Overview

overview

10

Static

static

3

0b77ecaa1b...bd.exe

windows10-2004-x64

10

15a93b61b0...e6.exe

windows10-2004-x64

10

209703dd4d...93.exe

windows7-x64

3

209703dd4d...93.exe

windows10-2004-x64

10

371f83e057...f2.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

613e8de3b5...a6.exe

windows7-x64

3

613e8de3b5...a6.exe

windows10-2004-x64

10

6bd55afbde...65.exe

windows10-2004-x64

10

74991b8b05...38.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

7b57226b37...3e.exe

windows10-2004-x64

10

7fe3c52960...9b.exe

windows10-2004-x64

10

8e6c08ec1c...56.exe

windows10-2004-x64

10

9cb8e2b154...93.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

a62a548ffb...a0.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

c606fbb70c...7c.exe

windows10-2004-x64

10

c84d7a88c3...a4.exe

windows10-2004-x64

10

d637403a7a...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 15:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe

  • Size

    515KB

  • MD5

    7d2ce35a27a37baf28988e65cab27fcb

  • SHA1

    55a23ab7eb441e4a904916bad1ebefe8aa212d2d

  • SHA256

    7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e

  • SHA512

    eb8c1c631efb67b344bf93ffb8398f26009b1cc158e8d0a05ccf39bd989bb6267b743b8175fcf59933dc227cbbc7f5ffc2de94feefbdc97735e64fe71bf5f6e4

  • SSDEEP

    12288:UMrxy900zkSW5R1HN6zM61qV0h6B9UDGElqD:9yjyHNr61uVjUDGX

Score
10/10
amadeyhealerredlinesmokeloaderlandebackdoordropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe
    "C:\Users\Admin\AppData\Local\Temp\7b57226b37b29e8c8fc26bb0a8f5f069da16548a19709cb24661efa4e037303e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:212
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:728
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2500
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:1528
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2944
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:3720
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  7⤵
                    PID:4956
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "pdates.exe" /P "Admin:R" /E
                    7⤵
                      PID:2640
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:5028
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:N"
                        7⤵
                          PID:1244
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\925e7e99c5" /P "Admin:R" /E
                          7⤵
                            PID:1692
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:2288
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe
                  2⤵
                  • Executes dropped EXE
                  PID:3684
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
                1⤵
                  PID:2280
                • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1484
                • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1528

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4653379.exe
                  Filesize

                  174KB

                  MD5

                  f929cf45e5696adf5666926d12ea97c7

                  SHA1

                  3640bdf242887dd0ddb3db105ff7ce45c8c116fb

                  SHA256

                  881be44b46f7a81fe38f97b33e89dce6ef6cabd81325d64051d664a51014365e

                  SHA512

                  ec47cb258ac27c982f40721b297d37c725efd0b0399ee115df8e89542f08ff6e0512846506ebfbba7b586f58ed44459c312f84f345f2c907cce0378f60ad1562

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9388032.exe
                  Filesize

                  359KB

                  MD5

                  c83f9d17470f70d854cf61584b7b9d6b

                  SHA1

                  008b2d72fc7bb5880133cff8da93940f6f27ee9d

                  SHA256

                  5be7d8a73a15ef936280f0c027d3589377bae3c537abc8fc3b7afdfd10760df6

                  SHA512

                  4281a3717d4ac4b62489e6477a9ea1dc458ddfefa5620c91b062cf88c67aa2e89a0449849a82dbdd107f4624b9a60fe22437e9ed1ae00b8e2fc338f22b0a70fc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1541210.exe
                  Filesize

                  36KB

                  MD5

                  fd17878796266b1fb103f7f9f25c6465

                  SHA1

                  afb817e72c5ebeebaecb23d78f354ae042c493fc

                  SHA256

                  c4ec40856d6f3fcbb8e3913a8e6e796182ef0c15024e3bd297ed75396b317e61

                  SHA512

                  0796bf8724f391d7d7aa2bb7b3303cfa55ba9a5ff3bc55d8de10f319d72523b2e0098b80e7cdd4f267461289e8817c386b1c7d5756beac43314b52e87a3eb66f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8945346.exe
                  Filesize

                  234KB

                  MD5

                  ae04ae8f82ef7c5c18a122e988955911

                  SHA1

                  f9d4e359e3d606ecba052f1ad164032f3ea3508a

                  SHA256

                  07d79376f4928c9646f92b27bb20846aa423bcdc7449d9e62536c32c668b7796

                  SHA512

                  ab110f326e1e8f00191dba0712e04020ff1e8d1dc89b144a14572b00b2a9e883d1b0ce088a2235186a8221ee92ecd84fe396f8847386c01976f7bf4c909cc0dc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4106329.exe
                  Filesize

                  13KB

                  MD5

                  692007d2606bdf905dcb3bb4b84cbc62

                  SHA1

                  0fdf5885f237df7c841080dd84aa17007bd8b3a8

                  SHA256

                  d04192febd6695ec19e9b9e81ba4c645e52543959784fe2e5bf709a640911618

                  SHA512

                  b5b140855638d16aa07f480cf65fcf22dca75126c1158c4967255ae5024ee600d7210eca10318e6f7fb4829d9097e72a055fd5fc81d0f8c0eb33b717856dfcd5

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5418397.exe
                  Filesize

                  225KB

                  MD5

                  0b906be516f3f396f75658e1cf9575ab

                  SHA1

                  3111e750196ca48bd29d0390e54bf9d11785de9c

                  SHA256

                  08d1cc127541e1e558cb004b7c53e3808c41970b0b7645ea0b74d134cda2125f

                  SHA512

                  5bc965f3cae439d9dd47b8449e26b9ad1aa6214395a601a713bb2c00f23f22a2b64e54323f052ef3e1e3948eed48346de754b30ed8dff5c97978e38894baafb4

                  Download Submit

                • memory/212-21-0x0000000000F40000-0x0000000000F4A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/212-22-0x00007FFF15BE3000-0x00007FFF15BE5000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2288-41-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/2288-39-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3684-45-0x0000000000F50000-0x0000000000F80000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/3684-46-0x0000000003100000-0x0000000003106000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/3684-47-0x0000000005E90000-0x00000000064A8000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/3684-48-0x00000000059A0000-0x0000000005AAA000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/3684-49-0x00000000058E0000-0x00000000058F2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3684-50-0x0000000005940000-0x000000000597C000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/3684-51-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

                  Filesize

                  304KB

                  Download