x0000000073130000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4356-185-0x000000000A3D0000-0x000000000A4DA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4376-157-0x00007FFE9EEE0000-0x00007FFE9F9A1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4376-155-0x00007FFE9EEE0000-0x00007FFE9F9A1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/4376-154-0x0000000000290000-0x000000000029A000-memory.dmp

                Filesize

                40KB

                Download