Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
10-05-2024 14:40
General
-
Target
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe
-
Size
514KB
-
MD5
ad9443ce5e431e8295fd202f57cf1d6d
-
SHA1
330ab81f8d5d8360f11e9e15f6829608c3ed666e
-
SHA256
2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc
-
SHA512
d6bfaf96f61d6055c4e368f22542ba85d8d9c77d652480195953db43eced505a7102d5b10d79842e76483f90b1bbfa22a0d2fd6d0a423166efc8c585c3f665fb
-
SSDEEP
12288:NMrby90ooS9jGwyQikPj16mcXt3Q+snYfeplV3:GyOSTJj143Q7nmebh
Malware Config
Extracted
amadey
3.86
http://77.91.68.61
-
install_dir
925e7e99c5
-
install_file
pdates.exe
-
strings_key
ada76b8b0e1f6892ee93c20ab8946117
-
url_paths
/rock/index.php
Extracted
redline
lande
77.91.124.84:19071
-
auth_value
9fa41701c47df37786234f3373f21208
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"C:\Users\Admin\AppData\Local\Temp\2260e01650710f720d71241eb7bd5d4c48d8b8a009804752139cf762bcd962fc.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exe4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exe4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "pdates.exe" /P "Admin:R" /E7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:N"7⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\925e7e99c5" /P "Admin:R" /E7⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exeC:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d7760520.exeFilesize
175KB
MD5647971d0cadf19b3146ed9825e2e2791
SHA125435c9b63194809b1ddff2ea49f68336fa16673
SHA25648b9794032771dfe78fc2c2b15e43e4b0a43143a6d6d5f3cea6e64dbcb976a76
SHA51224aa9c1d3252a641cf4b4e74ba77d4fcf7a2d8023a71981ab514f0f9cc73bb387e54743dc2c4a17799b71608785292a0399e4c9a891479dcea18ad829b426b20
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1715175.exeFilesize
359KB
MD5061c406e23341bbcb1ff5e1801849cb3
SHA17ec3197388a3543dc54a754b526a21a74de567c3
SHA256ae86041c8e819499d71e4c6acc7674c2aa2d49c8bcf4772c06fdcabc12acf52a
SHA512176444ce621ff202d78fd397690322fa00d124b7ee51a6ef2cce205e5adc08205db4f4b30f866e8cb8132ef72e83462128cf4d124eeaf8c1d5992e5c18e98adb
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1053362.exeFilesize
36KB
MD5ce02f9d79dea88099619df5cb1312f35
SHA13c1679bf6d2ad4436f65458e679c66f79d6ae50f
SHA256855b0ca776047364d7a3d31a44d746dd673f3d6435723e4a5093a1b757584f54
SHA5126ace95a26369b298fe1b9cefdccea26cb2253a11c829836a51b47b9218fa291586aa6ebb652830d44c0a97b7d1e2caac43a93cad02c5182be21d537322db555d
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5470627.exeFilesize
234KB
MD576dddeb11de090d98b3d9edc3df979fe
SHA11400ec7994433f280da5b1d84c12d62d8c19702c
SHA256e13221cfa4276e8a340f3f13212b1fef45770843a843192a8387bbd99143938f
SHA51235384efa7caf27758daeb5d6f9a3f84c422116b77abed1e0bb0e978366cadaf2fc0d7fe15b1bb98bfe398c1eab3fb32eb9e3e1a582f5097a6779b4e2ab80f9c5
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a0410470.exeFilesize
13KB
MD53a21e5d379f54add2172d6948ca4e597
SHA1f2480642965b7c7a804ad8c62d7a623a815b1b02
SHA2562db95b60ef54ddb759464792be2f8a007214003a75cbca2de2a12f6d512900d8
SHA512010b8ac0ec852bbdc5e14f7409fecc81451c197281c1aff63df0acc98f46628151ce2dfabde6bde01e3c1e6b3c031637efee72edd44365afa78bafeaf63dda19
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b0689294.exeFilesize
225KB
MD54dcc519d9075200e24e18d1eb479b00e
SHA193a9cd97d0d7c6c98903391297530577e1228451
SHA256503f3735fdd75fa98e846ffc940735d1bc0f8c89c60de01dbcb852432d37e834
SHA512b1494415d70a3bfbabbd26361b68858c3c785121ec49b6c054e0487c5bb1dac33e8e8c0cc404b39b598b4b8458c48795ff9efab1d0bf60dabe50ba41bd6f8423
-
memory/544-21-0x00000000005C0000-0x00000000005CA000-memory.dmpFilesize
40KB
-
memory/544-22-0x00007FF9FF2E3000-0x00007FF9FF2E5000-memory.dmpFilesize
8KB
-
memory/1956-40-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3324-45-0x00000000006F0000-0x0000000000720000-memory.dmpFilesize
192KB
-
memory/3324-46-0x0000000000DA0000-0x0000000000DA6000-memory.dmpFilesize
24KB
-
memory/3324-47-0x000000000AB50000-0x000000000B168000-memory.dmpFilesize
6.1MB
-
memory/3324-48-0x000000000A640000-0x000000000A74A000-memory.dmpFilesize
1.0MB
-
memory/3324-49-0x0000000005110000-0x0000000005122000-memory.dmpFilesize
72KB
-
memory/3324-50-0x000000000A530000-0x000000000A56C000-memory.dmpFilesize
240KB
-
memory/3324-51-0x0000000004B00000-0x0000000004B4C000-memory.dmpFilesize
304KB