Overview

overview

10

Static

static

3

00dc3a43dd...78.exe

windows10-2004-x64

10

1b26ae68f4...45.exe

windows10-2004-x64

10

277f52adcf...94.exe

windows10-2004-x64

10

32df5b0360...59.exe

windows10-2004-x64

10

3d03f2fde9...00.exe

windows10-2004-x64

10

50be51fdd5...4b.exe

windows10-2004-x64

10

53b6f1fa7f...02.exe

windows7-x64

10

53b6f1fa7f...02.exe

windows10-2004-x64

10

6286d393c9...52.exe

windows7-x64

3

6286d393c9...52.exe

windows10-2004-x64

10

6547f1c95b...de.exe

windows10-2004-x64

10

6c066f3c43...19.exe

windows10-2004-x64

10

6fca9c5ffc...25.exe

windows10-2004-x64

10

9a3f5d3f84...b2.exe

windows10-2004-x64

10

ae66f2f071...07.exe

windows10-2004-x64

10

b11b1b57a3...06.exe

windows10-2004-x64

10

b7da28873d...d0.exe

windows10-2004-x64

10

d49a64853d...65.exe

windows7-x64

3

d49a64853d...65.exe

windows10-2004-x64

10

d599ef82af...3c.exe

windows10-2004-x64

10

d7873c75af...a3.exe

windows10-2004-x64

10

db2419395b...f8.exe

windows10-2004-x64

10

e7b8d2cb79...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe

  • Size

    390KB

  • MD5

    bb002c60488c5ef7e62f582fbc73646f

  • SHA1

    0e67525e9d135927871ab92f6db6dd936b7e1b92

  • SHA256

    ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707

  • SHA512

    73d5f57444de77b0e4d52d9bb18dc58c3e715a69669412ada51dc7e978a1890db92f8257e014f3b774c2e25b9bb41bb175ed992e807a4c1afea6aa5944bebc74

  • SSDEEP

    6144:KNy+bnr+zp0yN90QE79p5+F4wAg0rKWKc5Fu048imlYLPrB:rMr3y90NQ4KCHKPolYLPrB

Score
10/10
amadeyhealerredlinelandedropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://5.42.92.67

Attributes
  • install_dir

    ebb444342c

  • install_file

    legola.exe

  • strings_key

    5680b049188ecacbfa57b1b29c2f35a7

  • url_paths

    /norm/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe
    "C:\Users\Admin\AppData\Local\Temp\ae66f2f0715075257fd7cda872646950fd845087e7735d1171fc72267d7c4707.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4575459.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4575459.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8160324.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8160324.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7057128.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7057128.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
          "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legola.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:2856
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legola.exe" /P "Admin:N"&&CACLS "legola.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:3168
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "legola.exe" /P "Admin:N"
                6⤵
                  PID:3492
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "legola.exe" /P "Admin:R" /E
                  6⤵
                    PID:1568
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:5020
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\ebb444342c" /P "Admin:N"
                      6⤵
                        PID:768
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\ebb444342c" /P "Admin:R" /E
                        6⤵
                          PID:968
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4774635.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4774635.exe
                  2⤵
                  • Executes dropped EXE
                  PID:4884
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
                1⤵
                  PID:1728
                • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                  1⤵
                  • Executes dropped EXE
                  PID:5032
                • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4528
                • C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                  C:\Users\Admin\AppData\Local\Temp\ebb444342c\legola.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4848

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\t4774635.exe
                  Filesize

                  174KB

                  MD5

                  a286f244579be57765882ea235a52ffe

                  SHA1

                  183bc33000f31407601c78381178d6ed4a760a2b

                  SHA256

                  2b26e1de50aa576e5fe5d4ae2226b82f388722cc467ece0443cfa91aa5008185

                  SHA512

                  9d084800d3551fbc9360ac6298baac3d33286a23d27ac84a1a9ee35f6cc0252a1d7c56ffe6e090eccd1a944656e80b3201d1a358796217cdca9961ad4497cc3f

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4575459.exe
                  Filesize

                  234KB

                  MD5

                  0fcf9bd4753b93185be2b31f52161be6

                  SHA1

                  21bae7d8090d81e8d411bc12cdac0b5f7476b5e2

                  SHA256

                  60769b17ad4bb4c6b3e44a8f222ca21f33b6167fe61ffd06e148a0d0235ab596

                  SHA512

                  a8415967a72b9012cd09822aeb9280e396704637a3298738c8b1093c9f552357c04bef3760fe62e7471539357cf41653f64d6f58559f918d8ed2d28494c67f9c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8160324.exe
                  Filesize

                  13KB

                  MD5

                  62e08f66fca3b5fc9a3f6624a38fd20f

                  SHA1

                  6f3b427d87e4f8c045e24a280c597fec9ab4c42c

                  SHA256

                  7059693aa2a0f89fb51d5de5c77c53340bd48e33895c28f8dcc604521dffbfa5

                  SHA512

                  d8566437800709c1e40da61eb7bfee0debd61a6f7c9331ed7929f6cf8ce30709b90903a235543d4a1d78dab99e5f6bed70695ce3b238b94392bb6f346a53387d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7057128.exe
                  Filesize

                  224KB

                  MD5

                  ed853abe6e4d7338966e053579ab227b

                  SHA1

                  e298af34158e3658d74e21d4edaf08b6ea63cb2d

                  SHA256

                  00f8ae6daf2664fb85f5d2d593d937617fa0e41c0e00108aa6a876f834b5ee3b

                  SHA512

                  42fc5e8f4d1c19be33618499db1a8c8230a95293d91ef37e0df235c8bd55d77b57e5bf380ec4a748084546eb3c599f4f08f83528f6e550803bb3b891d15c025b

                  Download Submit

                • memory/3068-14-0x00007FFFE4913000-0x00007FFFE4915000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/3068-15-0x00000000003A0000-0x00000000003AA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/4884-33-0x00000000004A0000-0x00000000004D0000-memory.dmp

                  Filesize

                  192KB

                  Download

                • memory/4884-34-0x0000000000D10000-0x0000000000D16000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/4884-35-0x0000000005400000-0x0000000005A18000-memory.dmp

                  Filesize

                  6.1MB

                  Download

                • memory/4884-36-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

                  Filesize

                  1.0MB

                  Download

                • memory/4884-37-0x0000000004E30000-0x0000000004E42000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/4884-38-0x0000000004E90000-0x0000000004ECC000-memory.dmp

                  Filesize

                  240KB

                  Download

                • memory/4884-39-0x0000000005000000-0x000000000504C000-memory.dmp

                  Filesize

                  304KB

                  Download