Overview

overview

10

Static

static

3

30b55fc29e...75.exe

windows10-2004-x64

10

4f6b8faa68...86.exe

windows10-2004-x64

10

68c37c8307...6a.exe

windows10-2004-x64

10

699bfc597d...1d.exe

windows10-2004-x64

10

844b5b7693...ab.exe

windows10-2004-x64

10

86a6beb680...62.exe

windows10-2004-x64

10

9cf3d2bf3c...cb.exe

windows10-2004-x64

10

ca9f078739...a4.exe

windows10-2004-x64

10

d0ab8687e3...e2.exe

windows10-2004-x64

10

fb468a211d...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2.exe

  • Size

    390KB

  • MD5

    7f2c00bbadc73ad53e903c94a20db4e5

  • SHA1

    9270d43f9bebdd6380fac9c6d6340fee4b28aaa6

  • SHA256

    d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2

  • SHA512

    71d813c1dc82e4fbd9a62e8eb425b3094daa39cf4787a7df7223c2b4e767706a362144682753bf5e00ea3d9aa50ecd1c3e079ae7f9baf7d90477e557b3c098e3

  • SSDEEP

    6144:K/y+bnr+ep0yN90QEOcfek0pdG7xF25AE3ABmsEQX0mHhWjdbrfm5:FMrOy909eYxFKAEwBDjBWjJrfm5

Score
10/10
amadeyhealerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ab8687e34a8f0343980bddd26689960bc998ce3537a995751d70b47f6b24e2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8304226.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8304226.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2900
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0416455.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0416455.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:2944
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4500
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:3032
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:N"
                6⤵
                  PID:3640
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:R" /E
                  6⤵
                    PID:728
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:3500
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\3ec1f323b5" /P "Admin:N"
                      6⤵
                        PID:4728
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:R" /E
                        6⤵
                          PID:4268
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4419793.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4419793.exe
                    3⤵
                    • Modifies Windows Defender Real-time Protection settings
                    • Executes dropped EXE
                    • Windows security modification
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4312
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6147775.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6147775.exe
                  2⤵
                  • Executes dropped EXE
                  PID:396
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:4512
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:4920
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:1992
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:1668

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j6147775.exe
                Filesize

                173KB

                MD5

                b7f729379a37c0f7f5dfb7a17f1bcb1c

                SHA1

                c3df08c950d0d9d8fffa8d2f25216f8b74fc9f36

                SHA256

                e7fe2de161d98a92f13385743abb9a5a37e7d27ae238adbefa07fc859035b2af

                SHA512

                753bf2a61bffad0d69999996f08353942b9814abf9a8d676649c925f4a49b2b0bfd71df45098837ed2c19468b7f1b7c142137b9d4887faaca3d913b5d35dc056

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8304226.exe
                Filesize

                234KB

                MD5

                87aedfc560c9bd0c8573f0c5459e0c03

                SHA1

                94ecaa60536bf743c72ad3d463e24414a82b0b07

                SHA256

                d8a30b3f0111c04c370ebe3791b3edce9716e90df42e4056c327377a4410fb09

                SHA512

                7a4842a87e18f6589d1052e7435322ec6b31af5f82d97d1ffbf18a440d266d540eec6014634907afd4c455afbdc615e3b0835406681657fe8c0ba81331956d2e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0416455.exe
                Filesize

                224KB

                MD5

                8c6b79ec436d7cf6950a804c1ec7d3e9

                SHA1

                4a589d5605d8ef785fdc78b0bf64e769e3a21ad6

                SHA256

                4e1377f9874f333dcb0b1b758e3131949e667fc39aadf3091e4e3b7cdbaeef1d

                SHA512

                06f2de433876963bb7bbddbe93cab0b7dd22164d1c10726294445944dcf5fa4a0fb450fc683c32565177a81a6103f6a5f11d291958bc7fcff7fdb9cf41a001ce

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4419793.exe
                Filesize

                11KB

                MD5

                7e93bacbbc33e6652e147e7fe07572a0

                SHA1

                421a7167da01c8da4dc4d5234ca3dd84e319e762

                SHA256

                850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

                SHA512

                250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

                Download Submit

              • memory/396-32-0x0000000000D00000-0x0000000000D30000-memory.dmp

                Filesize

                192KB

                Download

              • memory/396-33-0x0000000005520000-0x0000000005526000-memory.dmp

                Filesize

                24KB

                Download

              • memory/396-34-0x000000000B080000-0x000000000B698000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/396-35-0x000000000AB70000-0x000000000AC7A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/396-36-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/396-37-0x000000000AB10000-0x000000000AB4C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/396-38-0x0000000005010000-0x000000000505C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/4312-27-0x0000000000E10000-0x0000000000E1A000-memory.dmp

                Filesize

                40KB

                Download