Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:57

General

  • Target

    2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe

  • Size

    514KB

  • MD5

    ad9443ce5e431e8295fd202f57cf1d6d

  • SHA1

    330ab81f8d5d8360f11e9e15f6829608c3ed666e

  • SHA256

    2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc

  • SHA512

    d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb

  • SSDEEP

    12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
    "C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4496
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3056
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1240
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4056
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2732
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:1688
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  7⤵
                    PID:1580
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "pdates.exe" /P "Admin:R" /E
                    7⤵
                      PID:2232
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:1984
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:N"
                        7⤵
                          PID:3280
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\925e7e99c5" /P "Admin:R" /E
                          7⤵
                            PID:1980
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:4516
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
                  2⤵
                  • Executes dropped EXE
                  PID:3780
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:2612
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:1820

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe

                Filesize

                175KB

                MD5

                647971d0cadf19b3146ed9825e2e2791

                SHA1

                25435c9b63194809b1ddff2ea49f68336fa16673

                SHA256

                48b9794032771dfe78fc2c2b15e43e4b0a43143a6d6d5f3cea6e64dbcb976a76

                SHA512

                24aa9c1d3252a641cf4b4e74ba77d4fcf7a2d8023a71981ab514f0f9cc73bb387e54743dc2c4a17799b71608785292a0399e4c9a891479dcea18ad829b426b20

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe

                Filesize

                359KB

                MD5

                061c406e23341bbcb1ff5e1801849cb3

                SHA1

                7ec3197388a3543dc54a754b526a21a74de567c3

                SHA256

                ae86041c8e819499d71e4c6acc7674c2aa2d49c8bcf4772c06fdcabc12acf52a

                SHA512

                176444ce621ff202d78fd397690322fa00d124b7ee51a6ef2cce205e5adc08205db4f4b30f866e8cb8132ef72e83462128cf4d124eeaf8c1d5992e5c18e98adb

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe

                Filesize

                36KB

                MD5

                ce02f9d79dea88099619df5cb1312f35

                SHA1

                3c1679bf6d2ad4436f65458e679c66f79d6ae50f

                SHA256

                855b0ca776047364d7a3d31a44d746dd673f3d6435723e4a5093a1b757584f54

                SHA512

                6ace95a26369b298fe1b9cefdccea26cb2253a11c829836a51b47b9218fa291586aa6ebb652830d44c0a97b7d1e2caac43a93cad02c5182be21d537322db555d

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe

                Filesize

                234KB

                MD5

                76dddeb11de090d98b3d9edc3df979fe

                SHA1

                1400ec7994433f280da5b1d84c12d62d8c19702c

                SHA256

                e13221cfa4276e8a340f3f13212b1fef45770843a843192a8387bbd99143938f

                SHA512

                35384efa7caf27758daeb5d6f9a3f84c422116b77abed1e0bb0e978366cadaf2fc0d7fe15b1bb98bfe398c1eab3fb32eb9e3e1a582f5097a6779b4e2ab80f9c5

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe

                Filesize

                13KB

                MD5

                3a21e5d379f54add2172d6948ca4e597

                SHA1

                f2480642965b7c7a804ad8c62d7a623a815b1b02

                SHA256

                2db95b60ef54ddb759464792be2f8a007214003a75cbca2de2a12f6d512900d8

                SHA512

                010b8ac0ec852bbdc5e14f7409fecc81451c197281c1aff63df0acc98f46628151ce2dfabde6bde01e3c1e6b3c031637efee72edd44365afa78bafeaf63dda19

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe

                Filesize

                225KB

                MD5

                4dcc519d9075200e24e18d1eb479b00e

                SHA1

                93a9cd97d0d7c6c98903391297530577e1228451

                SHA256

                503f3735fdd75fa98e846ffc940735d1bc0f8c89c60de01dbcb852432d37e834

                SHA512

                b1494415d70a3bfbabbd26361b68858c3c785121ec49b6c054e0487c5bb1dac33e8e8c0cc404b39b598b4b8458c48795ff9efab1d0bf60dabe50ba41bd6f8423

              • memory/3780-48-0x000000000AC50000-0x000000000AD5A000-memory.dmp

                Filesize

                1.0MB

              • memory/3780-45-0x0000000000CA0000-0x0000000000CD0000-memory.dmp

                Filesize

                192KB

              • memory/3780-46-0x00000000055C0000-0x00000000055C6000-memory.dmp

                Filesize

                24KB

              • memory/3780-47-0x000000000B0E0000-0x000000000B6F8000-memory.dmp

                Filesize

                6.1MB

              • memory/3780-49-0x000000000AB90000-0x000000000ABA2000-memory.dmp

                Filesize

                72KB

              • memory/3780-50-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

                Filesize

                240KB

              • memory/3780-51-0x00000000050B0000-0x00000000050FC000-memory.dmp

                Filesize

                304KB

              • memory/4496-21-0x0000000000170000-0x000000000017A000-memory.dmp

                Filesize

                40KB

              • memory/4496-22-0x00007FFAF4AA3000-0x00007FFAF4AA5000-memory.dmp

                Filesize

                8KB

              • memory/4516-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB