Analysis

  • max time kernel
    159s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 12:28

General

  • Target

    c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe

  • Size

    390KB

  • MD5

    163816fafd3946cc9e0b0a56dbb544e0

  • SHA1

    a9306aaebf9e16c1e6d97130dcf711017894c10e

  • SHA256

    c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe

  • SHA512

    5c88643b23d96c41ec903e804077f9ec6e49cb54752a5c2b1a5476f284c43c859803bcd9cea53a9816752cc392a5b2dd16920f21c37ef5101b746f5cc80fea07

  • SSDEEP

    6144:KKy+bnr+kp0yN90QEU3oZDwSSJAvVcQlPRAbR4SHgUTyxrDumDiaobYNZTBCo9V9:2Mrcy90oe8Fk5ARkFrivbYrBCHPtEb

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe
    "C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        PID:4832
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe

      Filesize

      234KB

      MD5

      93ffa00468934287166af15b60356eeb

      SHA1

      35e9d895a966d897ba33251c2d2b5a7014319ee7

      SHA256

      6bc35ed67d1cea02ceff4819bc69c44423c7d1a8436a72eeb44b7f1af9651176

      SHA512

      4c9ceb360842454e36d5f13b6d9b5bdc9325406079bc12805af8d56013b00af5d5c84f83e4ee608f6fa8758527cb6086bd4f484860ddc49a8f11bf758d85c23f

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe

      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe

      Filesize

      223KB

      MD5

      aea234064483f651010cf9d981f59fea

      SHA1

      002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

      SHA256

      58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

      SHA512

      eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

    • memory/1748-14-0x00007FFE5F7E3000-0x00007FFE5F7E5000-memory.dmp

      Filesize

      8KB

    • memory/1748-15-0x00000000005A0000-0x00000000005AA000-memory.dmp

      Filesize

      40KB