Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 11:02

General

  • Target

    2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe

  • Size

    390KB

  • MD5

    88cd3287b5c63e0998547f5d6f44ee26

  • SHA1

    34ee86ef1950746fb4c38d73de30714f35a49dc9

  • SHA256

    2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783

  • SHA512

    66881b34422644be2eb840992e90f73429d30018aec01c75c349a6041bce6aa279afe71adb404391371a55caad733a907b6cc6f4a9af86b2201bfed9523bd32b

  • SSDEEP

    6144:Kuy+bnr+Sp0yN90QEnqLaM6P8is7lQuxVkkm2ptpk9h28:GMray90GJtKuikmAq9k8

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe
    "C:\Users\Admin\AppData\Local\Temp\2fd7c050fbac5e1af2ffeb7fa80c3d86adca912aa0593a6fcf0ada9f513ba783.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5924303.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5924303.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4719279.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4719279.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2600
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:4832
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:5000
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:N"
                6⤵
                  PID:2684
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:R" /E
                  6⤵
                    PID:3056
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:4192
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\3ec1f323b5" /P "Admin:N"
                      6⤵
                        PID:2316
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:R" /E
                        6⤵
                          PID:2324
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3322917.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3322917.exe
                    3⤵
                    • Modifies Windows Defender Real-time Protection settings
                    • Executes dropped EXE
                    • Windows security modification
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4480
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2498725.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2498725.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1916
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:4924
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:5072
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:664

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j2498725.exe

                Filesize

                172KB

                MD5

                08fd147a1e9edded8d0bd4e2d606b190

                SHA1

                3751f9a867c5a9754d058ba1dcd475e2d4acf85d

                SHA256

                af53befab6e920f24d498773a18ceff54ab78c6f9a8f2609d4cd693486db7eb9

                SHA512

                645f0c318608308e011c563030a25fec36e199fe9c74a6b684a0008a7c75af6771728276414db61495316deb032bd6cb006779fef39abf68afb92ec16c629a2a

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5924303.exe

                Filesize

                234KB

                MD5

                799a816ea4d3026a25c673503b6821ea

                SHA1

                74fcbc62374af486599c392a94afc6859ede3fad

                SHA256

                31e450f20ad58e7cc3658ccccd0a02b68dcd50f18461a0f3080264a3aac5bf75

                SHA512

                97c5bfc0a370d44ab6fbd17a7d2b81e30e7e70c5de8e0b0b77f00a226052af23654014ab0062588b1c557cd3ab3bb2214a50dfe967838c51ae5c0f8248430c5d

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4719279.exe

                Filesize

                224KB

                MD5

                8c6b79ec436d7cf6950a804c1ec7d3e9

                SHA1

                4a589d5605d8ef785fdc78b0bf64e769e3a21ad6

                SHA256

                4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d

                SHA512

                06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3322917.exe

                Filesize

                11KB

                MD5

                7e93bacbbc33e6652e147e7fe07572a0

                SHA1

                421a7167da01c8da4dc4d5234ca3dd84e319e762

                SHA256

                850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

                SHA512

                250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

              • memory/1916-32-0x0000000000010000-0x0000000000040000-memory.dmp

                Filesize

                192KB

              • memory/1916-33-0x00000000022A0000-0x00000000022A6000-memory.dmp

                Filesize

                24KB

              • memory/1916-34-0x000000000A480000-0x000000000AA98000-memory.dmp

                Filesize

                6.1MB

              • memory/1916-35-0x0000000009FC0000-0x000000000A0CA000-memory.dmp

                Filesize

                1.0MB

              • memory/1916-36-0x0000000009F00000-0x0000000009F12000-memory.dmp

                Filesize

                72KB

              • memory/1916-37-0x0000000009F60000-0x0000000009F9C000-memory.dmp

                Filesize

                240KB

              • memory/1916-38-0x0000000002160000-0x00000000021AC000-memory.dmp

                Filesize

                304KB

              • memory/4480-27-0x0000000000140000-0x000000000014A000-memory.dmp

                Filesize

                40KB