Overview

overview

10

Static

static

3

30b55fc29e...75.exe

windows10-2004-x64

10

4f6b8faa68...86.exe

windows10-2004-x64

10

68c37c8307...6a.exe

windows10-2004-x64

10

699bfc597d...1d.exe

windows10-2004-x64

10

844b5b7693...ab.exe

windows10-2004-x64

10

86a6beb680...62.exe

windows10-2004-x64

10

9cf3d2bf3c...cb.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

d0ab8687e3...e2.exe

windows10-2004-x64

10

fb468a211d...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275.exe

  • Size

    389KB

  • MD5

    836c2e6c543de8734f2293001cdeb892

  • SHA1

    8d079b4246c7778350797bb66f290fa4f9e72d7a

  • SHA256

    30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275

  • SHA512

    ae73d335a26e2d0e826737c77d01cd38deca1f78fddca93483441da48dbf8c91e6ab64a1216706e6220840dfc75bb078943ab2db6b847b78f43d75f9296faf95

  • SSDEEP

    12288:wMrwy90h82X+eb0XDKMSIgBYCzzq+f0D/:QyXeDPzioU

Score
10/10
amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275.exe
    "C:\Users\Admin\AppData\Local\Temp\30b55fc29eb4d6ba84b1f82bbfa69faa222f2bc6d243a759a624fbb454475275.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5758399.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5758399.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6157500.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6157500.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
          "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2672
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:2756
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2416
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:2016
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                6⤵
                  PID:3836
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  6⤵
                    PID:2188
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:3032
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\925e7e99c5" /P "Admin:N"
                      6⤵
                        PID:3636
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:R" /E
                        6⤵
                          PID:2956
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6319005.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6319005.exe
                    3⤵
                    • Modifies Windows Defender Real-time Protection settings
                    • Executes dropped EXE
                    • Windows security modification
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4264
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3798517.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3798517.exe
                  2⤵
                  • Executes dropped EXE
                  PID:3052
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:3440
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4528
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:1220
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4240

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j3798517.exe
                Filesize

                173KB

                MD5

                8635a57d17ac00b9bda1d2f0b424bb32

                SHA1

                c1c7115c10c9328a94e486c3a0c8d5fc3f3768b2

                SHA256

                7dbe20e520b746881df808b5a7b0c5ae306a65e2095fc951675e223b6a550022

                SHA512

                7c61254cc1bb2a1aa5ece011b3751cf3391167fc39fee095c580a41f642cbcb76c90066c1ca25a4a0a0fbd899b9fd3bfd9b370e8f93656684ec3e78e49d9a950

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5758399.exe
                Filesize

                234KB

                MD5

                6092b931049705408b5c8b4669d207ff

                SHA1

                6e70b1118feec55ec6774e3203198eafe8f2bd13

                SHA256

                de3f6367da3dae76890a609db3de780da484f2c5f252d9c146af3053b68e960c

                SHA512

                0c3a783dd907f61b10c7e2612cbecefa53db9211e58d7c621fe27ff06eb1ac070ce78e5ff0e34906fb135b2bc3f76749290d0717b8c5cd5af52bc9fa1a7b18c2

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6157500.exe
                Filesize

                223KB

                MD5

                aea234064483f651010cf9d981f59fea

                SHA1

                002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

                SHA256

                58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

                SHA512

                eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6319005.exe
                Filesize

                11KB

                MD5

                7e93bacbbc33e6652e147e7fe07572a0

                SHA1

                421a7167da01c8da4dc4d5234ca3dd84e319e762

                SHA256

                850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

                SHA512

                250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

                Download Submit

              • memory/3052-32-0x0000000000740000-0x0000000000770000-memory.dmp

                Filesize

                192KB

                Download

              • memory/3052-33-0x0000000004F60000-0x0000000004F66000-memory.dmp

                Filesize

                24KB

                Download

              • memory/3052-34-0x000000000AA90000-0x000000000B0A8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3052-35-0x000000000A5B0000-0x000000000A6BA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/3052-36-0x000000000A4F0000-0x000000000A502000-memory.dmp

                Filesize

                72KB

                Download

              • memory/3052-37-0x000000000A550000-0x000000000A58C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/3052-38-0x0000000004A20000-0x0000000004A6C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4264-27-0x0000000000200000-0x000000000020A000-memory.dmp

                Filesize

                40KB

                Download