Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 12:34

General

  • Target

    1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe

  • Size

    389KB

  • MD5

    2983d487675b8e857be5cc87ecf3a3f9

  • SHA1

    5dee58d99ebb08bee6f7210ab933e0adeed7930c

  • SHA256

    1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4

  • SHA512

    f547d694a853e4f0924f54cd7d22d7b384b15e58b45749947df5a5b44c9981d8319c6a537c8b3e517e1ece5de8be98bf95251aee51258bafd948bad269e8b866

  • SSDEEP

    6144:KOy+bnr+ep0yN90QE+d2iPWnGyF4ts9EO6GGvo5o8egBZ+t4nDSKWWE3k33GMC:iMruy904d2om56j6RegBYCnprKk3O

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

  • rc4.plain

    006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1d059ca891566e0006cb4534dc4ff845fedd1d3d468c12366e12f98a815ed7d4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2456
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4636
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1560
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
                4⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2952
                  • C:\Windows\SysWOW64\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                    5⤵
                    • Creates scheduled task(s)
                    PID:4896
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3268
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        6⤵
                        PID:2340
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "pdates.exe" /P "Admin:N"
                        6⤵
                        PID:596
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "pdates.exe" /P "Admin:R" /E
                        6⤵
                        PID:4956
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                        6⤵
                        PID:5020
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:N"
                        6⤵
                        PID:1492
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:R" /E
                        6⤵
                        PID:4824
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe
            3⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5080
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe
        2⤵
        • Executes dropped EXE
        PID:1768
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4460,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:8
    1⤵
    PID:2356
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:548
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:380

Network

  • US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • BE
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    2.17.107.122:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Fri, 10 May 2024 12:36:08 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.766b1102.1715344568.3525ab1d
  • US
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
  • US
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79.deploy.static.akamaitechnologies.com
  • US
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
  • US
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    122.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    122.107.17.2.in-addr.arpa
    IN PTR
    Response
    122.107.17.2.in-addr.arpa
    IN PTR
    a2-17-107-122.deploy.static.akamaitechnologies.com
  • US
    DNS
    122.107.17.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    122.107.17.2.in-addr.arpa
    IN PTR
  • US
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • 77.91.68.61:80
    pdates.exe
    260 B
    5
  • 2.17.107.122:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.3kB
    17
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 77.91.68.68:19071
    j7773066.exe
    260 B
    5
  • 77.91.68.68:19071
    j7773066.exe
    260 B
    5
  • 77.91.68.61:80
    pdates.exe
    260 B
    5
  • 77.91.68.68:19071
    j7773066.exe
    260 B
    5
  • 77.91.68.61:80
    pdates.exe
    260 B
    5
  • 77.91.68.68:19071
    j7773066.exe
    260 B
    5
  • 77.91.68.68:19071
    j7773066.exe
    260 B
    5
  • 77.91.68.68:19071
    j7773066.exe
    208 B
    4
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    142 B
    157 B
    2
    1

    DNS Request

    73.31.126.40.in-addr.arpa

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    140 B
    133 B
    2
    1

    DNS Request

    79.190.18.2.in-addr.arpa

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    122.107.17.2.in-addr.arpa
    dns
    142 B
    135 B
    2
    1

    DNS Request

    122.107.17.2.in-addr.arpa

    DNS Request

    122.107.17.2.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\j7773066.exe

    Filesize

    173KB

    MD5

    03486d7d10f8be93fb55a5a125d79353

    SHA1

    1926c46e2a3ba3f22d2b9a3ec6ff8314bd0d9527

    SHA256

    ae95cc3dad2258838bab37078d58f17b2cad2b6a60c313168261a564185745bc

    SHA512

    8e380b3e029485f352fc97c51cc1a3d0de69fb7ea83112449390ff0959752849fde05abd72b8439a487a1e3e7d06980bdc90066387fe5d349c7a700e67db335b

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4707813.exe

    Filesize

    234KB

    MD5

    8f60ba120e19ad8816b6be6fba6df1c8

    SHA1

    cfce501aefdaf27580c3c267c18dc40d388fe9f8

    SHA256

    18c735c8cb1cefb78e97a96795b953e64ace0111065000dcc15624852066d0e5

    SHA512

    9e3cae60814cdb4ad60e9fb8ccf39d9ad0d9cc2750683c4c6e3da9551f645e0f3d8bd9ce9c551b7ddc9d79c60b2911dee5981a297a9fad36d769d1d924238559

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6769642.exe

    Filesize

    223KB

    MD5

    aea234064483f651010cf9d981f59fea

    SHA1

    002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

    SHA256

    58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

    SHA512

    eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6299789.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • memory/1768-32-0x0000000000CB0000-0x0000000000CE0000-memory.dmp

    Filesize

    192KB

  • memory/1768-33-0x0000000005590000-0x0000000005596000-memory.dmp

    Filesize

    24KB

  • memory/1768-34-0x000000000AFA0000-0x000000000B5B8000-memory.dmp

    Filesize

    6.1MB

  • memory/1768-35-0x000000000AB20000-0x000000000AC2A000-memory.dmp

    Filesize

    1.0MB

  • memory/1768-36-0x000000000AA60000-0x000000000AA72000-memory.dmp

    Filesize

    72KB

  • memory/1768-37-0x000000000AAC0000-0x000000000AAFC000-memory.dmp

    Filesize

    240KB

  • memory/1768-38-0x0000000004F80000-0x0000000004FCC000-memory.dmp

    Filesize

    304KB

  • memory/5080-27-0x00000000002C0000-0x00000000002CA000-memory.dmp

    Filesize

    40KB
