Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 13:07

General

  • Target

    cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe

  • Size

    514KB

  • MD5

    2993a209322f7d93406fd78632f4a545

  • SHA1

    e141503a5dc185ee91e131b8404ee5f563ff1cd1

  • SHA256

    cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3

  • SHA512

    cb8d9e79b3ed4ba5711cd8933590ce1dd9e349f7a399c38650a1b3611c4a50a415f0b7de91701f3e77e8297d38bb433fc7fb3d53cfd1e46e76f99772aeabfc3b

  • SSDEEP

    12288:cMrzy90i9beiGTgODcYq3pB/npmVb66azq:vy/bhGT5Pq3Lhm/

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

rc4.plain

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe
    "C:\Users\Admin\AppData\Local\Temp\cfdc6cd562d69f4233d6d8bcde44d4bd5e6825bd17383e6bb2f76b9fd006ead3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4876
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4564
          • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
            "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:5028
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:1720
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1456
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:2228
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:N"
                  7⤵
                    PID:3836
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "danke.exe" /P "Admin:R" /E
                    7⤵
                      PID:1832
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:3180
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:N"
                        7⤵
                          PID:3092
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\3ec1f323b5" /P "Admin:R" /E
                          7⤵
                            PID:1752
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe
                    3⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:2416
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2072
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:3548
              • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
                1⤵
                • Executes dropped EXE
                PID:4176

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d8501327.exe

                Filesize

                173KB

                MD5

                12c1ab680089f44c182ab0d1f4a95ae1

                SHA1

                4a9cfa25e4810ff2428356308e3317aee191d541

                SHA256

                4a62ceddedc8c2a3cd54f23196890111038241c4f792ebd949d80385cad0f3f5

                SHA512

                46682624d94f3131db1b196d6bb47ac6e367045fc779a309d8433fc54e6f9ef6edbf99479f976437e5601b9e5f479909bbb46a353f07416790892641c64764ff

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4435054.exe

                Filesize

                359KB

                MD5

                91933e51696584a07d7c09e2e13141f5

                SHA1

                0f24a6ac68fb31fb27b7c2a0710ad37019447204

                SHA256

                51b3eccbb193d1455e060d100fcbf91133f137aebc267fb4b9a4b91952126498

                SHA512

                ccaf03c65b0ae52dad65d5395d16aedb6abe777962a4c6f5cfeb1831d41ed0d0bba6c2d6e62071337b5bfcb34996d68e94ece6bb56110c88f49719d7be2c45c8

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c6942777.exe

                Filesize

                32KB

                MD5

                ecaccb61a433da4a9745317a688738ed

                SHA1

                54aad35ff3dbb45a12263306af2a409e56ffa5a0

                SHA256

                35c335eb5c241a978210148f6886ca0ee20bcd368b17bbaf15eaac5465d14132

                SHA512

                d4379e9fad838589d447b1a7494f5fff9e9c8797e24bdab00fe3a9f5704135e6263e15432b3dc1fa6c719e93a20271962be87f3be0873f78d7b83d0a4f31dea0

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6076158.exe

                Filesize

                235KB

                MD5

                0711e5b846ebcd95fdcce83aa82ee27d

                SHA1

                87975557ea8e9efda716a9377dde46b57a7662e8

                SHA256

                06193190d3c01ff9e2fa5eafb338a958d74abbe89259f7f70391df0721f9a332

                SHA512

                26fbf12831309e5dd644a73743cd518afff4e9a582893302588ac60552c191e3d21dcd5c2e3cd13fc70ede345aa7ae2e05785e10cd2fc23d0d78cb61153f0c1e

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0825239.exe

                Filesize

                14KB

                MD5

                7142af778ac7df1f47ee0f67c5969d10

                SHA1

                1c951387ce612014321c82bb225b7ca674bc3dd8

                SHA256

                bbcf2054c9add3d18e308671ee5b1f3cebe898baf3634394b5bbb4c3855c512c

                SHA512

                d96b464e2e156dbb4afd6cde6f916398db0a6883914a71e682d4170e14b0047a8e59b0b1a5762addeff2b54ef0347cf6dde4e7032bd54d3845ba610616dfa17d

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4802302.exe

                Filesize

                227KB

                MD5

                270a148b44bad929ed1a4adc8cbd94a2

                SHA1

                55a61daf7fa7f81317d3bacf86064cf27eab3649

                SHA256

                f125c5d00d3075ed916a60e58897b960eee948a141f793577ad013c85cb91809

                SHA512

                e9ae358b7e659403326f4da5196217636e24dc09b68c487bd62523d3390ed727247b9a74ecad802277b9d831f95e645e7b40bfe162cf08f6fd3340eb82109c59

              • memory/2072-48-0x0000000009FD0000-0x000000000A0DA000-memory.dmp

                Filesize

                1.0MB

              • memory/2072-44-0x0000000000020000-0x0000000000050000-memory.dmp

                Filesize

                192KB

              • memory/2072-45-0x0000000004800000-0x0000000004806000-memory.dmp

                Filesize

                24KB

              • memory/2072-47-0x000000000A460000-0x000000000AA78000-memory.dmp

                Filesize

                6.1MB

              • memory/2072-49-0x0000000009F10000-0x0000000009F22000-memory.dmp

                Filesize

                72KB

              • memory/2072-50-0x0000000009F70000-0x0000000009FAC000-memory.dmp

                Filesize

                240KB

              • memory/2072-51-0x00000000042E0000-0x000000000432C000-memory.dmp

                Filesize

                304KB

              • memory/2416-40-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/4876-22-0x00000000008D0000-0x00000000008DA000-memory.dmp

                Filesize

                40KB

              • memory/4876-21-0x00007FFD6E5B3000-0x00007FFD6E5B5000-memory.dmp

                Filesize

                8KB