amadey | 2a57fa0e264c30123d79d5a18397ff8ecfce4d9f58a5938c968ad3a9dd12e935

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 15:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe
Size

641KB
MD5

788d92f47b212e2049463dd423a5dee1
SHA1

ec638a326f621c2ac72199ddb8e02affffe0dee6
SHA256

74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38
SHA512

2ff493ef1f3f2e9905e2930669eefb995041eeb8045ec1a4bfc935b655454aea9c591dfe179ec3c711fb22ff25374a64a01e7a56b204b37fd417e1b3278ab2a0
SSDEEP

12288:/Mrey90DQanCnYpz9L+2CBiMx5A5nF9npy7OsW6f/g9EcqOEluM:FyKPC8zBBE7jcF9py7OsW6ng9Ecq5uM

Score

10^/10

amadey healer redline smokeloader papik backdoor dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

papik

77.91.124.156:19071

Attributes

auth_value
325a615d8be5db8e2f7a4c2448fdac3a

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral10/files/0x0008000000023434-26.dat	healer
behavioral10/memory/5044-28-0x0000000000260000-0x000000000026A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5537611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5537611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5537611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5537611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5537611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5537611.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x000700000002342f-48.dat	family_redline
behavioral10/memory/1572-50-0x0000000000DC0000-0x0000000000DF0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	b8545807.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	pdates.exe

Executes dropped EXE 10 IoCs

pid	Process
4068	v3275973.exe
4836	v9906445.exe
4256	v3094225.exe
5044	a5537611.exe
3952	b8545807.exe
3376	pdates.exe
4252	c9373749.exe
1572	d2527041.exe
2196	pdates.exe
4472	pdates.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5537611.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9906445.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3094225.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3275973.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4904	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9373749.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9373749.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c9373749.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	a5537611.exe
5044	a5537611.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	a5537611.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 4068	1432	74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe	82
PID 1432 wrote to memory of 4068	1432	74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe	82
PID 1432 wrote to memory of 4068	1432	74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe	82
PID 4068 wrote to memory of 4836	4068	v3275973.exe	83
PID 4068 wrote to memory of 4836	4068	v3275973.exe	83
PID 4068 wrote to memory of 4836	4068	v3275973.exe	83
PID 4836 wrote to memory of 4256	4836	v9906445.exe	85
PID 4836 wrote to memory of 4256	4836	v9906445.exe	85
PID 4836 wrote to memory of 4256	4836	v9906445.exe	85
PID 4256 wrote to memory of 5044	4256	v3094225.exe	86
PID 4256 wrote to memory of 5044	4256	v3094225.exe	86
PID 4256 wrote to memory of 3952	4256	v3094225.exe	97
PID 4256 wrote to memory of 3952	4256	v3094225.exe	97
PID 4256 wrote to memory of 3952	4256	v3094225.exe	97
PID 3952 wrote to memory of 3376	3952	b8545807.exe	98
PID 3952 wrote to memory of 3376	3952	b8545807.exe	98
PID 3952 wrote to memory of 3376	3952	b8545807.exe	98
PID 4836 wrote to memory of 4252	4836	v9906445.exe	99
PID 4836 wrote to memory of 4252	4836	v9906445.exe	99
PID 4836 wrote to memory of 4252	4836	v9906445.exe	99
PID 3376 wrote to memory of 4132	3376	pdates.exe	100
PID 3376 wrote to memory of 4132	3376	pdates.exe	100
PID 3376 wrote to memory of 4132	3376	pdates.exe	100
PID 3376 wrote to memory of 4016	3376	pdates.exe	102
PID 3376 wrote to memory of 4016	3376	pdates.exe	102
PID 3376 wrote to memory of 4016	3376	pdates.exe	102
PID 4016 wrote to memory of 4804	4016	cmd.exe	104
PID 4016 wrote to memory of 4804	4016	cmd.exe	104
PID 4016 wrote to memory of 4804	4016	cmd.exe	104
PID 4016 wrote to memory of 3172	4016	cmd.exe	105
PID 4016 wrote to memory of 3172	4016	cmd.exe	105
PID 4016 wrote to memory of 3172	4016	cmd.exe	105
PID 4016 wrote to memory of 1424	4016	cmd.exe	106
PID 4016 wrote to memory of 1424	4016	cmd.exe	106
PID 4016 wrote to memory of 1424	4016	cmd.exe	106
PID 4016 wrote to memory of 4984	4016	cmd.exe	107
PID 4016 wrote to memory of 4984	4016	cmd.exe	107
PID 4016 wrote to memory of 4984	4016	cmd.exe	107
PID 4016 wrote to memory of 1796	4016	cmd.exe	108
PID 4016 wrote to memory of 1796	4016	cmd.exe	108
PID 4016 wrote to memory of 1796	4016	cmd.exe	108
PID 4016 wrote to memory of 3180	4016	cmd.exe	109
PID 4016 wrote to memory of 3180	4016	cmd.exe	109
PID 4016 wrote to memory of 3180	4016	cmd.exe	109
PID 4068 wrote to memory of 1572	4068	v3275973.exe	114
PID 4068 wrote to memory of 1572	4068	v3275973.exe	114
PID 4068 wrote to memory of 1572	4068	v3275973.exe	114

C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe
"C:\Users\Admin\AppData\Local\Temp\74991b8b0544fa500ea5cb196e746fa3f4d98c5d0623c46470044b2710b5da38.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:N"
        8⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "pdates.exe" /P "Admin:R" /E
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:N"
        8⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\925e7e99c5" /P "Admin:R" /E
        8⤵
        
        PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:4252
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe
    3⤵
    - Executes dropped EXE
    PID:1572

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275973.exe

Filesize
514KB

MD5
0c217f89099eda433b9cf3f5e4cf38db

SHA1
35a474a669acf1f1d0003faf3070f373851346d1

SHA256
36f21f0823382d0ec4e031f21139eb69ad36a8fa2dea1e793d35ae932c5e97d8

SHA512
cb8dd763f2cc18fefe7712d369edf22582eda6cec006f2e6b2aae16f214c2a1592868e1a80d970aef672e2342227e2138a8bdb422948aa3aa91f550024066ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2527041.exe

Filesize
173KB

MD5
e47e3aba018821e3af6ad1ca7e340bcc

SHA1
7a30646566fdfd7e2fb8101f8d8d3c0e5ec63db1

SHA256
65a354189fb0c95c75197e6ac71e870c8ede662ccac0b5589277e04180110857

SHA512
4cced0461ed7f28e1f6081cbcbe7907c2ba932f758bdfa6cc339e2bb7fb04277c05e929a046f2e98e7748174413ffadae56afd1d2c0e4af24e71664cb98bf248

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9906445.exe

Filesize
359KB

MD5
82a0189b51579796f5af643cdd64b219

SHA1
58266c9f5286827e9818f6de26240394f414d1f2

SHA256
7fc2fc7a4a54a24e857b93dbe9ea59171a4b1ec85201f57e9bf5763f85570f8a

SHA512
655f371c6edbb589c79c885be93a32a4d96a55ce22c342dc49f60ffb05327bbcfb5e1f8c78f206f6f9311278ce7173222b6993f46a9832a17d3981c15852f73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9373749.exe

Filesize
37KB

MD5
ad76331cb3e0ba1ef3282e942ab0897a

SHA1
7fe032b40c5c00187925f057285020287b95b776

SHA256
8673193d10d77511c07dfd6d04b1bc2efffe69c6a5b01f35a145bdf1aaae48f2

SHA512
c712e922476ec30d00c16656009a9c964153303508144cd235859bfa57dc7bcef28a9db06cc8ca5f631468c4d7a9837a07282f3bedc537a82aa4aeda9cfa5b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3094225.exe

Filesize
234KB

MD5
2175823686be6b3356cd784e86eb3acb

SHA1
9a0fa52f2a3c32756e07dc3699f235f399a0698f

SHA256
a34660ea0ed56a821719a17b6b81955353848de7996151da5e69b442032f400f

SHA512
7f4f4aa03f58d4dd3ae1ec21e914488a1fd468c30c8b07b46fba1c9ae173c9bd4fae7c25839e9e9fc666b3a9ec46876cdb710eca7e63c086489ef6159608eb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5537611.exe

Filesize
11KB

MD5
72f6e5b3d37f8e459aa8d443f0dee42c

SHA1
b2bf68250386a762387d32d12fe9034773b3b274

SHA256
177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

SHA512
323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8545807.exe

Filesize
227KB

MD5
56bb2a170eef8548aaf7e46ae9378b4a

SHA1
6f7a6cfbfaec571bb944eba344403ad85df09960

SHA256
8a6310e8dad47a438c3ad1e54864144a779ee80db19000604daafd367f4fe740

SHA512
a54fb145d5b23683a2ae1467ce9b07cd77c0b7d06553c7d18786da9885c0c1be29e0b60e173027675899eaa08ee94b4b617577c3503dfbb58365b0e413a28ed4

Download Submit
memory/1572-53-0x000000000AD70000-0x000000000AE7A000-memory.dmp

Filesize
1.0MB

Download
memory/1572-50-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

Filesize
192KB

Download
memory/1572-51-0x0000000005720000-0x0000000005726000-memory.dmp

Filesize
24KB

Download
memory/1572-52-0x000000000B240000-0x000000000B858000-memory.dmp

Filesize
6.1MB

Download
memory/1572-54-0x000000000ACB0000-0x000000000ACC2000-memory.dmp

Filesize
72KB

Download
memory/1572-55-0x000000000AD10000-0x000000000AD4C000-memory.dmp

Filesize
240KB

Download
memory/1572-56-0x00000000031A0000-0x00000000031EC000-memory.dmp

Filesize
304KB

Download
memory/4252-46-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5044-28-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download