Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 11:02
General
-
Target
4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5.exe
-
Size
514KB
-
MD5
83901ef0a5b975b100a0dabfb11c7cea
-
SHA1
34a15996b4f2d4bcbdd398658f85eb07e1c90345
-
SHA256
4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5
-
SHA512
8bfdc76b1f5abeee4a9043b60adc7992262f980ede10a4ab3c4202f088c4f906aafa70a6da1ec7e729018276d84b8cfe8fff70880bf09488baec63619284893e
-
SSDEEP
12288:rMrXy90YS+RDQE4GGAqO6wSgaqsoCpAPiFT1lg:Ey5SjvGEOJu5g
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Extracted
redline
news
77.91.68.68:19071
-
auth_value
99ba2ffe8d72ebe9fdc7e758c94db148
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5.exe"C:\Users\Admin\AppData\Local\Temp\4663b4277cecac818e54c11c72e9cf1ad537fe10a266e09ebb9f0026ab9a96a5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4832294.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4832294.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2938738.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2938738.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3588610.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a3588610.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6542666.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6542666.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1964322.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1964322.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5591518.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d5591518.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD531df0894347caaaef259e2e74c3273ca
SHA161b731be9911b72c2e25367e276409efa7729911
SHA256bd52ad8d28113281760dad60a2dc8a80c4dbd355b5fc99fd6683da38458e2562
SHA51231d78f923d89b65363679c8693707f41fea3a58a5f87fc87d01829c9202825d6c41eb9278d01a4ae64989cdd7cac708f64dffdf3e25a3a1a679f53286c271a6e
-
Filesize
359KB
MD5c8b837d87424640f379241af42394991
SHA18be0131290c7a0ff0492eb154662a2ab0eead141
SHA256361030ee64076cbd0a45dfd2b842caa68e89a2ed513db0c428148672e0aa4161
SHA5122d420050100972abd2a39802b9a60fef7854fac1a55667cee6d335db50501e058f0c9fb6940b0a088961e286940ebcf061976b13ed7b6bb943c822090a6693b8
-
Filesize
34KB
MD53802989e409dbf4ae29081fe55df7e25
SHA12335b8445d874ef1471ab98c51f8a5e327c47bcc
SHA256ef9af28db9eb7e1030ebfd255f0294c5515d3af2432b4374346e2f839de26b90
SHA5124afabcbe96c7edb6b850685aa4a9d295900df9b986622d482106c2e297c11a8d87bcd4b778f7173570a2021263b4cf59c2790268c36600a97150b4167dab257d
-
Filesize
234KB
MD5a6cf36ef0cb936be2e48b770ffaa692a
SHA1c852ab2016c488531c2360ccb45100d41d27087a
SHA256350b02638361c39cdfc97bdcd6aa8da65ada1391d622ccbf771876cb1907071c
SHA51258786472efff11a8883ca0567a43075d8ebe7d639fd13d6d131b5b10fbb5dcceaa6ae2907d8baadadf71dd72df233f9e09434c812b45000e7e8699a4e08717bc
-
Filesize
12KB
MD5f42c5e225d737b9c3fee86c53fcde9e1
SHA1194f0b1858498d790ffc30a750e689f8677a76e2
SHA256d3362dd3c549e8bf353de30125a3730b33efac4e127bd0eb24eb66a197ec09e0
SHA5126b0560f2b4e11bf154311db52d8cb4e04b8d2ee21fd26d1cefece829d13541fa0c3194115175a8d65c1c3f9fe86eb68b5eb74ec6bf374ca3aa5b87b4b8c90a92
-
Filesize
230KB
MD589d742e7e14729b64f3789a49431df00
SHA1a62b8f96272e8762500c43a76fb2d39bf6b0ad28
SHA256e2cd2b696d33cfc0738eded231b9f1d67a0cc77bcaea5fb5c88998eadc737829
SHA512b8375f5c0648b5606d89e894485312cdb39becbf433a6983e8868effe660d856907a1d1379af985f5f8769b8c695461519c34f47d2ca620a50d17ee77193992e
-
Filesize
1.0MB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
36KB