Analysis

  • max time kernel
    161s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 12:28

General

  • Target

    7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe

  • Size

    390KB

  • MD5

    118c662f820166afa9227a295d5e2cc2

  • SHA1

    a2b6493129c6fa84aa662e694cdaee7685aa51b3

  • SHA256

    7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea

  • SHA512

    cddcd80647224fd43dfb4c2cf76675c9fe5b4cce16947cc45b638e07fa4fea9c31d9c1fc488a07840880f61a559f24d307243b4cc1113e1b82c7a68efcb52666

  • SSDEEP

    12288:HMr+y90/RJg07IvDFwhm5YY2sRO/vUCA:5y4OVvnL2sk3UCA

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe
    "C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5000
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        PID:540
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3132
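The Signatures and Processes sections above give the behaviours (Run key persistence, Defender real-time protection tampering, dropped EXEs executed from IXP00x.TMP directories) and the config gives the C2 host and URL path. The following is an added example, not part of the report: a small rule set that turns those into checks over Sysmon-style events. The event records are constructed to resemble Sysmon fields (EventID 1 process create, 13 registry value set, 3 network connect); the IXP%03d.TMP naming is IExpress's extraction-directory convention, and the Defender value names under Real-Time Protection are general knowledge rather than values shown in this report. Names such as `evaluate` and `SAMPLE_EVENTS` are chosen for this example.

```python
"""Added example (not part of the report): behaviour and IOC rules from this
analysis evaluated over constructed Sysmon-style event records."""
import re
from typing import Callable, Dict, List, Tuple

# Indicators taken from the extracted config above.
C2_HOST = "77.91.68.61"
C2_PATH = "/rock/index.php"

# IExpress self-extractor temp dirs: IXP000.TMP, IXP001.TMP, ... (general knowledge).
IEXPRESS_TEMP = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Disable* values under Windows Defender\Real-Time Protection (assumed, not from the report).
DEFENDER_RTP = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.IGNORECASE)

Event = Dict[str, object]


def iexpress_temp_exec(ev: Event) -> bool:
    return ev.get("EventID") == 1 and bool(IEXPRESS_TEMP.search(str(ev.get("Image", ""))))


def run_key_persistence(ev: Event) -> bool:
    return ev.get("EventID") == 13 and bool(RUN_KEY.search(str(ev.get("TargetObject", ""))))


def defender_rtp_tamper(ev: Event) -> bool:
    # Only a Disable* value set to 1 actually turns the protection off.
    return (ev.get("EventID") == 13
            and bool(DEFENDER_RTP.search(str(ev.get("TargetObject", ""))))
            and "0x00000001" in str(ev.get("Details", "")))


def amadey_c2_beacon(ev: Event) -> bool:
    return ev.get("DestinationIp") == C2_HOST or C2_PATH in str(ev.get("Url", ""))


RULES: Dict[str, Callable[[Event], bool]] = {
    "iexpress_temp_exec": iexpress_temp_exec,
    "run_key_persistence": run_key_persistence,
    "defender_rtp_tamper": defender_rtp_tamper,
    "amadey_c2_beacon": amadey_c2_beacon,
}


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return sorted (rule name, pid) pairs for every event that matches a rule."""
    hits = {(name, int(ev["ProcessId"]))
            for ev in events for name, rule in RULES.items() if rule(ev)}
    return sorted(hits)


# Constructed events modelled on the process tree above (PIDs from the report).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 5084,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe"},
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe"},
    {"EventID": 13, "ProcessId": 3932,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\pdates",
     "Details": r"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"},
    {"EventID": 13, "ProcessId": 5000,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 3, "ProcessId": 5084, "DestinationIp": "77.91.68.61", "DestinationPort": 80},
    # Benign noise: the Edge utility process and an unrelated registry write.
    {"EventID": 1, "ProcessId": 3132,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
    {"EventID": 13, "ProcessId": 3132,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:22s} pid={pid}")
```

The Run-key rule is deliberately broad and will fire on legitimate installers too; it is meant to be correlated with the other three hits on the same process tree, which is what distinguishes this sample's chain from normal activity.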

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe

      Filesize

      234KB

      MD5

      27ff8bcfbd69753a89dca3cb0dcb4793

      SHA1

      0fc68e6d513f53da20e129cabe4c67431924fafd

      SHA256

      1ca048e8af553f43feb76af02ecd336aa40f1c1a25d3f47e92597fe40393771c

      SHA512

      4b5bbe988e9e9f58915b68040e2a62b733836357fad25b689eef6e3550ca405126a01d19f21a296b3dabef20444e331f4dcf7924d3f96ba14cdf927238756653

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe

      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe

      Filesize

      223KB

      MD5

      aea234064483f651010cf9d981f59fea

      SHA1

      002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

      SHA256

      58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

      SHA512

      eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

    • memory/5000-14-0x00007FFC8C1C3000-0x00007FFC8C1C5000-memory.dmp

      Filesize

      8KB

    • memory/5000-15-0x0000000000670000-0x000000000067A000-memory.dmp

      Filesize

      40KB