Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 14:47

General

  • Target

    b0f8fc992132e7592e37766b35451eaa7dfdbfd3d15abe0b8c692f700870b032.exe

  • Size

    641KB

  • MD5

    1d0fbd5c41a0aef56f28e1c20d10e394

  • SHA1

    aabbe503a0cd0511597bcfdd4df77993b1af0f76

  • SHA256

    b0f8fc992132e7592e37766b35451eaa7dfdbfd3d15abe0b8c692f700870b032

  • SHA512

    fed895eb492ae6994d0dcaa145e779bf46bd7cd92b98fa1f14e35f7fc3ed63a070877d2b56893393425576853510600fe99b4a7b2f13f2bab56396d4b7dd1c7c

  • SSDEEP

    12288:QMrey90Wa5yBOAdL1yBrSFbUhlBXxs8SHlaCYYMrk6SpoBeaKVl:eyFaEgAEhvJSHECYApIWl

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a
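
The three extracted configs give the C2 in three shapes: a bare http host with a separate url_paths value (Amadey), a full URL (SmokeLoader) and a host:port pair (RedLine). The following is an added example, not part of the sandbox report or of any vendor tooling: it normalises those values into host, port and path, then classifies constructed proxy/netflow-style events against them, ranking a full host+port+path match above a host-only hit. Joining the Amadey host with its url_paths value into one URL is the example's assumption about how the beacon is formed; the report lists the two values separately.

```python
from urllib.parse import urlsplit

# Indicators copied from the extracted configs above. The Amadey entry joins the
# C2 host with the url_paths value (an assumption about the beacon URL, not
# something the report states); the other two are used as given.
EXTRACTED_C2 = {
    "amadey": "http://77.91.68.61/rock/index.php",
    "smokeloader": "http://77.91.68.29/fks/",
    "redline": "77.91.124.156:19071",
}


def normalise(indicator):
    """Reduce a URL, bare host or host:port indicator to (host, port, path).

    Port is None when the indicator gives neither a port nor a scheme default.
    """
    if "://" not in indicator:
        indicator = "tcp://" + indicator          # bare host[:port] form
    u = urlsplit(indicator)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme)
    return u.hostname, port, u.path or "/"


def build_index(c2s):
    """host -> [(family, port, path)], so lookups go by destination IP first."""
    index = {}
    for family, indicator in c2s.items():
        host, port, path = normalise(indicator)
        index.setdefault(host, []).append((family, port, path))
    return index


# Higher rank wins when one destination IP carries several indicators.
RANK = {"exact": 3, "host-port": 2, "host-only": 1}


def classify(event, index):
    """event: dst_ip, dst_port and, for HTTP events, 'path'.

    Returns (family, match_level) or None. A bare destination-IP hit is kept but
    ranked lowest: shared hosting and re-used infrastructure make host-only
    matches the noisiest signal.
    """
    best = None
    for family, port, path in index.get(event["dst_ip"], []):
        if port is not None and port != event["dst_port"]:
            match = "host-only"
        elif "path" in event and not event["path"].startswith(path):
            match = "host-port"
        else:
            match = "exact"
        if best is None or RANK[match] > RANK[best[1]]:
            best = (family, match)
    return best


# Constructed proxy/netflow-style events for the demo, not traffic from the run.
SAMPLE_EVENTS = [
    {"dst_ip": "77.91.68.61", "dst_port": 80, "path": "/rock/index.php"},
    {"dst_ip": "77.91.68.29", "dst_port": 80, "path": "/fks/"},
    {"dst_ip": "77.91.124.156", "dst_port": 19071},
    {"dst_ip": "77.91.124.156", "dst_port": 443, "path": "/"},
    {"dst_ip": "77.91.68.61", "dst_port": 80, "path": "/favicon.ico"},
    {"dst_ip": "8.8.8.8", "dst_port": 53},
]


def run(events=SAMPLE_EVENTS, c2s=EXTRACTED_C2):
    """Classify every event; returns one (family, match) or None per event."""
    index = build_index(c2s)
    return [classify(ev, index) for ev in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run()):
        print(ev, "->", verdict)
```

The two weaker levels are deliberate: a RedLine host seen on 443 instead of 19071, or the Amadey host fetched on an unrelated path, still deserve a low-priority hunt lead, but only the exact match should page anyone.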

Signatures

  • Amadey

    Amadey is a simple bot trojan, primarily used to collect reconnaissance information from infected hosts.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information (e.g. virtual disk vendor strings) is often read in order to detect sandbox environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0f8fc992132e7592e37766b35451eaa7dfdbfd3d15abe0b8c692f700870b032.exe
    "C:\Users\Admin\AppData\Local\Temp\b0f8fc992132e7592e37766b35451eaa7dfdbfd3d15abe0b8c692f700870b032.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1769708.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1769708.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4782366.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4782366.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7478463.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7478463.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4848
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4475769.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4475769.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5727213.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5727213.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:3684
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2692
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:5028
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2576
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:2716
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "pdates.exe" /P "Admin:N"
                    8⤵
                      PID:4236
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "pdates.exe" /P "Admin:R" /E
                      8⤵
                        PID:3660
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:4792
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\925e7e99c5" /P "Admin:N"
                          8⤵
                            PID:392
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\925e7e99c5" /P "Admin:R" /E
                            8⤵
                              PID:3880
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2075048.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2075048.exe
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:3404
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d5091095.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d5091095.exe
        3⤵
        • Executes dropped EXE
        PID:3356
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:748
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:4512
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:2060
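
The schtasks and CACLS command lines in the tree above are the two Amadey steps a detection engineer most wants to catch: a task that re-launches the dropped pdates.exe every minute from AppData\Local\Temp, and an ACL change that first strips the user's rights on the file and its directory (Admin:N) and then grants read-only (Admin:R /E), so the user cannot simply delete them. The following is an added example, not part of the sandbox report or of any vendor tooling: it runs two command-line checks over process-creation records whose command lines are copied from the tree, plus one constructed benign task for contrast. The record field names (pid, image, cmdline) are assumptions, not a real Sysmon or EDR schema.

```python
import re

# Constructed process-creation records. Command lines for PIDs 5028, 2576, 4236,
# 3660 and 392 are copied from the process tree; PID 9001 is a made-up benign
# task. The field names are an assumption, not a real EDR/Sysmon schema.
EVENTS = [
    {"pid": 5028, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F'},
    {"pid": 2576, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"'
                r'&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"'
                r'&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit'},
    {"pid": 4236, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "pdates.exe" /P "Admin:N"'},
    {"pid": 3660, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "pdates.exe" /P "Admin:R" /E'},
    {"pid": 392, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "..\925e7e99c5" /P "Admin:N"'},
    {"pid": 9001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /ST 03:00 /TN NightlyBackup '
                r'/TR "C:\Program Files\Backup\backup.exe"'},
]

# Directories a standard user can write to; a task whose target lives here is
# persistence for user-land malware far more often than for legitimate software.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def schtasks_args(cmdline):
    """Return the /FLAG -> value map of a schtasks command line, else None."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            args[toks[i].upper()] = toks[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return args


def suspicious_task(cmdline):
    """Reasons a schtasks /Create looks like user-land persistence (empty if none)."""
    args = schtasks_args(cmdline)
    if not args or "/CREATE" not in args:
        return []
    val = lambda k: str(args.get(k, ""))
    reasons = []
    if any(p in val("/TR").lower() for p in USER_WRITABLE):
        reasons.append("task runs a binary from a user-writable directory")
    mo = val("/MO")
    if val("/SC").upper() == "MINUTE" and (int(mo) if mo.isdigit() else 1) <= 5:
        reasons.append("re-launches every few minutes (watchdog-style trigger)")
    return reasons


DENY_ALL = re.compile(r'/[PG]\s+"?[^"\s]+:N\b', re.IGNORECASE)      # cacls <file> /P user:N
ICACLS_DENY = re.compile(r"\bicacls\b.*\s/deny\s", re.IGNORECASE)   # icacls <file> /deny user:(F)


def acl_lockdown(cmdline):
    """Reasons a cacls/icacls call looks like self-protection of a dropped file."""
    low = cmdline.lower()
    if "cacls" not in low:            # matches both cacls.exe and icacls.exe
        return []
    reasons = []
    if DENY_ALL.search(cmdline) or ICACLS_DENY.search(cmdline):
        reasons.append("strips or denies the user's rights on the target (blocks deletion)")
    if re.search(r"echo\s+y\s*\|\s*cacls", low):
        reasons.append("'echo Y |' auto-answers the CACLS replace prompt (non-interactive)")
    return reasons


def triage(events):
    """Run both checks over the records; returns (pid, check name, reasons) per hit."""
    findings = []
    for ev in events:
        for check in (suspicious_task, acl_lockdown):
            reasons = check(ev["cmdline"])
            if reasons:
                findings.append((ev["pid"], check.__name__, reasons))
    return findings


if __name__ == "__main__":
    for pid, check, reasons in triage(EVENTS):
        print(pid, check, "; ".join(reasons))
```

The task check only fires on /Create, so the daily backup task under Program Files passes, and the second CACLS call that merely re-grants read access (PID 3660) is not flagged on its own. Both checks are command-line heuristics; before alerting, pair them with the parent context visible in the tree (schtasks.exe and cmd.exe spawned by a binary running from AppData\Local\Temp).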

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1769708.exe
    Filesize  514KB
    MD5       7a2d3c4a82a09a3031f4ba34ace60c29
    SHA1      a97778e12316ea6554509a2200499acac34cfbbb
    SHA256    abde4ab5556453d1f8f112395377eaff87c54b72538ebde8bbeb4bc0b7a69643
    SHA512    50e3fef3cb681e269699cf81d4fe965bf01eefee37bd8d7ec17a899cbd901402c7a1794428275d84b0f126f847990626e5bbab548b2927d13e37f283abe6126e

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d5091095.exe
    Filesize  173KB
    MD5       028af37cd70bf53962253470737ee3af
    SHA1      06e00855be95cb487667d40b10de22e5c12f91bd
    SHA256    022b7a9e00824d70dd61582c52945dcc1361b7da607af6b9c96c33fe432dd951
    SHA512    7dae9d88f2b7902fb9ecddbc5d3615baf26159a3778f3b1bae0824eb3e45880426e9c4650165c387ed752a7ce61a4c8e981303f0ea82874f63496ecbb59c406f

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4782366.exe
    Filesize  359KB
    MD5       f58247eeab098420f0857249f1e0de7f
    SHA1      838acb6b4b150c188445b7633052f1f02f253f9d
    SHA256    84524e515655961d6aadd8b4173620b3245cd58d564b626b301326593acc0845
    SHA512    1413d573006ca4993d4ef208ebdd5c694579fccfe266347eead146bd14a0193229c6f37da80c65561a00555ab8cbcc63755fa923da68a5f219b8820d5d408eca

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2075048.exe
    Filesize  37KB
    MD5       ef042fef96b5cb05413692409bdaf626
    SHA1      62c2af43ebdf12cabaeadf5a248fd9a48dd776cd
    SHA256    bff49c60ff35728524aa8e23017134eda8d3d07482d459f608e7ebe9131ec850
    SHA512    4f89f0461bb7b505c2cc97ba428ce8e0342b4f76321ed5195974a46ea7880e682a8d36a751c1c970207edd9549ab8bef0eafe04a279d9ef7215559336d30e9ee

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7478463.exe
    Filesize  234KB
    MD5       b694261037fec3d2c30c15f1b3eda248
    SHA1      1e3c35842413c2ec08f97e150956a18819d7acf1
    SHA256    bdc64d77e90c043aaa78be6f2fad11aee100deb0001da671327d0ea5cda6e7fc
    SHA512    8cdf12baf9cc54be2993f89fe8d0c3fa9aa097fdb212b12b074b6b13769aef67e7f5bc0591c316f81a7c89986f911ad86808d2bf2ea72460a1083a61d0bf7984

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4475769.exe
    Filesize  11KB
    MD5       1cdbf941ccc9de4b1f14c24e1cfaff47
    SHA1      f63e35492fa97f4b9728546932366314e79b624f
    SHA256    28379a18f1fefd2841c051f8a3b6da73ef4d8bb2861d0f211ea83c21cad6a56e
    SHA512    5078a541e90e2addda10dace672170769caf0b25190b4c11d82ae8c0f858d6c0b98e0017087a0d9e206777805c499bb903d858594754952602b9e2fa14e494c5

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b5727213.exe
    Filesize  227KB
    MD5       87864bdd796fa4ac12de1d9bef05a67d
    SHA1      d789bdf46f33cf4d91cec44045deff80c3eac473
    SHA256    578289200cb71983c1b6ce725ac7feed77c69671ac929c37b6af407dfbfc6b7a
    SHA512    40c6053ce764d5e2cd7a83af290ba53f06822fb785f02cefd489d584f76ae0d0d167754415d1e403b3903895f80b030746af8ccb83c3f8457c5d79782e8f02e7

  • memory/1180-28-0x00000000008E0000-0x00000000008EA000-memory.dmp
    Filesize  40KB

  • memory/3240-47-0x0000000002B00000-0x0000000002B16000-memory.dmp
    Filesize  88KB

  • memory/3356-54-0x0000000000270000-0x00000000002A0000-memory.dmp
    Filesize  192KB

  • memory/3356-56-0x0000000002600000-0x0000000002606000-memory.dmp
    Filesize  24KB

  • memory/3356-57-0x000000000A6E0000-0x000000000ACF8000-memory.dmp
    Filesize  6.1MB

  • memory/3356-58-0x000000000A220000-0x000000000A32A000-memory.dmp
    Filesize  1.0MB

  • memory/3356-59-0x000000000A160000-0x000000000A172000-memory.dmp
    Filesize  72KB

  • memory/3356-60-0x000000000A1C0000-0x000000000A1FC000-memory.dmp
    Filesize  240KB

  • memory/3356-61-0x000000000A330000-0x000000000A37C000-memory.dmp
    Filesize  304KB

  • memory/3404-50-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize  36KB

  • memory/3404-45-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize  36KB