Overview

overview

10

Static

static

3

d46522fabe...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d46522fabe7871e6ca2e073286cc8bf7db30132ea994c84f938dc670caa47a76.exe

  • Size

    234KB

  • MD5

    c8884088ba2dff7e7c0c59dbbd951bf5

  • SHA1

    290120fdf6333f23d9d8dd0eb935bca1de3d51a1

  • SHA256

    d46522fabe7871e6ca2e073286cc8bf7db30132ea994c84f938dc670caa47a76

  • SHA512

    7b61a8327c78f1dd70b2e40815d4a51c93d9e60c69b7cbf1caf845c5b0e96279f78ba3ed75088fb8b3639388e65df05151dc559ae89d88bb1558657f8ea64201

  • SSDEEP

    6144:KVy+bnr++p0yN90QEpJBzX/qEfxaJ/2+b:jMrey90fpfxaDb

Score
10/10
amadeyhealerdropperevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d46522fabe7871e6ca2e073286cc8bf7db30132ea994c84f938dc670caa47a76.exe
    "C:\Users\Admin\AppData\Local\Temp\d46522fabe7871e6ca2e073286cc8bf7db30132ea994c84f938dc670caa47a76.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9347400.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9347400.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2943762.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2943762.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3076
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:5088
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4820
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:3236
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "pdates.exe" /P "Admin:N"
              5⤵
                PID:3544
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                5⤵
                  PID:1920
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:532
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\925e7e99c5" /P "Admin:N"
                    5⤵
                      PID:3948
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\925e7e99c5" /P "Admin:R" /E
                      5⤵
                        PID:4632
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4140
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4968

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9347400.exe
                Filesize

                11KB

                MD5

                6fd0be63aa8a65b2493c4b3603bce8d0

                SHA1

                8c863c4fdbec6bba661c64d9029a1a33f69b5abc

                SHA256

                a072db61cc4dbd41317f758378435870693812c3f2d431ef69188d49bb01bb5c

                SHA512

                8efed7997bc25b4b3949b7dd588ba872b17dc8d01d43a60c8fcb32b9380a165765389ecae5389c1305be494044aa63ccb024566938820523dd0bd50bbcc1be1b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2943762.exe
                Filesize

                223KB

                MD5

                ccf08cf91b2bc30eeec6d1eda0c58a88

                SHA1

                9a4821759a719dfcd7bf822c7a6752c33acde2ed

                SHA256

                57d6c8800fee750f40cd4813e50bc2e6a6d382fc2741ca34c40c504f5243a5b8

                SHA512

                a26e0675d1a8b2d69664df3823e28663b5651345328ef5583c0b9bcb8d740064987d1032672c2b3fd892622cb58ca98d2718eeadbdde7acfd96987198d7fd47e

                Download Submit

              • memory/3932-7-0x00000000007A0000-0x00000000007AA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3932-8-0x00007FFD46603000-0x00007FFD46605000-memory.dmp

                Filesize

                8KB

                Download