Overview

overview

10

Static

static

3

73d68c52c7...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe

  • Size

    1.1MB

  • MD5

    73d68c52c799495637a7ea3b3b4a9b20

  • SHA1

    18f886fb80bf064caeb4b135d52740ecdba6b1ee

  • SHA256

    0655d16e9a5566cd065f65ab31cab51ac2dea2c4201b967bf4438fe8c7d75e8a

  • SHA512

    02f2eb77559863b2f9149492063bc022ed5dbca6c0cb38532dd395bb5579adbd41293494831c048d7aa9c439006fd52e9c55ec370b9c12cfba0c94219b609a1d

  • SSDEEP

    24576:6yjnsO3+2f1tMMHM+WUHtmtkE3bZPPToxYTscRh556zsyC6:BrsO3+2f1txJTmtJZPPToKTzRU9C

Score
10/10
amadeyhealerredlinezgratdropperevasioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

amadey

Version

3.80

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect ZGRat V1 6 IoCs
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\73d68c52c799495637a7ea3b3b4a9b20_NEIKI.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4648
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2164
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5080
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3556
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1020
              6⤵
              • Program crash
              PID:2584
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3324
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:748
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:3636
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2976
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:3748
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "oneetx.exe" /P "Admin:N"
                  7⤵
                    PID:4164
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "oneetx.exe" /P "Admin:R" /E
                    7⤵
                      PID:3444
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:3532
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\cb7ae701b3" /P "Admin:N"
                        7⤵
                          PID:4476
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\cb7ae701b3" /P "Admin:R" /E
                          7⤵
                            PID:2236
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:932
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3556 -ip 3556
                1⤵
                  PID:4724
                • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:5756
                • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
                  1⤵
                  • Executes dropped EXE
                  PID:5144

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CH988882.exe
                  Filesize

                  940KB

                  MD5

                  dfe434a69f2348ebf90b85c207c02ef8

                  SHA1

                  9b12b8825afc0e37f0bad0f22f8f0de317d9e247

                  SHA256

                  c95e9f67bc68689910dc07b3ed80d0cd23c2a65adcc865a5482789b44a851023

                  SHA512

                  1911e79174058bc2e6b2ae409ca238cf9f5603a04b49a8cf294706a7bb310ab63d2b2f649d41f0fd1caec88b9f983923cf31fa6b1ce441f6082bb988844ffbaa

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\404469749.exe
                  Filesize

                  342KB

                  MD5

                  c7f65640e61c71e4258fbc5b9992d3a2

                  SHA1

                  c6bbdd037abcb025def5ffb9dc9f941b7e13fa98

                  SHA256

                  dd565a1874687e6232cffc7cd91b8e230bbc01db92948687f54094023daaee66

                  SHA512

                  3178ba3584a7205844befb2b828b30bf7d971aaaed84915713a9cc3adc392b0f7aec4ea7df7be68aa87793ea1548ba64fd1a2d547b6e9c9545286a81013e1192

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\yf412220.exe
                  Filesize

                  586KB

                  MD5

                  b9caa9de272c1785c900a5735bebea09

                  SHA1

                  00a49290df5123d222a6390033d0c8ea13d01344

                  SHA256

                  126968089982cace9207987f9a1dcf85cb09f830b0f3e22fca99195de7bd3dfe

                  SHA512

                  fde2b945dcd99b0d4f9cc55a8ba61a290310b47d69ab8a3071b0369dcfd9cff4c7a9f4f24320fe68301530c7f33e23a6bccefbe30efd24a38fc103bb56455462

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\326468569.exe
                  Filesize

                  204KB

                  MD5

                  1304f384653e08ae497008ff13498608

                  SHA1

                  d9a76ed63d74d4217c5027757cb9a7a0d0093080

                  SHA256

                  2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

                  SHA512

                  4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fn668898.exe
                  Filesize

                  414KB

                  MD5

                  c15bdaf4b089ace62138eb9c3fa2e9b5

                  SHA1

                  4c6fd1ad3245063b34e01e0346f572ae37caeae9

                  SHA256

                  80e4f8805a09874cb112214f2fe585471e228071f89178e7b37227b8db2b0e79

                  SHA512

                  b474220096c242ef5201a5043feb7f7870a800fa9fc1d3156efddaebaa1f66a142767343a27b90f313deef8682bc7d7b7e63210f0442961db3a272085383502b

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\144105729.exe
                  Filesize

                  175KB

                  MD5

                  a165b5f6b0a4bdf808b71de57bf9347d

                  SHA1

                  39a7b301e819e386c162a47e046fa384bb5ab437

                  SHA256

                  68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

                  SHA512

                  3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\257341906.exe
                  Filesize

                  259KB

                  MD5

                  8527975d775cb7bad819b513e23cc188

                  SHA1

                  45cefaee9740f544108e1bc0abd0ee6d6a347912

                  SHA256

                  a4a924435ec820400a5a9afd180d6423c1d54481d764f9b0d85eae90ce26edfd

                  SHA512

                  4204ec5386e1b7f2292026cb82f70dde7ab27bbe97037897f18fb13b285f381649b017181a5b928708c023bdfb17ea6e5f7ddb1b87918f959210c595266d26b9

                  Download Submit

                • memory/932-115-0x0000000005050000-0x0000000005085000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/932-906-0x0000000007B70000-0x0000000008188000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/932-907-0x00000000075D0000-0x00000000075E2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/932-908-0x00000000075F0000-0x00000000076FA000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/932-117-0x0000000005050000-0x0000000005085000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/932-119-0x0000000005050000-0x0000000005085000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/932-114-0x0000000005050000-0x0000000005085000-memory.dmp

                  Filesize

                  212KB

                  Download

                • memory/932-113-0x0000000005050000-0x000000000508A000-memory.dmp

                  Filesize

                  232KB

                  Download

                • memory/932-112-0x0000000004A20000-0x0000000004A5C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/932-909-0x0000000007710000-0x000000000774C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/932-910-0x0000000002420000-0x000000000246C000-memory.dmp

                  Filesize

                  304KB

                  Download

                • memory/3556-94-0x0000000000400000-0x0000000000455000-memory.dmp

                  Filesize

                  340KB

                  Download

                • memory/3556-92-0x0000000000400000-0x0000000000455000-memory.dmp

                  Filesize

                  340KB

                  Download

                • memory/5080-58-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-48-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-32-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-34-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-36-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-38-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-40-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-42-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-44-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-46-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-50-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-54-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-56-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-52-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-31-0x0000000002430000-0x0000000002443000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/5080-30-0x0000000002430000-0x0000000002448000-memory.dmp

                  Filesize

                  96KB

                  Download

                • memory/5080-29-0x0000000004A60000-0x0000000005004000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/5080-28-0x0000000002050000-0x000000000206A000-memory.dmp

                  Filesize

                  104KB

                  Download