Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 14:29

General

  • Target

    7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe

  • Size

    514KB

  • MD5

    0fa62ebed394e0d1ca75a047dfcd8883

  • SHA1

    c320dd1803bf38cd5822882b9c3aed0c0d2df000

  • SHA256

    7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b

  • SHA512

    d36d9c9ce7042ca5942ec1a762e109c21a717057b6895b8d1b74892c6b08ff7b017c7142012685eb2112ac6800344910e8f2086980887641717db5a20fb437da

  • SSDEEP

    12288:VMrNy90LyyzBA8YCgPxn4VxjSadSX9zheZnSW:cykXgPaSadSX9tmnSW

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes
  • auth_value

    f099c2cf92834dbc554a94e1456cf576

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe
    "C:\Users\Admin\AppData\Local\Temp\7a08e2a624c497b3986fed503c84dd39612ab1fdda740280e5a1514c1aac802b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3040
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3800
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:3752
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4808
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:1344
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:N"
                  7⤵
                    PID:4432
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "danke.exe" /P "Admin:R" /E
                    7⤵
                      PID:5048
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:4820
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:N"
                        7⤵
                          PID:4824
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\3ec1f323b5" /P "Admin:R" /E
                          7⤵
                            PID:1576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3192
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
      2⤵
      • Executes dropped EXE
      PID:2588
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:2340
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:8
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:4964
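
The danke.exe subtree is the Amadey persistence routine in full: `schtasks /Create /SC MINUTE /MO 1` reruns a binary under `%LOCALAPPDATA%\Temp` every minute (the three extra top-level danke.exe processes, PIDs 2340, 8 and 4964, are those task launches), and the cmd.exe /k chain uses `CACLS ... /P "Admin:N"` to strip the logged-on user's access to the dropped file and its directory so it cannot simply be deleted. The script below is an added example, not part of the sandbox report or of Amadey itself. It parses process-creation records for that pattern and flags a minute-interval task pointing into a user-writable path, plus cacls deny-ACLs that lock the scheduled binary. The records are constructed from the command lines shown above; the tuple layout, the `USER_WRITABLE` directory list and the benign control record are assumptions made for the example.

```python
import re

# Constructed process-creation records (pid, parent pid, command line). The
# command lines are copied from the process tree above; the tuple layout is an
# assumption for this example, not a sandbox export format. The last record is
# a constructed benign control that must not be flagged.
SAMPLE_RECORDS = [
    (4864, 3800, r'"C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"'),
    (3752, 4864, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F'),
    (4808, 4864, r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit'),
    (4432, 4808, r'CACLS "danke.exe" /P "Admin:N"'),
    (5048, 4808, r'CACLS "danke.exe" /P "Admin:R" /E'),
    (4824, 4808, r'CACLS "..\3ec1f323b5" /P "Admin:N"'),
    (1576, 4808, r'CACLS "..\3ec1f323b5" /P "Admin:R" /E'),
    (9001, 9000, r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]

# Directories a standard user can write to (assumed list); a task re-running
# a binary from one of these every few minutes is the danke.exe pattern above.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)
# cacls <path> /P <user>:N  -> replace the ACL so <user> has no access to <path>
CACLS_DENY = re.compile(r'cacls\s+"?([^"\s]+)"?\s+/P\s+"?([^":]+):N"?', re.I)


def parse_schtasks(cmdline):
    """Return (task_name, schedule, modifier, target) for a `schtasks /Create`
    command line, or None for anything else. Each option value may be quoted."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None

    def opt(flag):
        m = re.search(r"/" + flag + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
        return (m.group(1) or m.group(2)) if m else ""

    return opt("TN"), opt("SC").upper(), opt("MO"), opt("TR")


def run_interval_minutes(schedule, modifier):
    """Minutes between task runs for MINUTE/HOURLY schedules, else None."""
    if not modifier.isdigit():
        return None
    n = int(modifier)
    return {"MINUTE": n, "HOURLY": 60 * n}.get(schedule)


def find_persistence(records, max_interval=5):
    """Flag scheduled tasks that rerun a user-writable binary at least every
    `max_interval` minutes, then flag cacls deny-ACLs, marking those that lock
    the scheduled binary itself (self-protection) with a separate kind."""
    findings, task_basenames, denials = [], set(), []
    for pid, _ppid, cmd in records:
        parsed = parse_schtasks(cmd)
        if parsed:
            name, schedule, modifier, target = parsed
            interval = run_interval_minutes(schedule, modifier)
            if interval is not None and interval <= max_interval and USER_WRITABLE.search(target):
                findings.append(("schtasks_temp_minute", pid,
                                 f"{name} -> {target} every {interval} min"))
                task_basenames.add(target.rsplit("\\", 1)[-1].lower())
        for m in CACLS_DENY.finditer(cmd):
            denials.append((pid, m.group(1), m.group(2)))
    for pid, path, user in denials:
        base = path.rsplit("\\", 1)[-1].lower()
        kind = "cacls_deny_scheduled_binary" if base in task_basenames else "cacls_deny"
        findings.append((kind, pid, f"{user} denied all access to {path}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in find_persistence(SAMPLE_RECORDS):
        print(f"{kind:28} pid={pid:<5} {detail}")
```

The cacls denials are scanned both in the parent cmd.exe /k line (where the whole chain is visible) and in the individual cacls.exe children, so the same action surfaces at two process levels, which is what you see in the tree above; the `/P "Admin:R" /E` follow-ups that restore read access are deliberately not matched, since the deny is the part worth alerting on.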

Network

MITRE ATT&CK Matrix ATT&CK v13

Execution

  • Scheduled Task/Job (1) T1053

Persistence

  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Privilege Escalation

  • Create or Modify System Process (1) T1543
    • Windows Service (1) T1543.003
  • Boot or Logon Autostart Execution (1) T1547
    • Registry Run Keys / Startup Folder (1) T1547.001
  • Scheduled Task/Job (1) T1053

Defense Evasion

  • Modify Registry (3) T1112
  • Impair Defenses (2) T1562
    • Disable or Modify Tools (2) T1562.001

Discovery

  • Query Registry (2) T1012
  • System Information Discovery (3) T1082
  • Peripheral Device Discovery (1) T1120


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8228646.exe
    Filesize

    174KB

    MD5

    497cc12633c7b690fc84fe172ff0a210

    SHA1

    7e9536fcd70a4c9ad1648b6b6c03f73402d72839

    SHA256

    53acb8295d1517e6cd156542b43e84bf57713a7962aa2feb2c787e5aa5603f5f

    SHA512

    699c014824c4ddd1ff9eb0f3cc669ee626645f098687bf8e54bd3f4c780eb7adb72e92789f078fb3ebfa872e308e09727914ad3913ad21162fcadbe033020629

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8266423.exe
    Filesize

    359KB

    MD5

    718ccdae6522b3565b00d5b5115a54a3

    SHA1

    2791911108e9025489c6a38e53a2d4647ae82ece

    SHA256

    41ce2351f24593197ae25dd9ebdcd3c80ba4fae58ab0da8bed75214c7090d3fc

    SHA512

    1c49c00dd8244dfe894531ffb34cf18db9d3067b0fe4471d3b049d7900933268b7290af53fe401db951746c800692b55b7222c56cf1c5d2ba7f9578e8cad6e05

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3646519.exe
    Filesize

    31KB

    MD5

    314fa0836479755b541b458a7c348818

    SHA1

    e19844a55994fe5b8b89eb9615b1b97f92836025

    SHA256

    b4514de3acdd6e051b3bb0aa10353c14310c726bb338a007ab9d46b3843341a7

    SHA512

    eb8d39b7cfe1b1a847549518b14b4ea85b98ec40bdfce423239560e48aee4cd6ea7f393ee81c916ab7aaa19024dfb33211c1991759a1a54f9a89afca0e98afd9

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0782272.exe
    Filesize

    235KB

    MD5

    3a307272bdc873647e125f30374ad454

    SHA1

    ec3832c7facaf5951522ccda4873ddb9c6a66734

    SHA256

    d1470ff18fc503704258b59863b706ddc9dd0b9ebddc89c3dcd6f37386590b9b

    SHA512

    2ec0adcf2b9fac89e9c14f75b71af6c0b4669c0571c64ff552c301b9f0f81c31c3dd048fdd68de5a450b6675a7d406fa7645b91d9f589936a971b3ac65871cd3

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a2141193.exe
    Filesize

    13KB

    MD5

    7fcbf387238b1edd626f4438f4754e56

    SHA1

    fc497bfd4594da7fc54580773335d14e676672fc

    SHA256

    f426ef07d2b5c8c64227e1d8d6ec1bc609e228255c341a1ac37ef90d4b477d7d

    SHA512

    3f6021efd6a3a696bf654c713a4fbb1f7e1e7aaf4c5f03769faa772e895268152654b00fe02f5b6c88efa4eed86e1bcb122a385714ec0ccce4d5c61b7efd5176

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4366386.exe
    Filesize

    225KB

    MD5

    c44455cce9ce61149ee6633001620646

    SHA1

    c5e1b8ae1ad1490e76eccfaaa9381921afe6e86c

    SHA256

    18ab09cc53d5236f8e572106e31040ff62f192115dad1518ea43ceb36c675730

    SHA512

    d2cd6db8246ab5ce4285035ece5a9290759a5f309240afcdc0f5ab0592bca44e46e39e9c7fac3387d571e0a532c5af3b091348ae5b58750911ffc889b64ba50d

  • memory/2588-51-0x0000000004C90000-0x0000000004CDC000-memory.dmp
    Filesize

    304KB

  • memory/2588-48-0x0000000004D20000-0x0000000004E2A000-memory.dmp
    Filesize

    1.0MB

  • memory/2588-50-0x0000000004C50000-0x0000000004C8C000-memory.dmp
    Filesize

    240KB

  • memory/2588-49-0x0000000004AB0000-0x0000000004AC2000-memory.dmp
    Filesize

    72KB

  • memory/2588-45-0x0000000000230000-0x0000000000260000-memory.dmp
    Filesize

    192KB

  • memory/2588-46-0x0000000002540000-0x0000000002546000-memory.dmp
    Filesize

    24KB

  • memory/2588-47-0x0000000005230000-0x0000000005848000-memory.dmp
    Filesize

    6.1MB

  • memory/3040-21-0x00000000009F0000-0x00000000009FA000-memory.dmp
    Filesize

    40KB

  • memory/3040-22-0x00007FFBFB043000-0x00007FFBFB045000-memory.dmp
    Filesize

    8KB

  • memory/3192-41-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/3192-40-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB