Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-01-2024 11:54

General

  • Target

    9ebbac2bbaa6ff937d94383e93ae1953ebcc3ed17f942b9a914556d1402e9220.exe

  • Size

    642KB

  • MD5

    eed421d8e4550632375fa205977352f4

  • SHA1

    d0427215a9c1f17169d3044134a8b4891432f602

  • SHA256

    9ebbac2bbaa6ff937d94383e93ae1953ebcc3ed17f942b9a914556d1402e9220

  • SHA512

    9e883d51e8877fa621abacf653c037956e651c5628e2aac1638c6d9af83bae51d907181c0541f30f5c464e39422df9add6bb52484b7d87ade6038a6e2190df55

  • SSDEEP

    12288:cMrcy90fzVl1UQoQDsSQ5YVpuutHrcKv9j3K0c+JSNH/w9FF1y5uXJ:QyOZUQ4SQWVpHLbZupI9Zn

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

maxik

C2

77.91.124.156:19071

Attributes
  • auth_value

    a7714e1bc167c67e3fc8f9e368352269

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ebbac2bbaa6ff937d94383e93ae1953ebcc3ed17f942b9a914556d1402e9220.exe
    "C:\Users\Admin\AppData\Local\Temp\9ebbac2bbaa6ff937d94383e93ae1953ebcc3ed17f942b9a914556d1402e9220.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3169190.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3169190.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357820.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357820.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3509104.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3509104.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8793616.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8793616.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:388
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8506718.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8506718.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:940
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:812
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2672
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  8⤵
                  PID:3268
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  PID:3404
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:N"
                  8⤵
                  PID:1396
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  PID:3616
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  8⤵
                  PID:2448
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:R" /E
                  8⤵
                  PID:3244
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:1620
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1335382.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1335382.exe
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:368
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7739759.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7739759.exe
        3⤵
        • Executes dropped EXE
        PID:4752
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:3884
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:1592

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3169190.exe

    Filesize

    515KB

    MD5

    4766f6c16a2be63b1dd1edbce39b12de

    SHA1

    a0d66b657ca6f8cbd66cbc0cf35ad9e8ffd29115

    SHA256

    8d4618325aebe1e1d54ea077a65ce283635620f3e86c87808f9556bc69cc4218

    SHA512

    9dda378e3fc368510c54c9b39884c9506ce4397b95bb61e86b326ee7dae2d21fb00de2430df81d72cfdd98940ddfc38767eb2084462385a07752f6fa37158533

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d7739759.exe

    Filesize

    174KB

    MD5

    76ded6367b2fab4e55883e9b20f8043c

    SHA1

    0c4a953f9c465a421ad4bd5a8bd6913f4f1ba265

    SHA256

    25fdb66625e3dacbb006f26062d41c2b3adac823d86b063adf1c460a9c959dfc

    SHA512

    34aeb665a4a1d8b39252ff77c982228e0633c7f9c4d531380552b677f034bacc38819cf920bd561974d941876a972109f4ab1a7039e8ac2b68962a85a3438aa8

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9357820.exe

    Filesize

    359KB

    MD5

    1f94360c0be4fa13fd63dd926d75bd26

    SHA1

    72b9f4e7cc216dde8ca3bbbf42e3a5c579bd0d7f

    SHA256

    5e7fc1d5ad15a5dfa2f4c9f43f2e2c1c86d88a3822e1152d29f0bf46ebcea987

    SHA512

    73595f59cd4f7ba5810ffa67ca1b68a38525479b1eb656ad6f531b0f584f4c2cff2c5cdf570e6241cf3cc10b7a4f82dc47bd659b3d05db9ab6defc2816d1499e

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1335382.exe

    Filesize

    39KB

    MD5

    01ea89c10b0228d0026072cdb06ba040

    SHA1

    3b164e335ea84450ed4f3c04a93e786145e13fbd

    SHA256

    f9be7f3afa083fb10258ece46786eb826e3b576d0f406a642f4da199cb53b8f0

    SHA512

    50f7896829152b0bc627b552a173cdb982fde67d6e2dc98440008132163734350eec9a922671456f8be1f418ba285dc83bb58761942ccf81ab191fff11afe710

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3509104.exe

    Filesize

    234KB

    MD5

    8dba1d1511306b256354785676a538a1

    SHA1

    848d50cb51be14e2bf4ec6ab6d17b02ad4ce7e0e

    SHA256

    58917d2aac1c385654bdb9536f87cf7f0f0c87a173187a7ce1be910147d5d5f2

    SHA512

    74bc7b8a8946a04bfefbc4e7505292edfb77a1a8e26a462721c8ac98a20b0fd1117d4079fe9536ff9f5a27f9da15d418feb74e28742d822cf4a9742ccc3f3e01

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8793616.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8506718.exe

    Filesize

    230KB

    MD5

    e73052694833a0bd05cef48e25ebc353

    SHA1

    3cd1b2a6b7463d974647e9c0ab36f2821f1c83ee

    SHA256

    15f35e559f06fbfc84e71edaa9686896f89ca98b151570ef535408fdee3826d7

    SHA512

    48264582bee799ffb266de3ed566655d28640a1880b62a150102329e123de56884628b68dd4be371d2160f59c809dd786cae129f08494ca8baf69d22ff7dc489

  • memory/368-48-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/368-50-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/388-31-0x00007FF86B8A0000-0x00007FF86C361000-memory.dmp

    Filesize

    10.8MB

  • memory/388-29-0x00007FF86B8A0000-0x00007FF86C361000-memory.dmp

    Filesize

    10.8MB

  • memory/388-28-0x0000000000A20000-0x0000000000A2A000-memory.dmp

    Filesize

    40KB

  • memory/3600-49-0x0000000002C50000-0x0000000002C66000-memory.dmp

    Filesize

    88KB

  • memory/4752-59-0x00000000050B0000-0x00000000056C8000-memory.dmp

    Filesize

    6.1MB

  • memory/4752-57-0x0000000072F60000-0x0000000073710000-memory.dmp

    Filesize

    7.7MB

  • memory/4752-58-0x00000000048F0000-0x00000000048F6000-memory.dmp

    Filesize

    24KB

  • memory/4752-56-0x0000000000010000-0x0000000000040000-memory.dmp

    Filesize

    192KB

  • memory/4752-60-0x0000000004BA0000-0x0000000004CAA000-memory.dmp

    Filesize

    1.0MB

  • memory/4752-62-0x0000000004AE0000-0x0000000004AF2000-memory.dmp

    Filesize

    72KB

  • memory/4752-61-0x0000000004980000-0x0000000004990000-memory.dmp

    Filesize

    64KB

  • memory/4752-63-0x0000000004B40000-0x0000000004B7C000-memory.dmp

    Filesize

    240KB

  • memory/4752-64-0x0000000004CB0000-0x0000000004CFC000-memory.dmp

    Filesize

    304KB

  • memory/4752-66-0x0000000072F60000-0x0000000073710000-memory.dmp

    Filesize

    7.7MB

  • memory/4752-67-0x0000000004980000-0x0000000004990000-memory.dmp

    Filesize

    64KB