Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 12:56

General

  • Target

    27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe

  • Size

    514KB

  • MD5

    05b1bd5fc4cfbb5ac811b1085e421a0e

  • SHA1

    cc9da7c9ffe07eac65e1c6b57d62f820a9b75e99

  • SHA256

    27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f

  • SHA512

    8b84c660b2a8819f5bf546405f63c359e9836fba5d4145878afbe02c98a1d30d6380df9e70a9f819494a89f6c3a5f3fd1b86ea2e1218ab5834490ef790d41c65

  • SSDEEP

    12288:bMrFy90nQ3cYBUovwEOAjj3pvqur9J1VpR8/G98aYE03ZoRU:iyBsOUovwsjjMupbR2GSVlJoe

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe
    "C:\Users\Admin\AppData\Local\Temp\27bf431b08d40bcbf5b763154e97f70f0745d6072ffe1d77d49e6cc8d3181c9f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4549806.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4549806.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1515895.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1515895.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8274244.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8274244.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1980
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8596918.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8596918.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4408
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4332
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4948
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4476
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:5016
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                7⤵
                PID:4532
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                7⤵
                PID:3340
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:4944
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:N"
                7⤵
                PID:3048
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:R" /E
                7⤵
                PID:2692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9178124.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9178124.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:2696
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4707782.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4707782.exe
      2⤵
      • Executes dropped EXE
      PID:808
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:64
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4707782.exe

    Filesize
    172KB

    MD5
    324b9c52a440df10451ea56cddbb933f

    SHA1
    79a4aac847a6e13f4309434507cf418d1db1a0be

    SHA256
    ebdd5ae808c56954a715afbc029e8d8c58ee33b8a9351d83031a9a7cef0441e4

    SHA512
    881f26d3c69f4dde394ce450c9ec742f8a90932430bdf69986fdf72fd48bdea9e786272a0acd5ba24e1904d0f434e93794fdf3145ff5104c8e37f083e79c373f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4549806.exe

    Filesize
    359KB

    MD5
    9687f62b277e9e4c38388e52a3914ca6

    SHA1
    a9cd5f4023526c8df5d9442244133c8c5471d057

    SHA256
    daa2762feeb31382796706720fe749e99ab594f942baf09480423a79c3c6d383

    SHA512
    58560f27f3ed5040564a8d270fd67dbe0c3212649e3c46df89b89516e140a6f88c4a4f000562cdb02607b777ed86cc0a6207980e46530ba689bb0d27f9f9df9b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9178124.exe

    Filesize
    35KB

    MD5
    25142518552111557da73643ef6ace9e

    SHA1
    505a10b7ad3556ef3af75354a2aae0a061e19a0a

    SHA256
    dea04fdae7f23df334a0481f22f9fdb14ca4b9c99cfacbca80d160ac1ec05927

    SHA512
    44cdfdb33a767bdcc14c1fcb0e251332fa48d929b47244536adcd5b2ee596bf017fd9b802684b7e8d9102c0094453c291b72238260acb013b46e17e9ad6440dc

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1515895.exe

    Filesize
    234KB

    MD5
    a7fff079383e825173137379ab670cd5

    SHA1
    1fc0bf08810633f1e20c0c350ba50042e95bf6ec

    SHA256
    21854cd5d1a30272f224300bcd8b41a10c020cd805952a6fa59d6e97d7052294

    SHA512
    4371434fbc5f814d7c93ad3b7506f6b9d95aeabb7923bbb7739daa97a3d54e3ebe4dfecb92cc5eeca8750c5bc60c3fecabe73dece70feb0142118af2a50109d4

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8274244.exe

    Filesize
    12KB

    MD5
    dd8411c84825addf4c2fb62ea2de05e7

    SHA1
    94eee2c85a6cf96bac81febe04a23f0d4996d87a

    SHA256
    03e09dd7805602f105f3744033d0db0937e6f08145c0245c916d5fd1ddec18b2

    SHA512
    3a78176b1214c2af3bedb1822c6da3874d5d50e1a00efc40e220f77cfd79b42cb402e4162af05b8d1b805188f6eb57843863403256a218c978d91d9442d7fd2b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8596918.exe

    Filesize
    224KB

    MD5
    0c18ddfc5cf775eb6ac1c62de1fedc90

    SHA1
    da280fea7c358272c21dc5c5372e32454ef99b0d

    SHA256
    4986eb6b0771f1600534231e29d7dad8f1a124763664535c485fe2db4ab8f403

    SHA512
    a3c8e5f994c4ff4bbb9f46c57fd8118fc69ce41f6c4f7c91d04fb06ffd31f9c5452a6734f6c1c45513c89f4cf89e97d3bdb63468033c100ee87213627a7f8afa

  • memory/808-51-0x0000000004DF0000-0x0000000004E3C000-memory.dmp

    Filesize
    304KB

  • memory/808-46-0x0000000002530000-0x0000000002536000-memory.dmp

    Filesize
    24KB

  • memory/808-47-0x00000000051F0000-0x0000000005808000-memory.dmp

    Filesize
    6.1MB

  • memory/808-48-0x0000000004CE0000-0x0000000004DEA000-memory.dmp

    Filesize
    1.0MB

  • memory/808-49-0x0000000004C10000-0x0000000004C22000-memory.dmp

    Filesize
    72KB

  • memory/808-50-0x0000000004C70000-0x0000000004CAC000-memory.dmp

    Filesize
    240KB

  • memory/808-45-0x0000000000140000-0x0000000000170000-memory.dmp

    Filesize
    192KB

  • memory/1980-21-0x0000000000440000-0x000000000044A000-memory.dmp

    Filesize
    40KB

  • memory/1980-22-0x00007FFF454A3000-0x00007FFF454A5000-memory.dmp

    Filesize
    8KB

  • memory/2696-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB

  • memory/2696-40-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize
    36KB