Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
10-05-2024 13:21
General
-
Target
05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe
-
Size
515KB
-
MD5
311bcc98621f1612a7a0bae8b412dd21
-
SHA1
e6208f01069780dfb69fc831895e3b97cd900842
-
SHA256
05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729
-
SHA512
84aaeae41c97293674a99209e67e09ee915f6c533ef735792493981f7ce8cb6e66b69fa403c6d7fb9a0b9d8041af71484affe045c6582ce98337a4479d596059
-
SSDEEP
12288:LMrhy90ADACn1dQ4Hr1nEb3crjgrngFOW:Syf1dQ4Hreb3crsr0OW
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
news
77.91.68.68:19071
-
auth_value
99ba2ffe8d72ebe9fdc7e758c94db148
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe"C:\Users\Admin\AppData\Local\Temp\05b48b2909386e117184a0bdde8c6718992cf21d07674042c9d076292b260729.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d6192642.exeFilesize
175KB
MD5660c745e3bc446aebd5e95bea410993b
SHA1c46d33504bc5ef550542d07f74bd4f1e7826da03
SHA256bb97c8811add79cf2f4a231939bd29e2ef398b6c747a6810263782a90f7b9ef5
SHA512a61ab6e6f9ab0bb17d1306967fcd6f6c9647c0d101ab1686451edccb641d7bb75acccb0ec13482f87d505d1508d56577ce7c22ae0102e4e4e526cbf6fdea08fa
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9124773.exeFilesize
359KB
MD51969cc55ecdb4ba432f9df129b085fde
SHA1578c239149aa29ea2edad5c751a86d57b145e3f0
SHA25677f32b63d23c002e89fbbe13bd4a1cf8b005e7d988f6f580d58526a7882eb10f
SHA512358147fba496d3222ad4bf76b7edba4121005a7413dc423db3b438b38f3ad33e979645961a5d0b4661f5557dc66ee0e1a4bdacbe4feb475df747f2a8397125ed
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c2505651.exeFilesize
35KB
MD5ba117cdee0f70dde00678528d15b0c49
SHA1003a382b1a54b86999d15334ab118792f8313399
SHA25665ba81cbbf5db895c8091707aec81f6c8390339700187299312c1b9c7ac8b0a0
SHA512d395155fe71ba9073ef3154a03f974df8205c8fb7a57c11fcbab93209e862a12f4bcd8d51ce96f3095fa8cfb9cf7978f160065534dc01dc942b7a2458562f6d7
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4716388.exeFilesize
234KB
MD54f02a923ce0a518b99841b16da953969
SHA171b2bd669764fe784c80b0433dafe5e9e1564e5b
SHA256e12ecc6f8d8bc6e6c5ec72b084e0391fb9d6e2b23619536b9453e5a83feca66f
SHA512ff0f59f919005ec79a075dae8b13c07f508047c37eced3c7ad5c0c6c1199e74bf99f0c327e6c6536a451822397cc10e7d0231110e90d46aebafc093804e50ef5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7651019.exeFilesize
13KB
MD5864b6322ef4be9192d857e078e2a69d8
SHA124680c8fa196f0a1bf8cf51814149441f138f453
SHA2561deb97c02d57f4c00871baa9e93d96541a9419c22cdcfb4cb5d7c152f957b07b
SHA512365f2222be84643e5008ba5999bfd38623787a92fc58b10194775275b5fb1804736206c47739438bae44c6ad5ae502a5bf1f3ce7823d594606f409bb2420a5cb
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4041009.exeFilesize
223KB
MD58c118872da7c5c6359306afdf405fb02
SHA14caf741d452520d043d7010380149a25d9f44bd5
SHA256ac1cd3a1d8a1f854838b8a97fed679078f7d4295ebba95f5a2e7e90bd687845d
SHA512f2037cf9435b1f976e43d6f5c737b50477c03d345054bfccf53075c75ee6de9c343bb55407078bf76fa4c0bad8c3ae13572edf85e34833dba952be507dc8c43c
-
memory/3176-47-0x000000000ADC0000-0x000000000AECA000-memory.dmpFilesize
1.0MB
-
memory/3176-44-0x0000000000E10000-0x0000000000E40000-memory.dmpFilesize
192KB
-
memory/3176-45-0x00000000031A0000-0x00000000031A6000-memory.dmpFilesize
24KB
-
memory/3176-46-0x000000000B2C0000-0x000000000B8D8000-memory.dmpFilesize
6.1MB
-
memory/3176-48-0x000000000AD00000-0x000000000AD12000-memory.dmpFilesize
72KB
-
memory/3176-49-0x000000000AD60000-0x000000000AD9C000-memory.dmpFilesize
240KB
-
memory/3176-50-0x0000000003120000-0x000000000316C000-memory.dmpFilesize
304KB
-
memory/3692-40-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/5092-22-0x00000000007B0000-0x00000000007BA000-memory.dmpFilesize
40KB
-
memory/5092-21-0x00007FFCBFEC3000-0x00007FFCBFEC5000-memory.dmpFilesize
8KB