Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-05-2024 14:29
General
-
Target
51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe
-
Size
642KB
-
MD5
0bc5faf0e7fdbd7657e543edd6737f85
-
SHA1
10b8a75b664245ec610d52ff93e6018790e0f029
-
SHA256
51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf
-
SHA512
44a5669177dc9edc2996016254f48b35252e5bcfbc513cbd85cd7405f03d78ec2f86d28071353ffb6cf6ae5411e4e1f5252c2ef4f9d785d867dfb9b88751beee
-
SSDEEP
12288:0Mrjy90oZo0FV0/keZ9Ni15Iv6aCt3JV7i9wQE4Ytm4Nqz/EjCPyZ:HytFjs9NiOCI+Qotm4NAdPG
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
papik
77.91.124.156:19071
-
auth_value
325a615d8be5db8e2f7a4c2448fdac3a
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe"C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E8⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exeFilesize
514KB
MD536c1eafd6f7fac3289a2ad10902214c7
SHA13ff125f846161d490e86aa1dc2a9130fdf9fd79a
SHA256d214bcc70876290c7f60d745d572ab3679e71b2389056c2049e00cf379979a4e
SHA5126e06ebe7ffa04eecd535b70c8aaedcd4215fcec8c23cc121a9294077a3d4b845abf5333ceb319aa72473008fde7d754027bddedfc47a42aed26ef54701c8c851
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exeFilesize
173KB
MD5917f94f6028c80c28cf5088711eecd7e
SHA13be68ffb766d9f2d5684591e15ed29cc3c0708ae
SHA256e8090ca6653f22816f4342681c55f9a37a294c1171f84b2f2d1468ade4edc501
SHA512d337d66c91a9f1fc7847cf8a91dd1bf6d986add1beb74bb765783cf9d122e68e63321b707e63cab0b573b69f751a627ef917ba7c50a73d3fd093537e3be3483a
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exeFilesize
359KB
MD5997e3acf55722532483c24d4a42018bd
SHA1999874b95eefe4f4a596cb651784d5433ed59602
SHA2569e5a9a1f8cf6212a3ff80db93b3b95a80581db8db8cca62e2767ef942c1cc0ef
SHA512826dd2a0fade9daec8435eb86804f26422ae42ad46c546d574503cd3247d8876be1a1e76945b459ed00ebc40bce2a2328bfda7fdd978689571a6958bd6f26533
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exeFilesize
37KB
MD509dd91c0db272565e91d72f057db3875
SHA14ec3dce96293580b7dd7b7daec38d67b61a88ce8
SHA256df26e4fe0aecb23e5ae430e765f004d6fd680cdcd2e35a93deb77110b0cf9b0d
SHA5121da34e535d01107c16a76658e72ca8ed451521732f4d7266c68b27e7f96f12ecb9da5485e66629dc5830de1e9c82723b0cfd56126fe462c0f264d0122034ef80
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exeFilesize
234KB
MD520a66ecc613784a21da380e50bd9d8da
SHA129a18e71e8d0b0e3715d6d6197db85148005a458
SHA256ec09abd890dc124b5d8d05b239a433d4eadb0fe616361640b1f3fbfaaf26fd70
SHA512cec5a26e112d39fff7ffffaf1aea846b3135f658f8a602d2efacf758876bee8aa00b5a00c207df4cf503daf6cce1fd6cc9a45fb0bd071c9d9cee6d3a1396354e
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exeFilesize
11KB
MD577c06d90742d8a47aaa9a0de251e354c
SHA17093e1dfd6707015b4d55e0cae3bd895de53ef97
SHA256d26e443a261981f9b6d556f0ffa0afea82e397b727b99910706252cb1b3bd012
SHA5123e10d699112f347f9e1706339222a3ae1776b8540480466f065d208be9283bd52492387c80e713ec2dca576093c24e889a63150683853798b46535dbd509268f
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exeFilesize
227KB
MD52440a5f6bec87a6ee29cbca62f765c6e
SHA1a2b08b1b3205429e13da332f697b8a2f50f1f75f
SHA2566ad91da98a7fa15322e15b887b4409165c70b752e65efd830bcd113c5be97f59
SHA5129078fcd7456d254e463ffd78700c410fd60d98d3a8c0a3bfd9f0fc5928ff95e36eba6b1c4af82c1f36899162ce1871eed85b44f29700e6415ff2d028d8280f25
-
memory/1832-46-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2164-53-0x0000000004A60000-0x0000000004B6A000-memory.dmpFilesize
1.0MB
-
memory/2164-50-0x0000000000010000-0x0000000000040000-memory.dmpFilesize
192KB
-
memory/2164-51-0x0000000002200000-0x0000000002206000-memory.dmpFilesize
24KB
-
memory/2164-52-0x0000000004F50000-0x0000000005568000-memory.dmpFilesize
6.1MB
-
memory/2164-54-0x00000000049A0000-0x00000000049B2000-memory.dmpFilesize
72KB
-
memory/2164-55-0x0000000004A00000-0x0000000004A3C000-memory.dmpFilesize
240KB
-
memory/2164-56-0x0000000004B70000-0x0000000004BBC000-memory.dmpFilesize
304KB
-
memory/2808-28-0x0000000000260000-0x000000000026A000-memory.dmpFilesize
40KB