Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 14:29

General

  • Target

    51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe

  • Size

    642KB

  • MD5

    0bc5faf0e7fdbd7657e543edd6737f85

  • SHA1

    10b8a75b664245ec610d52ff93e6018790e0f029

  • SHA256

    51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf

  • SHA512

    44a5669177dc9edc2996016254f48b35252e5bcfbc513cbd85cd7405f03d78ec2f86d28071353ffb6cf6ae5411e4e1f5252c2ef4f9d785d867dfb9b88751beee

  • SSDEEP

    12288:0Mrjy90oZo0FV0/keZ9Ni15Iv6aCt3JV7i9wQE4Ytm4Nqz/EjCPyZ:HytFjs9NiOCI+Qotm4NAdPG

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

papik

C2

77.91.124.156:19071

Attributes
  • auth_value

    325a615d8be5db8e2f7a4c2448fdac3a

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe
    "C:\Users\Admin\AppData\Local\Temp\51c9916d6f5b5ac66aa9b7e4343b3d5a2fa54d57996f9b7bb0d4b18987afd8bf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3156
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1120
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:3716
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2304
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                    PID:4748
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "pdates.exe" /P "Admin:N"
                    8⤵
                      PID:944
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "pdates.exe" /P "Admin:R" /E
                      8⤵
                        PID:3572
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        8⤵
                          PID:4712
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\925e7e99c5" /P "Admin:N"
                          8⤵
                            PID:5060
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\925e7e99c5" /P "Admin:R" /E
                            8⤵
                              PID:3744
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe
                      4⤵
                      • Executes dropped EXE
                      • Checks SCSI registry key(s)
                      PID:1832
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe
                    3⤵
                    • Executes dropped EXE
                    PID:2164
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4124
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4616
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4508

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Execution

              Scheduled Task/Job

              1
              T1053

              Persistence

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Privilege Escalation

              Create or Modify System Process

              1
              T1543

              Windows Service

              1
              T1543.003

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Scheduled Task/Job

              1
              T1053

              Defense Evasion

              Modify Registry

              3
              T1112

              Impair Defenses

              2
              T1562

              Disable or Modify Tools

              2
              T1562.001

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              3
              T1082

              Peripheral Device Discovery

              1
              T1120

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3635371.exe
                Filesize

                514KB

                MD5

                36c1eafd6f7fac3289a2ad10902214c7

                SHA1

                3ff125f846161d490e86aa1dc2a9130fdf9fd79a

                SHA256

                d214bcc70876290c7f60d745d572ab3679e71b2389056c2049e00cf379979a4e

                SHA512

                6e06ebe7ffa04eecd535b70c8aaedcd4215fcec8c23cc121a9294077a3d4b845abf5333ceb319aa72473008fde7d754027bddedfc47a42aed26ef54701c8c851

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3589664.exe
                Filesize

                173KB

                MD5

                917f94f6028c80c28cf5088711eecd7e

                SHA1

                3be68ffb766d9f2d5684591e15ed29cc3c0708ae

                SHA256

                e8090ca6653f22816f4342681c55f9a37a294c1171f84b2f2d1468ade4edc501

                SHA512

                d337d66c91a9f1fc7847cf8a91dd1bf6d986add1beb74bb765783cf9d122e68e63321b707e63cab0b573b69f751a627ef917ba7c50a73d3fd093537e3be3483a

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4873105.exe
                Filesize

                359KB

                MD5

                997e3acf55722532483c24d4a42018bd

                SHA1

                999874b95eefe4f4a596cb651784d5433ed59602

                SHA256

                9e5a9a1f8cf6212a3ff80db93b3b95a80581db8db8cca62e2767ef942c1cc0ef

                SHA512

                826dd2a0fade9daec8435eb86804f26422ae42ad46c546d574503cd3247d8876be1a1e76945b459ed00ebc40bce2a2328bfda7fdd978689571a6958bd6f26533

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1719717.exe
                Filesize

                37KB

                MD5

                09dd91c0db272565e91d72f057db3875

                SHA1

                4ec3dce96293580b7dd7b7daec38d67b61a88ce8

                SHA256

                df26e4fe0aecb23e5ae430e765f004d6fd680cdcd2e35a93deb77110b0cf9b0d

                SHA512

                1da34e535d01107c16a76658e72ca8ed451521732f4d7266c68b27e7f96f12ecb9da5485e66629dc5830de1e9c82723b0cfd56126fe462c0f264d0122034ef80

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8727024.exe
                Filesize

                234KB

                MD5

                20a66ecc613784a21da380e50bd9d8da

                SHA1

                29a18e71e8d0b0e3715d6d6197db85148005a458

                SHA256

                ec09abd890dc124b5d8d05b239a433d4eadb0fe616361640b1f3fbfaaf26fd70

                SHA512

                cec5a26e112d39fff7ffffaf1aea846b3135f658f8a602d2efacf758876bee8aa00b5a00c207df4cf503daf6cce1fd6cc9a45fb0bd071c9d9cee6d3a1396354e

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4350346.exe
                Filesize

                11KB

                MD5

                77c06d90742d8a47aaa9a0de251e354c

                SHA1

                7093e1dfd6707015b4d55e0cae3bd895de53ef97

                SHA256

                d26e443a261981f9b6d556f0ffa0afea82e397b727b99910706252cb1b3bd012

                SHA512

                3e10d699112f347f9e1706339222a3ae1776b8540480466f065d208be9283bd52492387c80e713ec2dca576093c24e889a63150683853798b46535dbd509268f

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4242672.exe
                Filesize

                227KB

                MD5

                2440a5f6bec87a6ee29cbca62f765c6e

                SHA1

                a2b08b1b3205429e13da332f697b8a2f50f1f75f

                SHA256

                6ad91da98a7fa15322e15b887b4409165c70b752e65efd830bcd113c5be97f59

                SHA512

                9078fcd7456d254e463ffd78700c410fd60d98d3a8c0a3bfd9f0fc5928ff95e36eba6b1c4af82c1f36899162ce1871eed85b44f29700e6415ff2d028d8280f25

              • memory/1832-46-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

              • memory/2164-53-0x0000000004A60000-0x0000000004B6A000-memory.dmp
                Filesize

                1.0MB

              • memory/2164-50-0x0000000000010000-0x0000000000040000-memory.dmp
                Filesize

                192KB

              • memory/2164-51-0x0000000002200000-0x0000000002206000-memory.dmp
                Filesize

                24KB

              • memory/2164-52-0x0000000004F50000-0x0000000005568000-memory.dmp
                Filesize

                6.1MB

              • memory/2164-54-0x00000000049A0000-0x00000000049B2000-memory.dmp
                Filesize

                72KB

              • memory/2164-55-0x0000000004A00000-0x0000000004A3C000-memory.dmp
                Filesize

                240KB

              • memory/2164-56-0x0000000004B70000-0x0000000004BBC000-memory.dmp
                Filesize

                304KB

              • memory/2808-28-0x0000000000260000-0x000000000026A000-memory.dmp
                Filesize

                40KB