Analysis
-
max time kernel
161s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-05-2024 23:58
General
-
Target
33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe
-
Size
1.7MB
-
MD5
33afe0d9831bf1b5c5f68486a6b78b70
-
SHA1
b8072fe876bbb198eaa3585b23f893d01aa333b8
-
SHA256
1ce34eb3e4f496807e4fc1b26909664c47bf47918645aee30725f2e02409d519
-
SHA512
c8b5c03666bb47649a006aa9aa04fce75a59bf5a41650d58893eff7e1b99d82a8c08172c8079054c3a9edbd221e691aa97f2276cc0d1d1fa4de6c24d7be5fb64
-
SSDEEP
49152:MyymmE0wLtAeK7aL5maghzJlLbZMa+K6:M94tAHC5/6lLNHH
Malware Config
Extracted
amadey
3.80
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 3 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\33afe0d9831bf1b5c5f68486a6b78b70_NeikiAnalytics.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv140670.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv140670.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI634819.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI634819.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd512424.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd512424.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jU902903.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jU902903.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48536905.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48536905.exe6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\1.exe"C:\Windows\Temp\1.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61318478.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61318478.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 12607⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c03133251.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c03133251.exe5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F7⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E8⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"8⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"8⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d11260793.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d11260793.exe4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3916 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5448 -ip 54481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iv140670.exeFilesize
1.4MB
MD526ffb52098ca91ff899327526b10cd9f
SHA1145a65ccb6ffa7c9c010a8babca132e905b10c20
SHA25673d846782405f0f6037941c7b86bf2122b1ab9ba2fcf60415a43712a1a075eaf
SHA51213b7d9e5e32d119b8e4a16a5875c6f9871468d447ffa945fbaae2f26299dd69b55ab9ca8571c38fe9a47aa2a9fa4e7d2a4501070f3a50e6695eb16da43569ea4
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TI634819.exeFilesize
1.3MB
MD508a9319732cbe8f346adaa4a63e2a1ac
SHA11b91af8d81e2ebc9ca33845045664b896f9a10dc
SHA256f2c2ecdae01e8006e6e0383ce5c1ac2209ba685c707234ec7df7dad21d048a73
SHA5125504b4fecacfa787e0344c043bf0f9b9fd0623d17f5e51d42d967175742d8d9b891e5fc5454b14e625337dd24f98da2b62641f81a4ae16d82f6ce51ba212b69e
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d11260793.exeFilesize
582KB
MD50344cb53a5ae4ffedd1d30dbd2ef607d
SHA15516bd1b8f75b1852f2175f3fcafb51b0fdb4bc2
SHA256f3dc7f949de8c06da3f521ba5d69d2dc699ac9b3301685ac5339575479bf03df
SHA5125e73ca977348e0fc0bafd0b1b39913ad32f0e2440bd19a83f8ab9d0d7cd4c8ac8fe9f0b1830e72deeaa57eb04e05860d2ad8e1f21ea1c79e2d735633ae0c8395
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gd512424.exeFilesize
851KB
MD56ff87fbd3728e8890f734aed576a66af
SHA15396eeb01bd18cc8a5a25a6fcc2bfa51d53e3c66
SHA2568fb9265e46e24ed76f9e0c5845fb1fca104be9f786e476e0ca4823167a0af28f
SHA5120b4ee56ef372056b6621af50d906c286ee9e8eefcb038c8b9eb58b9babbc1144e322588811e9aeb598634528c415a103b3024325eca3d8aeef746aac7134ca78
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c03133251.exeFilesize
205KB
MD590709cf5c75ac704c978e83d4676b329
SHA1124c7f7dc9b85521d0447bb47d70454a87526710
SHA25604cc1ef2da0804c42bad3b00e63b351810059df4be950954391bfd5d88afb0b0
SHA51268b0a87a2ddc38c4c8bbe800d8b29e035e2c33280d5384d7889c9acd5a981c067211a8b16d335bfb9488497ce927f4fd20ff3dba1de830805693e8a237f59f2d
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jU902903.exeFilesize
679KB
MD5874d5940cf48af52f3bd32b94c1b99af
SHA1f76adb4d98c08cb7fe4b016cc264bb61666052cf
SHA2568d38c6963c22ec8357c4c9dc7ddd2f9dd792e4ada150a79aff6389902174b326
SHA5120efc5e9e56ad211e76764ee33054d1089192efc3ac3eb3e723e996b337d86e0639b2874abc84f8f774b7ef89eca300351cfb3a998105f3548af234796e24a15d
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a48536905.exeFilesize
301KB
MD577330d32b268aae7e9a54c98213557ec
SHA1284b239010c180e9f9ee865949f4a485a46b47d0
SHA2566bc20f2235597b07cf888e388ba76aaa84eaa2b7612638db84ad47c6eec3e96c
SHA512ea24b95c5eeb234bb88c06448d0a0992fbfc5833dfdd030c26084eee97d1f44d4b858f2a1e40c7450243d13bf6f97ea1c375c99d1d8a1357159544c713ca8ebe
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b61318478.exeFilesize
521KB
MD5dd55ac91c7100607fb7c1a214d0654b6
SHA19fa81d7c258ee01275708c6603ce48f4560ecb51
SHA25644e8dbc157ae86062136f07cfe4918c902df651ed40ef835c85fb0ee57dc233f
SHA51259a07b85897abdcdc8baba2a2ab90df3a0554938c3fb27a9c0baccf6e7a956d00cd820f00f7a4b03cd6e209670b1e92477d09f4129e5248c765f04d0645dffdb
-
C:\Windows\Temp\1.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
memory/2848-79-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-65-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-37-0x00000000049F0000-0x0000000004A46000-memory.dmpFilesize
344KB
-
memory/2848-39-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-47-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-101-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-99-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-97-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-95-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-93-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-89-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-87-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-85-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-83-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-81-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-35-0x0000000002500000-0x0000000002558000-memory.dmpFilesize
352KB
-
memory/2848-77-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-73-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-71-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-69-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-67-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-36-0x0000000004BB0000-0x0000000005154000-memory.dmpFilesize
5.6MB
-
memory/2848-63-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-61-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-57-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-55-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-51-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-49-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-45-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-43-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-41-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-91-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-75-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-59-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-53-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-38-0x00000000049F0000-0x0000000004A41000-memory.dmpFilesize
324KB
-
memory/2848-2166-0x0000000000560000-0x000000000056A000-memory.dmpFilesize
40KB
-
memory/5448-4312-0x0000000005890000-0x0000000005922000-memory.dmpFilesize
584KB
-
memory/5452-2183-0x0000000000A80000-0x0000000000A8A000-memory.dmpFilesize
40KB
-
memory/5964-4334-0x0000000004E90000-0x0000000004EF8000-memory.dmpFilesize
416KB
-
memory/5964-4335-0x0000000005510000-0x0000000005576000-memory.dmpFilesize
408KB