Overview
overview
10Static
static
301aa1629bc...16.exe
windows10-2004-x64
1010c3a4b3e3...62.exe
windows10-2004-x64
1012d321d9a6...0f.exe
windows10-2004-x64
102a2e3be04e...f7.exe
windows10-2004-x64
102bca03b9ef...e5.exe
windows10-2004-x64
102d2e176ff1...1c.exe
windows10-2004-x64
102d948afc82...ca.exe
windows10-2004-x64
102ec8f43232...da.exe
windows10-2004-x64
103a0ceb2aa8...f5.exe
windows10-2004-x64
103d5d854d7b...21.exe
windows10-2004-x64
1068ab5c7a84...5d.exe
windows10-2004-x64
107732b3137a...d8.exe
windows10-2004-x64
107c81a593c9...95.exe
windows7-x64
37c81a593c9...95.exe
windows10-2004-x64
108a74314c35...5a.exe
windows10-2004-x64
79b03895e9b...54.exe
windows7-x64
39b03895e9b...54.exe
windows10-2004-x64
10a777a11027...76.exe
windows10-2004-x64
10c0dad59a3b...fd.exe
windows10-2004-x64
10de0b656af4...69.exe
windows10-2004-x64
10e0c981a9f2...55.exe
windows10-2004-x64
10e5410c580a...b5.exe
windows7-x64
1e5410c580a...b5.exe
windows10-2004-x64
1Analysis
-
max time kernel
140s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 11:56
Static task
static1
Behavioral task
behavioral1
Sample
01aa1629bce01d1d882c10d835fa7765f2a247f51bcbf0d46b77b87362877916.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
10c3a4b3e37a803bd0aa6309c39158c1cdc781b3496a972f062f1fe958597862.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
12d321d9a66bfb909ca6ae3097f6aba39263be25c619d424b1dbefd373b20d0f.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
2a2e3be04e8391170c3a71e198b45f6e45c085dff086c4e7b09748919fbeaef7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
2d2e176ff101b33e0adec2558415b76c1425ba9502c4b652c64b4751dd11181c.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
2d948afc82e00dd1f60cb24271d2c482bc87f04e3f42bcd4147a3e017a974dca.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
2ec8f4323279cbb3c829846c70e2e3b3f65d9d4591c18c17eb21dd76a257e0da.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
3a0ceb2aa80172e3223e5154bd251fc1909cd353262609fa6bfeeb684d7761f5.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
3d5d854d7b4667609b1a4eb70e50a6f99578a6ede0809793fc835cf2aebd7221.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
68ab5c7a84977eb7379341d29d2b10434cfd4ae30fb2276c4973f5fa55a7e85d.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
7732b3137a721cb543261e9c4ecb5c90b51aa6d810c2df0104df6b11e319dbd8.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
7c81a593c9a2d9ab34fc28f1c121a9133b5584f0f4893ce3b51f6d7fdc040495.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
8a74314c35a7a341a4dec6d70e0d6801d49282a77f6ca44fee133e1d3ae7b45a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
9b03895e9b8629528bbb718f6ceab16387b6aba3cfa7fd7750d1372e383a7554.exe
Resource
win7-20240220-en
Behavioral task
behavioral17
Sample
9b03895e9b8629528bbb718f6ceab16387b6aba3cfa7fd7750d1372e383a7554.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
a777a11027afe934646141f176344a5c05c946b740bea45e9684b9a8b98f6676.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
c0dad59a3bf41db6ecf798e4bdcef76482de14c96e0a17733413f0a05a686cfd.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral20
Sample
de0b656af41759ffa8477cd8c387f71b8e3cbddbc718028139d53bc1c6b95d69.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
e0c981a9f27b4ad406731c3e41ec4ff1248e97b375aacc1a4489a8065a22ed55.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5.exe
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
e5410c580a81399010c4afd0cb43116c8c6e79ed10a16ace6ca24b1180f130b5.exe
Resource
win10v2004-20240426-en
General
-
Target
2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe
-
Size
359KB
-
MD5
00db65dad659f95f255fd66a55a3dbcd
-
SHA1
59e2ff84dd9a158365a1046620138ddd07757acb
-
SHA256
2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5
-
SHA512
7e9b19dd6cc96dc841f2bbc610e080d4ee6e2968b8faa3227fbd57b5887a22e2bffe8b3a935cac36c85963f6ea126ec4be50f0b8f1202ac96723098ce6c4aea1
-
SSDEEP
6144:Kwy+bnr+Up0yN90QElkfSgk3+ouqto7NQz7wmYo6Bv9Ov+bwR8/8gPefdHOD9:EMrMy90l/m4xz7wDoG9OmG8/Befy
Malware Config
Extracted
amadey
3.85
http://77.91.68.3
-
install_dir
3ec1f323b5
-
install_file
danke.exe
-
strings_key
827021be90f1e85ab27949ea7e9347e8
-
url_paths
/home/love/index.php
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
resource yara_rule behavioral5/files/0x0008000000023429-13.dat healer behavioral5/memory/5040-15-0x0000000000DB0000-0x0000000000DBA000-memory.dmp healer -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" a4581101.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" a4581101.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection a4581101.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" a4581101.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" a4581101.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" a4581101.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation b1678834.exe Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation danke.exe -
Executes dropped EXE 7 IoCs
pid Process 4140 v8933544.exe 5040 a4581101.exe 1092 b1678834.exe 2808 danke.exe 1424 c3490647.exe 2276 danke.exe 4572 danke.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a4581101.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" v8933544.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3490647.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3490647.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c3490647.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 456 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5040 a4581101.exe 5040 a4581101.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5040 a4581101.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 4280 wrote to memory of 4140 4280 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe 82 PID 4280 wrote to memory of 4140 4280 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe 82 PID 4280 wrote to memory of 4140 4280 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe 82 PID 4140 wrote to memory of 5040 4140 v8933544.exe 83 PID 4140 wrote to memory of 5040 4140 v8933544.exe 83 PID 4140 wrote to memory of 1092 4140 v8933544.exe 86 PID 4140 wrote to memory of 1092 4140 v8933544.exe 86 PID 4140 wrote to memory of 1092 4140 v8933544.exe 86 PID 1092 wrote to memory of 2808 1092 b1678834.exe 87 PID 1092 wrote to memory of 2808 1092 b1678834.exe 87 PID 1092 wrote to memory of 2808 1092 b1678834.exe 87 PID 4280 wrote to memory of 1424 4280 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe 88 PID 4280 wrote to memory of 1424 4280 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe 88 PID 4280 wrote to memory of 1424 4280 2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe 88 PID 2808 wrote to memory of 456 2808 danke.exe 89 PID 2808 wrote to memory of 456 2808 danke.exe 89 PID 2808 wrote to memory of 456 2808 danke.exe 89 PID 2808 wrote to memory of 1320 2808 danke.exe 91 PID 2808 wrote to memory of 1320 2808 danke.exe 91 PID 2808 wrote to memory of 1320 2808 danke.exe 91 PID 1320 wrote to memory of 4880 1320 cmd.exe 93 PID 1320 wrote to memory of 4880 1320 cmd.exe 93 PID 1320 wrote to memory of 4880 1320 cmd.exe 93 PID 1320 wrote to memory of 1760 1320 cmd.exe 94 PID 1320 wrote to memory of 1760 1320 cmd.exe 94 PID 1320 wrote to memory of 1760 1320 cmd.exe 94 PID 1320 wrote to memory of 4848 1320 cmd.exe 95 PID 1320 wrote to memory of 4848 1320 cmd.exe 95 PID 1320 wrote to memory of 4848 1320 cmd.exe 95 PID 1320 wrote to memory of 1548 1320 cmd.exe 96 PID 1320 wrote to memory of 1548 1320 cmd.exe 96 PID 1320 wrote to memory of 1548 1320 cmd.exe 96 PID 1320 wrote to memory of 3348 1320 cmd.exe 97 PID 1320 wrote to memory of 3348 1320 cmd.exe 97 PID 1320 wrote to memory of 3348 1320 cmd.exe 97 PID 1320 wrote to memory of 3728 1320 cmd.exe 98 PID 1320 wrote to memory of 3728 1320 cmd.exe 98 PID 1320 wrote to memory of 3728 1320 cmd.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe"C:\Users\Admin\AppData\Local\Temp\2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933544.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933544.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4581101.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4581101.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1678834.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1678834.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F5⤵
- Creates scheduled task(s)
PID:456
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4880
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:N"6⤵PID:1760
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "danke.exe" /P "Admin:R" /E6⤵PID:4848
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:1548
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:N"6⤵PID:3348
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\3ec1f323b5" /P "Admin:R" /E6⤵PID:3728
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3490647.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3490647.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1424
-
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:2276
-
C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exeC:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe1⤵
- Executes dropped EXE
PID:4572
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
34KB
MD53b99009b91884fe51364e5917d969b4f
SHA1a13eaa174a8072b3d1aaa8bf8f31d16079b00d4c
SHA256397d9b9ba6c9c4b9b55a0cde147074700c2b382a7f67b3d5b50903f323f60ce1
SHA5128287dc3c7190eb551b1e3df9ecffd9a3e0b1a64141084432ce791a0d03016a75ef8d4585934f402b1772e2e5a0d604813ebc27a65447208ac60f7b718f74645f
-
Filesize
235KB
MD587521c8035ca421a6e47dcc31f8e4a89
SHA129252b1a00e300f880ed48836f54ad8644800bcf
SHA25602b51800b95d6592f077610422908ae8e835af33b4c1c4cb292853108b572d3a
SHA5126e61676726b127fedcadb1addbf4d149c7cfff0727b49edd53a08c572d214910030becbbdfd92e78b1fad71e35f8b385996f87ba8f638c598f489610a7ca29d4
-
Filesize
12KB
MD59120b06d028c4bf29570fe065160d155
SHA118b2f49a05731331ece3b0e5eb587d9c519ee990
SHA256c2c2554038de21891c7ca2baa9e5edf95d41733f66965069d9ceb3e1f0728194
SHA512829d7d6575f60398e7840cb167f84c53c6c1a6176d913cd8645b6badd458990ca59fce8edaea267c03ec2c4a39e253c640b24886be60c3f26a1807386bfb47b1
-
Filesize
230KB
MD5741cf7533dc12b1edceeeb05d953dd4a
SHA1b95c702ef75da4bd8eabd03b6431a423e4e4df3e
SHA2561ce61973bbe1a0bd48a571ef3ad5f1e6472e53d50bbefaecf187842b192ea3d6
SHA512b51f1eca818ca18fd5c1d9b6c595343f60d91d4f64eb98f12367c56825b6c162900f1a03ec690c5f0e2e42edebc6f4cd4112a495f11690af0432f63e379e6b62