Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
09-05-2024 18:26
General
-
Target
678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe
-
Size
514KB
-
MD5
1e6d11e2a9a40c2d205a289ef607ae24
-
SHA1
f26f81b52bed31e6603334652139784d0a8bfaac
-
SHA256
678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33
-
SHA512
be2d827e7ad204b3b92c2c83f67a02e62cf4748c6b322493db36b282374d2c53aeb774a6a0f1eb465215e8ce6f956f6ee9f437da9606c8bf1dfc47a036b43d72
-
SSDEEP
12288:aMray90Q3D/EZvDisHKwoWljc/MistLDMn2OxRfsfO0lNKc:AyfEyMY/MiKLDqHRfsfO8Nn
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
krast
77.91.68.68:19071
-
auth_value
9059ea331e4599de3746df73ccb24514
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe"C:\Users\Admin\AppData\Local\Temp\678b5c88fa07f2f823b7edf52683e4214bda0273e380b7a5d2d8c4b6bac35f33.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2156243.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4542108.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a8697821.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b7297296.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6702400.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4301600.exe2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:81⤵
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
173KB
MD509ff9e8194b9ad0696f1a83a1e45a8bd
SHA1bc6cc14f54612d4fb9a8c8cfd911b4c6c465622b
SHA256a4c56e11f4141a85fc9f59202fdca3d1efedc3df744d5ae2cf6f513cbb2a598d
SHA51293724ca75fc0d74f1e02155dbea45d6340f89914a7c22f4ce96518f3aa1214d506b2ceb6771a1501b74ac59e32a0a11bb070d09d17b91ed434f8a58ea5326125
-
Filesize
359KB
MD5f8b39bfd052a81ec0d573ebcaac1c566
SHA193d9f8e6c5dcc5b8b95f039298a5fb58f1d1e968
SHA256e9cb245bfea68f9bf09c96927a2039e0179748356419234cf5d7074ec2dc3fcf
SHA51264326fb13e0cf0ba39aa31fbc7d51e2552b7effec63bf1532a64503497e740238b41f74bfa77d12fce480d59e193735be5c330c2b47225ee9b25102bf4f1a49b
-
Filesize
35KB
MD5022c289b67255f1cae9a045e1ac11c7e
SHA163df7122392ecf04adee9d7b50146871eb860724
SHA25682e2550165ef2417b2b73e68d53b4b2044edff94d615c3cc2e221cb878ffcfd6
SHA5124f26f34a95ad5490ed491079ac38f645b48487cb0e0b7b5abffbb51d49e5294fb498d8c73ed7cd4cecc874dc259ec9d529d8eb4f542d3416ef07a5d7986b2148
-
Filesize
234KB
MD514fe65ca4c39b12df68426389b633aed
SHA10536ff02c6028e3c48420555be37554fc6201c00
SHA256b17e58f21b1a6a41ad1128690f0d562a055d70d0426ba4c394c57c792473e90f
SHA5120b17c1d010132aaae35d58cfc7fe33df11f308d4589b2d48c737c444e77073d3e22f26050b647dbb520728d049cbd2b2eaf3477f893c84ae54dfd22816ceca9d
-
Filesize
11KB
MD51767dda783c36bda069190df01c7467d
SHA14abc5215b48c67b2737aa8b103624cdc11c606c4
SHA25600935df1dc707bc0a575565e8a67f077182679d20e76142d949f1131ada74dca
SHA512a85598f6320fcccae160e7b37b44c572d66e52bc5b8efdcbe581fa3f51fbc4da9995d09415ad2ed4fc1d92dc8008925152a56f0b9703d9add5403dc20fe73208
-
Filesize
223KB
MD53251e050d74c269024a1f95e7c8bb02a
SHA197fea2859babf20a7284918694c62acb9c44ef43
SHA256bd784f2a39cba15491697a55fc222dd825a52729e77fe151621f1d296bab8cb3
SHA512b091edb615306fbb905d90cbb4ffdd5e0b324cba8a2521070997eb733f971bb6b34c65da61b47e752b29f3bbc9a27fd3ed7ab5da385c0a340e556c59e635996a
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB