Overview
overview
10Static
static
31238663077...be.exe
windows10-2004-x64
102176dd1779...68.exe
windows10-2004-x64
1025c57e6714...48.exe
windows7-x64
1025c57e6714...48.exe
windows10-2004-x64
103931c3ca01...c1.exe
windows10-2004-x64
10611b640fd7...5e.exe
windows10-2004-x64
1061ec6f7f31...74.exe
windows10-2004-x64
106c15f1899d...ed.exe
windows10-2004-x64
1075997a0972...ce.exe
windows7-x64
375997a0972...ce.exe
windows10-2004-x64
107a4ee83882...ea.exe
windows10-2004-x64
107b22e6cc31...ce.exe
windows10-2004-x64
108a68d5e2ce...71.exe
windows10-2004-x64
109a72ed316b...b3.exe
windows10-2004-x64
10b2abc74f29...1f.exe
windows10-2004-x64
10b577c897b2...2b.exe
windows10-2004-x64
10ba5c9d840c...7b.exe
windows10-2004-x64
10ba769ab008...cb.exe
windows10-2004-x64
10be7c09289a...43.exe
windows10-2004-x64
10c29b675475...fe.exe
windows10-2004-x64
10f5875e99d2...63.exe
windows7-x64
3f5875e99d2...63.exe
windows10-2004-x64
10fd5bd6afc5...4f.exe
windows10-2004-x64
10Analysis
-
max time kernel
159s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 12:28
Static task
static1
Behavioral task
behavioral1
Sample
1238663077477c73376048d8230b1c33b6f5f6a62da8a6c1274721591dac70be.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
2176dd177933f7067296700761e340f0aada8c29c352796e3aeb0be5db5e1368.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
25c57e67144c4603cb7936eb9ad62fb4a4b313d0acb99262c66c4792f6ecdf48.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
3931c3ca01cc35353f3a071c6ef787511253396b8e24e12cdf7dbbe451ac80c1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral6
Sample
611b640fd7c9e06cb4ffde1db21b1f9ace29ac4c504fc14569faf426b234ec5e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
61ec6f7f3198f2f73155461b5544c1c55e467d0faa1776e05504a411b0530974.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
6c15f1899ddb76b31fda1ef8a7d18f02ebe3c6f0dc3202cb51c180fecb4fcfed.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral12
Sample
7b22e6cc31710809bbb88f27afa15ad45784dd0ccd3da27be9b6ca3b039a15ce.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
8a68d5e2cebc81b87ef22282e4eb9af0b0776fe47cb4a1e39aaed96f3b5fa171.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral14
Sample
9a72ed316bbd2e389eb2ecd7243e5841d041badae874aa11f831b452a7cff8b3.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
b2abc74f29ed52ec7d83d19dcdda578b75bfabfe3cb6be161acad9d570a9601f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral16
Sample
b577c897b2be38c4bed293104f5424d9cc6213dcbf6ee85b26b1d55373ce3f2b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
ba5c9d840c93ebc6710e647c2536f2c811d7af83c76d5eda892fe21495932d7b.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral18
Sample
ba769ab00897d4fb55dffd961262aca94281c6efccb3b806cc40b3c0bfa64fcb.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
be7c09289a731533f9a2ca91d21b2f010905c445c8710ce84ae829cfe48d3343.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
f5875e99d264d6dc6b9a95473f93dd4b60f4562283d31642caef4eb5c5823363.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
fd5bd6afc507aad0acace57fc3b77a0de443e12efcdb3857d899395a962a3b4f.exe
Resource
win10v2004-20240508-en
General
-
Target
c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe
-
Size
390KB
-
MD5
163816fafd3946cc9e0b0a56dbb544e0
-
SHA1
a9306aaebf9e16c1e6d97130dcf711017894c10e
-
SHA256
c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe
-
SHA512
5c88643b23d96c41ec903e804077f9ec6e49cb54752a5c2b1a5476f284c43c859803bcd9cea53a9816752cc392a5b2dd16920f21c37ef5101b746f5cc80fea07
-
SSDEEP
6144:KKy+bnr+kp0yN90QEU3oZDwSSJAvVcQlPRAbR4SHgUTyxrDumDiaobYNZTBCo9V9:2Mrcy90oe8Fk5ARkFrivbYrBCHPtEb
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Signatures
-
Detects Healer an antivirus disabler dropper 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe healer behavioral20/memory/1748-15-0x00000000005A0000-0x00000000005AA000-memory.dmp healer -
Processes:
k1098789.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" k1098789.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" k1098789.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" k1098789.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" k1098789.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection k1098789.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" k1098789.exe -
Executes dropped EXE 3 IoCs
Processes:
y9244876.exek1098789.exel0555264.exepid process 1728 y9244876.exe 1748 k1098789.exe 4832 l0555264.exe -
Processes:
k1098789.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k1098789.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
y9244876.exec29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" y9244876.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
k1098789.exepid process 1748 k1098789.exe 1748 k1098789.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
k1098789.exedescription pid process Token: SeDebugPrivilege 1748 k1098789.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
l0555264.exepid process 4832 l0555264.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exey9244876.exedescription pid process target process PID 3080 wrote to memory of 1728 3080 c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe y9244876.exe PID 3080 wrote to memory of 1728 3080 c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe y9244876.exe PID 3080 wrote to memory of 1728 3080 c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe y9244876.exe PID 1728 wrote to memory of 1748 1728 y9244876.exe k1098789.exe PID 1728 wrote to memory of 1748 1728 y9244876.exe k1098789.exe PID 1728 wrote to memory of 4832 1728 y9244876.exe l0555264.exe PID 1728 wrote to memory of 4832 1728 y9244876.exe l0555264.exe PID 1728 wrote to memory of 4832 1728 y9244876.exe l0555264.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4832
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵PID:3980
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
234KB
MD593ffa00468934287166af15b60356eeb
SHA135e9d895a966d897ba33251c2d2b5a7014319ee7
SHA2566bc35ed67d1cea02ceff4819bc69c44423c7d1a8436a72eeb44b7f1af9651176
SHA5124c9ceb360842454e36d5f13b6d9b5bdc9325406079bc12805af8d56013b00af5d5c84f83e4ee608f6fa8758527cb6086bd4f484860ddc49a8f11bf758d85c23f
-
Filesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
Filesize
223KB
MD5aea234064483f651010cf9d981f59fea
SHA1002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA25658b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434