Analysis

  • max time kernel
    140s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 11:56

General

  • Target

    2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe

  • Size

    359KB

  • MD5

    00db65dad659f95f255fd66a55a3dbcd

  • SHA1

    59e2ff84dd9a158365a1046620138ddd07757acb

  • SHA256

    2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5

  • SHA512

    7e9b19dd6cc96dc841f2bbc610e080d4ee6e2968b8faa3227fbd57b5887a22e2bffe8b3a935cac36c85963f6ea126ec4be50f0b8f1202ac96723098ce6c4aea1

  • SSDEEP

    6144:Kwy+bnr+Up0yN90QElkfSgk3+ouqto7NQz7wmYo6Bv9Ov+bwR8/8gPefdHOD9:EMrMy90l/m4xz7wDoG9OmG8/Befy

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe
    "C:\Users\Admin\AppData\Local\Temp\2bca03b9ef1fd0076fbe6ffcb97d4378326e6bff7afa395802e5c93bf74f66e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933544.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933544.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4140
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4581101.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4581101.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1678834.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1678834.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2808
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:456
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:4880
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:N"
              6⤵
              PID:1760
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "danke.exe" /P "Admin:R" /E
              6⤵
              PID:4848
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              PID:1548
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:N"
              6⤵
              PID:3348
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\3ec1f323b5" /P "Admin:R" /E
              6⤵
              PID:3728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3490647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3490647.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:1424
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:2276
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:4572

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3490647.exe
    • Filesize
      34KB
    • MD5
      3b99009b91884fe51364e5917d969b4f
    • SHA1
      a13eaa174a8072b3d1aaa8bf8f31d16079b00d4c
    • SHA256
      397d9b9ba6c9c4b9b55a0cde147074700c2b382a7f67b3d5b50903f323f60ce1
    • SHA512
      8287dc3c7190eb551b1e3df9ecffd9a3e0b1a64141084432ce791a0d03016a75ef8d4585934f402b1772e2e5a0d604813ebc27a65447208ac60f7b718f74645f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8933544.exe
    • Filesize
      235KB
    • MD5
      87521c8035ca421a6e47dcc31f8e4a89
    • SHA1
      29252b1a00e300f880ed48836f54ad8644800bcf
    • SHA256
      02b51800b95d6592f077610422908ae8e835af33b4c1c4cb292853108b572d3a
    • SHA512
      6e61676726b127fedcadb1addbf4d149c7cfff0727b49edd53a08c572d214910030becbbdfd92e78b1fad71e35f8b385996f87ba8f638c598f489610a7ca29d4

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4581101.exe
    • Filesize
      12KB
    • MD5
      9120b06d028c4bf29570fe065160d155
    • SHA1
      18b2f49a05731331ece3b0e5eb587d9c519ee990
    • SHA256
      c2c2554038de21891c7ca2baa9e5edf95d41733f66965069d9ceb3e1f0728194
    • SHA512
      829d7d6575f60398e7840cb167f84c53c6c1a6176d913cd8645b6badd458990ca59fce8edaea267c03ec2c4a39e253c640b24886be60c3f26a1807386bfb47b1

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1678834.exe
    • Filesize
      230KB
    • MD5
      741cf7533dc12b1edceeeb05d953dd4a
    • SHA1
      b95c702ef75da4bd8eabd03b6431a423e4e4df3e
    • SHA256
      1ce61973bbe1a0bd48a571ef3ad5f1e6472e53d50bbefaecf187842b192ea3d6
    • SHA512
      b51f1eca818ca18fd5c1d9b6c595343f60d91d4f64eb98f12367c56825b6c162900f1a03ec690c5f0e2e42edebc6f4cd4112a495f11690af0432f63e379e6b62

  • memory/1424-33-0x0000000000400000-0x0000000000409000-memory.dmp
    • Filesize
      36KB

  • memory/5040-14-0x00007FF9D49B3000-0x00007FF9D49B5000-memory.dmp
    • Filesize
      8KB

  • memory/5040-15-0x0000000000DB0000-0x0000000000DBA000-memory.dmp
    • Filesize
      40KB