Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-05-2024 14:15

General

  • Target

    ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102.exe

  • Size

    359KB

  • MD5

    3e6c4929a82b142d398d5b1a60a93857

  • SHA1

    478ba0a29fcab3a9674f20c5b28f66a0fcc53795

  • SHA256

    ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102

  • SHA512

    3e292fdc2d2f52d9942fc732e66c4dbc50656a22b758c7e67377077d8461d0c18170cb50634d07d199957bb5cb5e728c7fa5ed9c5c71018b17945e184e5714e4

  • SSDEEP

    6144:K1y+bnr+op0yN90QEdx1i6EoKZ8J+gY4OUsKOK/Apfn6l+ZMFIPXewY:XMrIy90nMUzOUsKOK4p9PpY

Malware Config

Extracted

Family

amadey

Version

3.85

C2

http://77.91.68.3

Attributes
  • install_dir

    3ec1f323b5

  • install_file

    danke.exe

  • strings_key

    827021be90f1e85ab27949ea7e9347e8

  • url_paths

    /home/love/index.php

  • rc4.plain
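
The strings_key above is the value the report labels rc4.plain, i.e. the RC4 key this Amadey 3.x build uses for its embedded strings, supplied in plain form. The following is an added example (it is not part of the sandbox report and not Amadey's own code) showing the decryption step and how the beacon URL is assembled from the C2 and url_paths fields. Assumptions: the 32-character key is applied as its literal ASCII bytes, encrypted strings are hex-encoded, and the check-in URL is simply C2 + url_path; the sample blobs are constructed by encrypting values from this page's own config with that key, not lifted from the binary.

```python
"""RC4 string decryption for the extracted Amadey config (added example)."""

# Values taken from the extracted config on this page.
STRINGS_KEY = "827021be90f1e85ab27949ea7e9347e8"
C2 = "http://77.91.68.3"
URL_PATH = "/home/love/index.php"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_hex_string(hex_blob: str, key: str = STRINGS_KEY) -> str:
    """Decrypt one hex-encoded blob; the key is used as its literal ASCII bytes (assumption)."""
    return rc4(key.encode("ascii"), bytes.fromhex(hex_blob)).decode("utf-8", errors="replace")


def c2_url(c2: str = C2, path: str = URL_PATH) -> str:
    """Assumed beacon URL: the C2 host joined with the configured url_path."""
    return c2.rstrip("/") + path


# Constructed sample input: config values from this page encrypted under the strings
# key, so the round trip can be shown offline. These are not blobs from the sample.
SAMPLE_BLOBS = [
    rc4(STRINGS_KEY.encode("ascii"), s.encode("utf-8")).hex()
    for s in ("danke.exe", "3ec1f323b5", URL_PATH)
]

if __name__ == "__main__":
    for blob in SAMPLE_BLOBS:
        print(f"{blob} -> {decrypt_hex_string(blob)}")
    print("beacon URL:", c2_url())
```

When applying this to strings pulled from the actual binary, verify the RC4 implementation first against a known vector (key "Key", plaintext "Plaintext" gives bbf316e8d940af0ad3); a wrong key or a different encoding layer shows up as replacement characters in the decoded output rather than an error.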

Signatures

  • Amadey

    Amadey is a simple trojan bot primarily used to collect reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102.exe
    "C:\Users\Admin\AppData\Local\Temp\ffa14d4c0be8bc789970a81ab0d1c4ceb689e261224f173a8dbd9609a9b45102.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4876
        • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
          "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4672
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe /TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:4044
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "danke.exe" /P "Admin:N"&&CACLS "danke.exe" /P "Admin:R" /E&&echo Y|CACLS "..\3ec1f323b5" /P "Admin:N"&&CACLS "..\3ec1f323b5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:4924
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "danke.exe" /P "Admin:N"
                6⤵
                  PID:2204
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "danke.exe" /P "Admin:R" /E
                  6⤵
                    PID:2040
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:4036
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\3ec1f323b5" /P "Admin:N"
                      6⤵
                        PID:432
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\3ec1f323b5" /P "Admin:R" /E
                        6⤵
                          PID:2800
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:3316
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:1968
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:1072
  • C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe
    1⤵
    • Executes dropped EXE
    PID:968
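
The tree above shows the Amadey persistence sequence end to end: the bot copies itself to the random-named install_dir under %TEMP% as danke.exe, registers a scheduled task that fires every minute, then uses cacls to replace the ACL on the binary and its directory with nothing for the current user ("Admin:N", the `echo Y|` answering the confirmation prompt) before editing Read back in ("Admin:R" /E), so the user can still read but not modify or delete the files. The later depth-1 danke.exe launches are the task firing. The following is an added example, not part of the report: Python detection logic run over constructed process-creation records that reproduce the command lines shown above plus one benign control. The event layout and the rule names are assumptions for illustration.

```python
"""Detect schtasks minute-interval persistence and cacls self-denial (added example)."""
import re
from typing import Optional

# Constructed process-creation records reproducing the command lines in the tree
# above, plus a benign hourly task as a control. Sample input, not a captured log.
EVENTS = [
    {"pid": 4044, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN danke.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\3ec1f323b5\danke.exe" /F'},
    {"pid": 2204, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "danke.exe" /P "Admin:N"'},
    {"pid": 2040, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "danke.exe" /P "Admin:R" /E'},
    {"pid": 432, "image": r"C:\Windows\SysWOW64\cacls.exe", "cmdline": r'CACLS "..\3ec1f323b5" /P "Admin:N"'},
    {"pid": 9001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC HOURLY /TN Updater /TR "C:\Program Files\Vendor\upd.exe"'},
]

# Directories a standard user can write to; a task action living there is suspicious.
USER_WRITABLE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Users\\Public\\", re.I)

# cacls <target> /P <principal>:N  -> replace the ACL with no access for <principal>
CACLS_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?cacls(?:\.exe)?"?\s+"?([^"]+?)"?\s+/P\s+"?([^":]+):N"?', re.I)


def _opt(cmdline: str, name: str) -> Optional[str]:
    """Return the value following /<name>, honouring double-quoted values."""
    m = re.search(r"/" + name + r'\s+("([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(3)


def check_schtasks(cmdline: str) -> Optional[dict]:
    """Flag /Create tasks that beacon-like persist: minute interval, user-writable action."""
    if "/create" not in cmdline.lower():
        return None
    sc, mo, tr, tn = (_opt(cmdline, k) for k in ("SC", "MO", "TR", "TN"))
    reasons = []
    if sc and sc.upper() == "MINUTE" and (mo is None or mo.strip() == "1"):
        reasons.append("runs every minute")            # /MO defaults to 1 when omitted
    if tr and USER_WRITABLE.search(tr):
        reasons.append("task action in user-writable directory")
    if tn and tn.lower().endswith(".exe"):
        reasons.append("task name is an executable name")
    return {"task": tn, "action": tr, "reasons": reasons} if reasons else None


def check_cacls_self_deny(cmdline: str) -> Optional[dict]:
    """Flag cacls replacing an ACL with 'no access' for a principal (the Admin:N step)."""
    m = CACLS_RE.match(cmdline)
    if not m:
        return None
    return {"target": m.group(1), "denied_principal": m.group(2)}


def scan(events: list) -> list:
    """Run both rules over the records and return one hit dict per match."""
    hits = []
    for ev in events:
        for rule, fn in (("schtasks_minute_persistence", check_schtasks),
                         ("cacls_self_deny", check_cacls_self_deny)):
            result = fn(ev["cmdline"])
            if result:
                hits.append({"pid": ev["pid"], "rule": rule, **result})
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The schtasks process image is SysWOW64 while its command line names System32; that is WoW64 file-system redirection for a 32-bit parent, not a spoofed path, so match on the command line rather than on the image path. The Admin:R /E edit is deliberately not flagged: on its own it is a benign ACL change, and the Admin:N replacement that precedes it is the distinctive step.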

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c0831593.exe
    Filesize: 34KB
    MD5: e0962336c2979b69b35e807b972ab7a7
    SHA1: f0ffc3dd41cef5b927b09979d29ff19f8c5f29c2
    SHA256: 51915b1d4671195490768c8d1353aed43ddf5905a602f40ed37e07aa22aa6617
    SHA512: 559f9ed55177abd42ae20443ccfd0d2203be2d7422b856e13039c3128d68ad358946200c85add22f8a5888d0fc2ec78ccc01670968e1fc53a78a97b33fe7d86d

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8196308.exe
    Filesize: 235KB
    MD5: ee03504d4df12f8504069171a5a7b538
    SHA1: eb202a9a59b80577a3a4f7f1988fdec688f84d61
    SHA256: c5b4910e7fa298cd6f52d6baa8f32cd68d40a48bc5d1ad0c73afcf8ee963a200
    SHA512: 879fc98d6a6d726599987b334340934b148429d4871553e217befe9f636fc39c5f418717c3f80a7095fe8ae4f154db59707fced7931e7e4776f28afce8f35f67

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9850776.exe
    Filesize: 12KB
    MD5: b20f8d8ed9871d6bdc9521778966edda
    SHA1: d67137a8019d52c2b2ad602a3794520723a2f3cf
    SHA256: 5b41c00e640b6fd13a0b11698443188ed640c24d7d0ced938d8578759e2e2ab0
    SHA512: 709545a06fb2fb46658147c397244a1e80baa08257a0547b29136c40175394d7974605ead8917d8168b76e1f18d050067457dc8240dfd535780a2811cc228b8a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6793074.exe
    Filesize: 230KB
    MD5: 32c3db3657c1b1f406f85913a2cfa133
    SHA1: 6a7c1e1c0b4f121a0082b6f4f76ce31752ebc836
    SHA256: 91b4b43f1de55e344cb418755aa6cef1c4bcb8fbd0b59495992e4ac1474c4b6e
    SHA512: 1d78376e57f06b10b250992857739d4e1e6b97d3bf4fa2e76874f6de9bdad185d24b3abeac197a3dd74ed6122e9a08001239ed05a98810740ea1e5214cb35817

  • memory/3316-33-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB

  • memory/3984-14-0x00007FFCBE9E3000-0x00007FFCBE9E5000-memory.dmp
    Filesize: 8KB

  • memory/3984-15-0x00000000007A0000-0x00000000007AA000-memory.dmp
    Filesize: 40KB