Overview

overview

10

Static

static

3

23fba2c2ae...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe

  • Size

    1.1MB

  • MD5

    01cd1332044eb8b959754e8cce1ec409

  • SHA1

    0f0cfc7c3c2a4e4cb243cab0b891a06f83849203

  • SHA256

    23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a

  • SHA512

    bcb10af9b88962614fe194bcddc3226b8c196cb6c78ed5f30620dca16b9db25074282060d0e1b231a06b8c263016bccddbb840c1f862f5ca6ae83ef52fd55022

  • SSDEEP

    24576:7yJu/fEc/XgLy4ytHgwIC/uVq3wriYBHYL34nCT3uF1ObWzs7:uA/fD/qjytDIC/aqA2GYz4nCT3ubOig

Score
10/10
amadeyhealerredlinezgratdropperevasioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

amadey

Version

3.80

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect ZGRat V1 6 IoCs
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 34 IoCs
  • Detects executables packed with ConfuserEx Mod 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe
    "C:\Users\Admin\AppData\Local\Temp\23fba2c2ae34608d478a900d31c322eb8ff88cab230848ad9664699ae8fce28a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3672
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1080
              6⤵
              • Program crash
              PID:5036
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:224
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4624
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3660
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:1360
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "oneetx.exe" /P "Admin:N"
                  7⤵
                    PID:2396
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "oneetx.exe" /P "Admin:R" /E
                    7⤵
                      PID:1064
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:2920
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\cb7ae701b3" /P "Admin:N"
                        7⤵
                          PID:4360
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\cb7ae701b3" /P "Admin:R" /E
                          7⤵
                            PID:3632
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:640
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3672 -ip 3672
                1⤵
                  PID:3988
                • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4436
                • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4508

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Uv339845.exe
                  Filesize

                  993KB

                  MD5

                  40db4ec774e00ad765b8f6f9d4e5d8c0

                  SHA1

                  e7d52703cacf54563107adcbe14014e7925f17db

                  SHA256

                  505ac42abf815ff774aaef235a08e2e9a4641cf5047b9b39c29e0d569d86f975

                  SHA512

                  1ff82a38ba26dc5dab610bd9a106f15658458b7b72039f7d27d56962532dc65dcb12c2b9c4b75ecd5643ac0384c83fd6733af3b23f895bfa267a07649e043f1d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\449423373.exe
                  Filesize

                  415KB

                  MD5

                  517d2a88dc40fbed026000098137614e

                  SHA1

                  88241dee5dbbb420e31e3384ea200a936444a64b

                  SHA256

                  1f14ff1a3bec8b38b0dcb90c48c6059892d7409e6877131e8a109b15f357ab95

                  SHA512

                  98178f3ef8b772e911e70bb8593d7996cd7c771fa0f408609f2713e8453858c7ae3a7d179c19129ea3818488d87eef1e97d8320320f46eb22985320d523984e1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nt937097.exe
                  Filesize

                  609KB

                  MD5

                  5c09f4f206ac9712ebe1f9b699ffc12b

                  SHA1

                  5c2403c884d94765ad94dcd1cebc285128bb05c2

                  SHA256

                  329c5f33db93271feb930cdb1a0bc9fd2accbcea714fde4521a1ce2f3a394ff6

                  SHA512

                  5439d942e958ff871c7ff2e49f4e992d263c273dcc3f508acf11b2d77aedfb5e6c4c98c4e2a914f151b3790c0706ea92430c3e06464ae1c2a8f671c208161fd0

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\343316617.exe
                  Filesize

                  204KB

                  MD5

                  d5f76b45ca024975642cb5922f431ca0

                  SHA1

                  31d4c90be2c0ea7b72a7cc47dcbaf19acf3b611b

                  SHA256

                  c0efdbc48d3fead12a051f6a37c36372f220090bd35b6254e0d20c81fd7e5c30

                  SHA512

                  b3820a7c76f74265fc8f8ab8b8b45701c73b5f3597cdc737e833206cba2e107f8d6cf6b36c5f2b7660b2e5cc90d09a6de8cb76a5d27287efc11970c2cd6c92f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iN158839.exe
                  Filesize

                  437KB

                  MD5

                  791cfc3c5902051fa7f92affe12fd4c7

                  SHA1

                  774e8fef815388c7a9453e72fb47e73b61ba1bc3

                  SHA256

                  48023a9d4a5e8aa35a99d1f32aedbe2d35b70e04df8bf4040e58e959c59f740e

                  SHA512

                  135e073b2ac0952385096faf3061bd90998db428920f03a62e8abd65a36e0bb9e6611fa67105b927a9b2d4c10ff7446567c2bc260b9e65beae4e51b15911814c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\156290212.exe
                  Filesize

                  175KB

                  MD5

                  3d8bd03b2fc9de52e7164547fcd8a9f4

                  SHA1

                  c223e4a232feecfff267ebcf68e4e2b486ef99c9

                  SHA256

                  c21b053de1cafdc4afc86926438dc6c08ddda6c570fdff93f5f07c474bc358f0

                  SHA512

                  f4cb9cf687ddb57dfef47471deadf7c3c2ae08b3db0871ed661deb5f7a541dc52b58d36c537638768c693a21956994ae46053a09209008c3501cf4803700ab77

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\253948168.exe
                  Filesize

                  332KB

                  MD5

                  d12ac6a0fb2bcc77826019b7185e0c45

                  SHA1

                  032170314e9d384d8ca7c8213d1ec9b678f85c77

                  SHA256

                  8bef91225deb2c0271fc5011628a13618bce9a0ab56173fe66dae8eae45ec2ca

                  SHA512

                  a5fb2e55ecd88b678da9857a63161a7c3e0c4a3e58c796bb32909bf45ce4d13ec7ee18a0992807972d143555b5e9a0e387e91257581d21abd017a81284989290

                  Download Submit

                • memory/640-114-0x0000000004A60000-0x0000000004A9C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/640-115-0x0000000004AE0000-0x0000000004B1A000-memory.dmp

                  Filesize

                  232KB

                  Download

                • memory/640-912-0x0000000004590000-0x00000000045DC000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/640-911-0x0000000004BD0000-0x0000000004C0C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/640-909-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/640-910-0x0000000007660000-0x000000000776A000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/640-908-0x0000000007C80000-0x0000000008298000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/640-116-0x0000000004AE0000-0x0000000004B15000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/640-117-0x0000000004AE0000-0x0000000004B15000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/640-119-0x0000000004AE0000-0x0000000004B15000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/640-121-0x0000000004AE0000-0x0000000004B15000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/1652-45-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-42-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-40-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-38-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-37-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-34-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-33-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-48-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-28-0x0000000004A10000-0x0000000004A2A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/1652-46-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-29-0x0000000004B70000-0x0000000005114000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/1652-30-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/1652-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-58-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-56-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-54-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1652-52-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3672-65-0x00000000026C0000-0x00000000026D8000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/3672-91-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-77-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-75-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-73-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-69-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-85-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-87-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-89-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-81-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-93-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-83-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-71-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-79-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-64-0x0000000002400000-0x000000000241A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/3672-67-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-66-0x00000000026C0000-0x00000000026D2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3672-94-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/3672-96-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download