Overview

overview

10

Static

static

3

7d57b41c83...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 23:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991.exe

  • Size

    609KB

  • MD5

    1e6a63ca1ee2c63625362f59ece464e4

  • SHA1

    f1b956db4610e18114484326d13e7d3445c1db4d

  • SHA256

    7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991

  • SHA512

    24ca8f1a6af38f6a354c32ada274a5f8ff73831f76bf9ac4c44e8b8190bb685554d13ab1101232b8e0580093b6a7f22e8d1de486176cd4ae929b22c0047b778e

  • SSDEEP

    12288:vy90vqVyT0LPPw5q8Rb1iN7cqyl+oYbl6scY1:vyAsyT2PUq8rihByl+Y2

Score
10/10
amadeyhealerdropperevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 35 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 35 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991.exe
    "C:\Users\Admin\AppData\Local\Temp\7d57b41c83e4f2d8f13ff9478b552737b881f73892f9c9f4419daea75a5d1991.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eg226714.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eg226714.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\125090175.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\125090175.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3204
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\256855610.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\256855610.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1280
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 1076
          4⤵
          • Program crash
          PID:2284
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\344183579.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\344183579.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:1396
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:2236
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              5⤵
                PID:2032
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                5⤵
                  PID:4288
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:2608
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\cb7ae701b3" /P "Admin:N"
                    5⤵
                      PID:4344
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\cb7ae701b3" /P "Admin:R" /E
                      5⤵
                        PID:3404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1280 -ip 1280
                1⤵
                  PID:720
                • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2272
                • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1068

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\344183579.exe
                  Filesize

                  204KB

                  MD5

                  d601b92182e45c7f6422a5fe5dbc313b

                  SHA1

                  deec86b74593a8a91b8f87a3c48c28d0380b860d

                  SHA256

                  474382ec151ba2cd22188423c72e23318850b1e6b0f863d66280805a41721a10

                  SHA512

                  663e76b174f293db00f1d4ab205a7f9e7157e8c44585ce307303afa7bdf16a3004e8d9864725a8d2b0db32f76b8a099f6ad1ca0fc2ec226fd2aa11bef922260b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eg226714.exe
                  Filesize

                  437KB

                  MD5

                  119fefd51c51b368c9e932ab89873701

                  SHA1

                  a74ff4aa2ef1e3bb8c4dfa34a5400f2e12984c19

                  SHA256

                  53e62d0648542cf8c8445e868f92314b01759d5a16f888b7fb6af4b49a10b45f

                  SHA512

                  26fe4a3a5bf41c311a0ead7a8c7e62ef251b369199acc01b38903855bc63a0147234b577977559664bfe6108a689981d115703dd32767c1f295710ecc778b1ad

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\125090175.exe
                  Filesize

                  175KB

                  MD5

                  81e1961511f1d91559177d4a0b976111

                  SHA1

                  4a4d1c1a48e760600d21f6de813667b41e60c78a

                  SHA256

                  0fd63af78ccbcc55257485ecccc3e7e4486422776e91160cf4bff9501e16fa3b

                  SHA512

                  cf7b7eba32eb67294349ac1e477096c954331fec386ac9996d7a1ebffb237bfaf1c1dace6d6377b1fa8132ceb75bd6a511e19526b9139f6701b641908a21bc41

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\256855610.exe
                  Filesize

                  332KB

                  MD5

                  dec622622f502200146436c0ef75bcfa

                  SHA1

                  8194a891d89434739731fb32a943680ddb59f2df

                  SHA256

                  320a70d5678330aab33909d84b93c05a358c0e8e4ae607ec7353c10728751edb

                  SHA512

                  e8d601a71298723c4dfea2ef5d18fbbf7931ab9314f44dc8f9c2c7802c5c43c1f77c80929dbd828038b4f1f6119faec1ce9ecbd9faf8923955765516d8cf86c8

                  Download Submit

                • memory/1280-68-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-72-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-62-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-84-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-64-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-66-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-58-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-86-0x0000000000400000-0x0000000000466000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/1280-70-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-61-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-74-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-76-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-81-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-82-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-78-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-57-0x0000000004A00000-0x0000000004A12000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1280-56-0x0000000004A00000-0x0000000004A18000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/1280-55-0x00000000023F0000-0x000000000240A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/3204-45-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-38-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-50-0x00000000742A0000-0x0000000074A50000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3204-26-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-32-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-34-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-21-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-22-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-24-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-28-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-30-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-48-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-40-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-43-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-46-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-36-0x0000000004AD0000-0x0000000004AE3000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/3204-20-0x0000000004AD0000-0x0000000004AE8000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/3204-19-0x0000000004C70000-0x0000000005214000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/3204-16-0x0000000004C60000-0x0000000004C70000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3204-17-0x0000000004C60000-0x0000000004C70000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3204-18-0x0000000004C60000-0x0000000004C70000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3204-15-0x00000000742A0000-0x0000000074A50000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3204-14-0x00000000007E0000-0x00000000007FA000-memory.dmp

                  Filesize

                  104KB

                  Download