Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-05-2024 14:40

General

  • Target

    2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe

  • Size

    514KB

  • MD5

    ad9443ce5e431e8295fd202f57cf1d6d

  • SHA1

    330ab81f8d5d8360f11e9e15f6829608c3ed666e

  • SHA256

    2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc

  • SHA512

    d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb

  • SSDEEP

    12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh

Malware Config

Extracted

Family

amadey

Version

3.86

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

  • rc4.plain

    1: 006700e5a2ab05704bbb0c589b88924d

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
    "C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:544
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:5020
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2840
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:4176
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4832
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:5104
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                7⤵
                PID:4512
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                7⤵
                PID:2396
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                PID:2420
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:N"
                7⤵
                PID:3304
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:R" /E
                7⤵
                PID:4948
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:1956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe
      2⤵
      • Executes dropped EXE
      PID:3324
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:768
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:3996

Network

  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • DNS
    122.10.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    122.10.44.20.in-addr.arpa
    IN PTR
    Response
  • 77.91.68.61:80
    pdates.exe
    260 B
    5
  • 77.91.124.84:19071
    d7760520.exe
    260 B
    5
  • 77.91.68.61:80
    pdates.exe
    260 B
    5
  • 77.91.124.84:19071
    d7760520.exe
    260 B
    5
  • 77.91.68.61:80
    pdates.exe
    260 B
    5
  • 77.91.124.84:19071
    d7760520.exe
    260 B
    5
  • 77.91.124.84:19071
    d7760520.exe
    260 B
    5
  • 77.91.124.84:19071
    d7760520.exe
    156 B
    3
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    122.10.44.20.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    122.10.44.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe

    Filesize

    175KB

    MD5

    647971d0cadf19b3146ed9825e2e2791

    SHA1

    25435c9b63194809b1ddff2ea49f68336fa16673

    SHA256

    48b9794032771dfe78fc2c2b15e43e4b0a43143a6d6d5f3cea6e64dbcb976a76

    SHA512

    24aa9c1d3252a641cf4b4e74ba77d4fcf7a2d8023a71981ab514f0f9cc73bb387e54743dc2c4a17799b71608785292a0399e4c9a891479dcea18ad829b426b20

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe

    Filesize

    359KB

    MD5

    061c406e23341bbcb1ff5e1801849cb3

    SHA1

    7ec3197388a3543dc54a754b526a21a74de567c3

    SHA256

    ae86041c8e819499d71e4c6acc7674c2aa2d49c8bcf4772c06fdcabc12acf52a

    SHA512

    176444ce621ff202d78fd397690322fa00d124b7ee51a6ef2cce205e5adc08205db4f4b30f866e8cb8132ef72e83462128cf4d124eeaf8c1d5992e5c18e98adb

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe

    Filesize

    36KB

    MD5

    ce02f9d79dea88099619df5cb1312f35

    SHA1

    3c1679bf6d2ad4436f65458e679c66f79d6ae50f

    SHA256

    855b0ca776047364d7a3d31a44d746dd673f3d6435723e4a5093a1b757584f54

    SHA512

    6ace95a26369b298fe1b9cefdccea26cb2253a11c829836a51b47b9218fa291586aa6ebb652830d44c0a97b7d1e2caac43a93cad02c5182be21d537322db555d

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe

    Filesize

    234KB

    MD5

    76dddeb11de090d98b3d9edc3df979fe

    SHA1

    1400ec7994433f280da5b1d84c12d62d8c19702c

    SHA256

    e13221cfa4276e8a340f3f13212b1fef45770843a843192a8387bbd99143938f

    SHA512

    35384efa7caf27758daeb5d6f9a3f84c422116b77abed1e0bb0e978366cadaf2fc0d7fe15b1bb98bfe398c1eab3fb32eb9e3e1a582f5097a6779b4e2ab80f9c5

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe

    Filesize

    13KB

    MD5

    3a21e5d379f54add2172d6948ca4e597

    SHA1

    f2480642965b7c7a804ad8c62d7a623a815b1b02

    SHA256

    2db95b60ef54ddb759464792be2f8a007214003a75cbca2de2a12f6d512900d8

    SHA512

    010b8ac0ec852bbdc5e14f7409fecc81451c197281c1aff63df0acc98f46628151ce2dfabde6bde01e3c1e6b3c031637efee72edd44365afa78bafeaf63dda19

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe

    Filesize

    225KB

    MD5

    4dcc519d9075200e24e18d1eb479b00e

    SHA1

    93a9cd97d0d7c6c98903391297530577e1228451

    SHA256

    503f3735fdd75fa98e846ffc940735d1bc0f8c89c60de01dbcb852432d37e834

    SHA512

    b1494415d70a3bfbabbd26361b68858c3c785121ec49b6c054e0487c5bb1dac33e8e8c0cc404b39b598b4b8458c48795ff9efab1d0bf60dabe50ba41bd6f8423

  • memory/544-21-0x00000000005C0000-0x00000000005CA000-memory.dmp

    Filesize

    40KB

  • memory/544-22-0x00007FF9FF2E3000-0x00007FF9FF2E5000-memory.dmp

    Filesize

    8KB

  • memory/1956-40-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3324-45-0x00000000006F0000-0x0000000000720000-memory.dmp

    Filesize

    192KB

  • memory/3324-46-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

    Filesize

    24KB

  • memory/3324-47-0x000000000AB50000-0x000000000B168000-memory.dmp

    Filesize

    6.1MB

  • memory/3324-48-0x000000000A640000-0x000000000A74A000-memory.dmp

    Filesize

    1.0MB

  • memory/3324-49-0x0000000005110000-0x0000000005122000-memory.dmp

    Filesize

    72KB

  • memory/3324-50-0x000000000A530000-0x000000000A56C000-memory.dmp

    Filesize

    240KB

  • memory/3324-51-0x0000000004B00000-0x0000000004B4C000-memory.dmp

    Filesize

    304KB