Analysis
-
max time kernel
159s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-05-2024 12:28
General
-
Target
c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe
-
Size
390KB
-
MD5
163816fafd3946cc9e0b0a56dbb544e0
-
SHA1
a9306aaebf9e16c1e6d97130dcf711017894c10e
-
SHA256
c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe
-
SHA512
5c88643b23d96c41ec903e804077f9ec6e49cb54752a5c2b1a5476f284c43c859803bcd9cea53a9816752cc392a5b2dd16920f21c37ef5101b746f5cc80fea07
-
SSDEEP
6144:KKy+bnr+kp0yN90QEU3oZDwSSJAvVcQlPRAbR4SHgUTyxrDumDiaobYNZTBCo9V9:2Mrcy90oe8Fk5ARkFrivbYrBCHPtEb
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Executes dropped EXE 3 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"C:\Users\Admin\AppData\Local\Temp\c29b675475cb8428efab71268c98263fcbf9de29cfb64f21bf49b0a28c5982fe.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9244876.exeFilesize
234KB
MD593ffa00468934287166af15b60356eeb
SHA135e9d895a966d897ba33251c2d2b5a7014319ee7
SHA2566bc35ed67d1cea02ceff4819bc69c44423c7d1a8436a72eeb44b7f1af9651176
SHA5124c9ceb360842454e36d5f13b6d9b5bdc9325406079bc12805af8d56013b00af5d5c84f83e4ee608f6fa8758527cb6086bd4f484860ddc49a8f11bf758d85c23f
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1098789.exeFilesize
11KB
MD57e93bacbbc33e6652e147e7fe07572a0
SHA1421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0555264.exeFilesize
223KB
MD5aea234064483f651010cf9d981f59fea
SHA1002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6
SHA25658b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503
SHA512eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434
-
memory/1748-14-0x00007FFE5F7E3000-0x00007FFE5F7E5000-memory.dmpFilesize
8KB
-
memory/1748-15-0x00000000005A0000-0x00000000005AA000-memory.dmpFilesize
40KB