Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 12:28

General

  • Target

    2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe

  • Size

    515KB

  • MD5

    11c22c7a24b8f0576c3470af1561a6e9

  • SHA1

    47ba63be9cdf137c5356465791cca7e8d26048f9

  • SHA256

    2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368

  • SHA512

    acef19e6e351f779b034509e7eeff3eedebae468702c75c6b3a6c844b9024c84dffd25e768a8214df451fb33d094f979ad458bd0ad80d1a25bc312338b4d071e

  • SSDEEP

    12288:AMrpy90pbhdTlggxZzkUrC7pfy4NHWisj53QEEXOsM0:ZyGzlgrUGPWjhQR

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

news

C2

77.91.68.68:19071

Attributes
  • auth_value

    99ba2ffe8d72ebe9fdc7e758c94db148

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
    "C:\Users\Admin\AppData\Local\Temp\2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3756
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4504
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:676
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:1192
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:N"
                  7⤵
                    PID:3240
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "danke.exe" /P "Admin:R" /E
                    7⤵
                      PID:3112
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:1828
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:N"
                        7⤵
                          PID:2472
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\3ec1f323b5" /P "Admin:R" /E
                          7⤵
                            PID:2480
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:3224
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe
                  2⤵
                  • Executes dropped EXE
                  PID:540
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:1184
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:1988

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6125712.exe

                Filesize

                174KB

                MD5

                5857ee0726d73781a91d8e82eaa75062

                SHA1

                2af364ed6f7f7612b5c7fdff981d547d13518a1d

                SHA256

                9b96fd6fb35d86dbf485be9d03649a67f4e19ec2eacf97b63c1ff5f71495ecc7

                SHA512

                50468fa0a187a446ce3e58aaa2c59ec04f8df55a588a7ae75674976cff5acf1f3c92b27bbe431ebad7f8dbd0125d664f38bade9df34a7fb79c658c5ec27dceb2

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5031831.exe

                Filesize

                359KB

                MD5

                64914ff9bf5be388b673a4c159e81f0d

                SHA1

                e50e480364a0efb07a0b3619a35706a338cec43d

                SHA256

                d86e1af67ea1610cd582ea0dee48a2b98bc078d11b39de4f18e1df0e2b904d06

                SHA512

                073712b4a0aa9be3e81d83aa8ed42366e4962b767846172b0e1b33a784d75776c62b703b324a126334aac3b787ba4f94aa592752ca9c98f3c3691649f5177b49

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c9593912.exe

                Filesize

                34KB

                MD5

                28b567d6d377880e6336770aa32966c6

                SHA1

                44e450e5488cd710318a62c30ecd3c2b0e5ce405

                SHA256

                970dc870f858c266ae0f4b8f2d1e8cdd971896b7ceba28f8edd18bd341b360b6

                SHA512

                1d7bbc36c404de957393268d1fba3a547b8a1b7535cc6f444bcba8393259e24db8144aeb85b2ca0de1e95196eba7d7693e35e2c7319886d42e5b6515b81bf7d5

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5473069.exe

                Filesize

                235KB

                MD5

                47c57a08974e981716c8ebc94e73cef6

                SHA1

                f3a2cc808f85bb7fc40c1814e76cf7ecbc3e76eb

                SHA256

                c42d18d5dcc41dd560469e1c68b7955501ec3b2545ee8322a1f7dde7d7a90ad8

                SHA512

                b6f25499399d4d5738e9b103fe1438705700236656d9242a62194228c69eb70945066fd829191d50e2d8f59aed12cc2bbb5e8daa7961864d81ccb1b8bf7e27e4

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a5970039.exe

                Filesize

                13KB

                MD5

                b9f7307f3344963173587f481cf79702

                SHA1

                d1771c11330d7f05b465837268f1993d16a50ef9

                SHA256

                3f1deb49ae3b7e8074b543490e6a24045c16a73102668c09729a4decb3260068

                SHA512

                ef449c472223eddfd606b5035962564da2b3b47e46dd7bb796e8565f14349bc1edd9e716d4b288d65dda044d47f1ee527554d130f0de6b6cf4d78a1b2e0741f5

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4024066.exe

                Filesize

                230KB

                MD5

                b4e48d49180a5de33de9a468850dd56d

                SHA1

                a813b19d1b7ca147c0bf19394d85dbb5e68e2499

                SHA256

                848b8ac51ed5492cc8dbf0db13d11166b3f40984d335c441ad0370fa1c6efaf4

                SHA512

                aeba44dbea2fd4d2cd72139e1f3a02be121237909bce8eef15fa36c66903bcae2231c0cb527e3aece354b50412a8ebae4dcce8898b66c1608a7643a45f49905f

              • memory/540-51-0x0000000004420000-0x000000000446C000-memory.dmp

                Filesize

                304KB

              • memory/540-50-0x0000000009EE0000-0x0000000009F1C000-memory.dmp

                Filesize

                240KB

              • memory/540-49-0x0000000009E80000-0x0000000009E92000-memory.dmp

                Filesize

                72KB

              • memory/540-48-0x0000000009F40000-0x000000000A04A000-memory.dmp

                Filesize

                1.0MB

              • memory/540-45-0x00000000000D0000-0x0000000000100000-memory.dmp

                Filesize

                192KB

              • memory/540-46-0x0000000002270000-0x0000000002276000-memory.dmp

                Filesize

                24KB

              • memory/540-47-0x000000000A3F0000-0x000000000AA08000-memory.dmp

                Filesize

                6.1MB

              • memory/2436-21-0x0000000000DB0000-0x0000000000DBA000-memory.dmp

                Filesize

                40KB

              • memory/2436-22-0x00007FFCF97E3000-0x00007FFCF97E5000-memory.dmp

                Filesize

                8KB

              • memory/3224-41-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/3224-39-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB