Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 17:57

General

  • Target

    9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe

  • Size

    514KB

  • MD5

    b2a6158e5066da9cdf80f68a45607dbf

  • SHA1

    9c0a1b48a8f821e1bfe1cb4266aed6fa30294c9c

  • SHA256

    9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9

  • SHA512

    c8a3d4dd40a4c1dcec017e78105426093d4be62bd931b72af4ab38cdce5cfef19eb3b74d2cd0c63e352bb6c3cd76ab08922f0ecc8c26f0bb159a7e393b914cf7

  • SSDEEP

    12288:7MrVy90uCP6AGluvgTtGOTN8F3a56b3WEwjXh:iyG6AGsgTtLma6b2h

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE (9 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe
    "C:\Users\Admin\AppData\Local\Temp\9be0387d865bef272b66fe34363fa38f5c4e2be5b6b773526bfc1d14b4791eb9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1756
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4992
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1428
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4192
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:624
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:972
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:N"
                7⤵
                PID:4740
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:R" /E
                7⤵
                PID:4904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:4156
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\3ec1f323b5" /P "Admin:N"
                7⤵
                PID:5116
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\3ec1f323b5" /P "Admin:R" /E
                7⤵
                PID:2264
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:3296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe
      2⤵
      • Executes dropped EXE
      PID:1016
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3168
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:3216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3259425.exe
    Filesize: 173KB
    MD5: dad0a56b4a46dd107ee19b0841f142bf
    SHA1: 6fb7574d16cfe7930245c996dac1cb257e1b7580
    SHA256: 8fd81175d2e88f745ed105bb2676d61fc344cac6e2123458239e7f59e729b0c3
    SHA512: 8ac9950d75908f9d5f649d68b40e16d7b3561787a746316e58efec2d159e4de2f00b48d24b22c66754a281e4afc248f75fb20260a0d1d10803c8ca25bc360bdd

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7929989.exe
    Filesize: 359KB
    MD5: e8a9f3d6ecb4c26bd6bc4e71f4b05a15
    SHA1: dc1e9b1c73d4e69075851b0e5ce1b37a3fb6cdd7
    SHA256: a19ced96b752290321528be8392b26ecfc18bc8ec036dfd0ee2f3688b6e70040
    SHA512: b4443c8af6beca8ae5f837c9ab5db4b85c4656a9e0d541bcde462a94cac6a0ca8d30a77135202268fa07082248e0da0ae9987bea1f2d99091389ae65ef3565e1

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7649135.exe
    Filesize: 32KB
    MD5: f4d46a7d58b62aa1e9aff531b58f0e01
    SHA1: 1d8584b61f64d6774fddff01b1846d3ddadce4c7
    SHA256: ef5f0ad02d3591bb94f82ea5db1ecdd57de252068afd1e10dbd91de7f29fab3c
    SHA512: c9824b40aa89c62cadf50efafa8e4f133ae28cfa0a405a2525bf77a322b3d6e105080891e84a629133cbac2258e2417b1e8709e9e2fb24ba0ff838b7061d5459

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0075279.exe
    Filesize: 234KB
    MD5: 88082d7552ff97ce093ec66b5673e820
    SHA1: 5782bd873b13b7d0a27138a3a6bed8b006aeac62
    SHA256: b2b6d9ee0b8974e53102bf934aadfb3ac8bac356e845dda30459be570d5a49c0
    SHA512: 65559606241fe01d7389cf6ea00040563e70e2de51f8701418e33921859db6e6d6884f1d56f8bf9daf02a3710b40165919c6cc2661f2f377121b8d38e23372df

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1007008.exe
    Filesize: 14KB
    MD5: 9e3e1c1a3c2e043e04527d7893c74f75
    SHA1: 16488d45358b3be09e4a1f6c9ace7686dcd1c4cb
    SHA256: 2bda16ddd92a9e1e73f1ac0f3cbf821494cccffa7021e8aeeb0747b6b4afdd90
    SHA512: 508b5897414f39c92ffe58f2c8fcdd13066eb31798a827bac800a57a357e5dfc144ea902e2c0b6b49cfb1ea7927b01ee95032a94d70eea4fdde6af168fcb1ac2

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8404512.exe
    Filesize: 227KB
    MD5: 85a74569a8064684aa9b3270f294d22e
    SHA1: b6d2cac2b9db6c71e7ea5ae3c14cf035049799a8
    SHA256: 756e1e7fc4a14d9b2a028fe8953405d103d4cac220a79f1d0ee9c85aae1c2ef9
    SHA512: 25942708ee0a4ab138bb3138655549388811c81c14beda1c9dd97d09fb792de3796c2a34d53e6d4a32ae055edf996346d5ef6d8ae6e792378b2ad048148d7cb9

  • memory/1016-51-0x0000000004930000-0x000000000497C000-memory.dmp
    Filesize: 304KB

  • memory/1016-48-0x000000000A480000-0x000000000A58A000-memory.dmp
    Filesize: 1.0MB

  • memory/1016-50-0x000000000A420000-0x000000000A45C000-memory.dmp
    Filesize: 240KB

  • memory/1016-49-0x000000000A3C0000-0x000000000A3D2000-memory.dmp
    Filesize: 72KB

  • memory/1016-45-0x00000000004D0000-0x0000000000500000-memory.dmp
    Filesize: 192KB

  • memory/1016-46-0x0000000004DF0000-0x0000000004DF6000-memory.dmp
    Filesize: 24KB

  • memory/1016-47-0x000000000A910000-0x000000000AF28000-memory.dmp
    Filesize: 6.1MB

  • memory/1756-22-0x00007FFCEB7C3000-0x00007FFCEB7C5000-memory.dmp
    Filesize: 8KB

  • memory/1756-21-0x0000000000ED0000-0x0000000000EDA000-memory.dmp
    Filesize: 40KB

  • memory/3296-41-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/3296-40-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB