Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:35

General

  • Target

    0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe

  • Size

    515KB

  • MD5

    61851f50c158cd9fcc18c48feffee95c

  • SHA1

    f9926f92e902278822d4e8cc96ea0ad60df70fea

  • SHA256

    0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a

  • SHA512

    7ce29f03b9040535c75e9416bc8039f2282b66ba742a0dd2e08e752c4def86c531388cceea134f6da68261a87cfdb1f03544e07d8d6f186d35f8b4ca16348c5c

  • SSDEEP

    12288:AMrry90FXrxLoTcDl8UEJOwXdRVr3qmVRhSNF4+1uRte1:by2b9ccZ8UEJ1NvdA8+sRte1

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe
    "C:\Users\Admin\AppData\Local\Temp\0ffce302b861da891640dc77cd56a5dc8949895381a445dab72f14f76999784a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3140559.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3140559.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2968486.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2968486.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0869362.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0869362.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2420
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8308802.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8308802.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:724
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4904
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4708
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4344
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:3304
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  7⤵
                    PID:4200
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "pdates.exe" /P "Admin:R" /E
                    7⤵
                      PID:2528
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:3020
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:N"
                        7⤵
                          PID:972
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\925e7e99c5" /P "Admin:R" /E
                          7⤵
                            PID:1600
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4433994.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4433994.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:1344
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1653468.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1653468.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2844
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:980
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4928

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d1653468.exe

                Filesize

                174KB

                MD5

                6465844a90fa05f3d45f8c8108a84670

                SHA1

                f80df1d6d7eb1bebca2fb91efb646a83ee5a9caf

                SHA256

                f74efae7d1faeb610d44dd89f2e61a99e01cf1e2b9c1a7faa817c23055151eeb

                SHA512

                1a6ddfe6b5a0fc3233245730a9f23551c505b2ed4837114efcb1b47b6c4e6da9e0bb63928ca67625c3596513c8597e301252840ed7001dd08b200c41a97987a5

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3140559.exe

                Filesize

                359KB

                MD5

                829b6c6ced5e89cbc5267ca4732d7f8f

                SHA1

                f0ada1c7598666359da9f1caca987b02b5888dfe

                SHA256

                04c7df80c9a520ba741cdb4245f8bb728ed31a5970a90924bb9984bad13c1d09

                SHA512

                63a7bbaa9731a9318b0a8c703e445424c77f12031fb4ab3f718f46a426b285ae7db7ccc4591c2055ede96cc015b713106ce7a9be6f7fc5e4677c53f3f2370659

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c4433994.exe

                Filesize

                35KB

                MD5

                5e08b4f966bda21f6e34f49f59ce29f0

                SHA1

                83dfb6cba2c8b318e5a61095fc7769a41e354296

                SHA256

                c28cce242a56daa7158ba4a0520df04a36b47fed2c0dd300d717293a78aaa3e4

                SHA512

                3db0d5f9bbe69b00274862b1452839db8f1bf7edc7bcfaa1a12b7dfab217d904a23d0e94a080b18dc23c68174e3912175b65259fb80d3f9ddf00b92a1b0b70e2

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2968486.exe

                Filesize

                234KB

                MD5

                f88bac73ec5e5f8b9d707194ba3a3b6c

                SHA1

                0181927195d8a9e5ff905a5e97e75ada5ae35259

                SHA256

                8cb650aa6c29e02c099c14f37fca10688bd921723c8300576fcbf1093a97faba

                SHA512

                a5c265329b3fa923fbdeff2eedc21baa815b89113331441b5dce8176a8324e5cc89fa3c58d704b8c11d568d86abbd76e64fd17354c4dd34705fd9f14691022a8

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0869362.exe

                Filesize

                11KB

                MD5

                ba447d378a1267606b1f361624acb6e8

                SHA1

                41ce7255de8d20141e4813e6ca50228c8622644b

                SHA256

                6ef1b37a60a7c7c234da28d5ae1ec21c4dbceab4088a121f0cd55eb163f75668

                SHA512

                7a8c8a548822f74c5b40c99284085939ff89a392ed73e100516aa5ac77511535d5d4563dbe9912e3e70472bf71b0d74581cc806db20fc9c79c1d519067e4c16f

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8308802.exe

                Filesize

                224KB

                MD5

                ac90754b60676e187253605f012db42a

                SHA1

                162c031c73480695d828ba8e1803a1caef8f3f79

                SHA256

                6284c6c4766710744f721f48e4dadf494f685f01956b0ae07793f39bf60a95d9

                SHA512

                6958753d3315d43648f7e7c2787abab3687162d8fb1bd3a8b90e96355d97752266cb961179bc3df6c075a58192437b2575326892c639b7ed772512fa2696f712

              • memory/1344-41-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/1344-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/2420-21-0x00007FFD83973000-0x00007FFD83975000-memory.dmp

                Filesize

                8KB

              • memory/2420-22-0x0000000000070000-0x000000000007A000-memory.dmp

                Filesize

                40KB

              • memory/2844-45-0x00000000001E0000-0x0000000000210000-memory.dmp

                Filesize

                192KB

              • memory/2844-46-0x0000000002500000-0x0000000002506000-memory.dmp

                Filesize

                24KB

              • memory/2844-47-0x0000000005310000-0x0000000005928000-memory.dmp

                Filesize

                6.1MB

              • memory/2844-48-0x0000000004E00000-0x0000000004F0A000-memory.dmp

                Filesize

                1.0MB

              • memory/2844-49-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

                Filesize

                72KB

              • memory/2844-50-0x0000000004D30000-0x0000000004D6C000-memory.dmp

                Filesize

                240KB

              • memory/2844-51-0x0000000004D70000-0x0000000004DBC000-memory.dmp

                Filesize

                304KB