Overview

overview

10

Static

static

3

072894a720...70.exe

windows10-2004-x64

10

075e0048e6...e5.exe

windows10-2004-x64

10

131b78a330...7b.exe

windows10-2004-x64

10

56b0ed98e3...54.exe

windows10-2004-x64

10

807255749f...62.exe

windows7-x64

10

807255749f...62.exe

windows10-2004-x64

10

8a8433aeba...ed.exe

windows10-2004-x64

10

8cae2c42df...9a.exe

windows7-x64

10

8cae2c42df...9a.exe

windows10-2004-x64

10

d730c48963...34.exe

windows10-2004-x64

10

e98954290c...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5.exe

  • Size

    234KB

  • MD5

    7dafcde60491fa34e526c8eaafac0f01

  • SHA1

    d0c0ff3f2e2b66559d99dc660540f0a8dd83cc67

  • SHA256

    075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5

  • SHA512

    75fed00edb3d5811cf0b70b07c789f59be7aad30579779dfa70376b82268b0e52d599792b741c954c97c8d8d10100d5cee7c3835d2250023b9060c329090d14c

  • SSDEEP

    6144:KUy+bnr+5c3pxeXjyqu+Oeu+Oeu+OeuJZp5JZp5JZp5JZp5QgwAQgwAQgwAQSp0J:IMrWc3pxeXjyqu+Oeu+Oeu+OeuJZp5JO

Score
10/10
amadeyhealerfb0fb8dropperevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5.exe
    "C:\Users\Admin\AppData\Local\Temp\075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1168736.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1168736.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2359162.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2359162.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:3460
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5044
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:1664
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "explonde.exe" /P "Admin:N"
              5⤵
                PID:1852
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "explonde.exe" /P "Admin:R" /E
                5⤵
                  PID:2472
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:2312
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\fefffe8cea" /P "Admin:N"
                    5⤵
                      PID:1340
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\fefffe8cea" /P "Admin:R" /E
                      5⤵
                        PID:3108
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:4872
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:936

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g1168736.exe
                Filesize

                12KB

                MD5

                622aca29e6938ecba7251328f5938be2

                SHA1

                4f83f8bb25a50e47b74ba9ce1a12501ed04b3595

                SHA256

                fc0ff6a526373f9683b2da1e941444ee33bee4c20c85d05a360c53514614e305

                SHA512

                a5ee3b0d5f784e83c36e774d5d487c33f15ec119ef2c369cd983bf6778ee779bb4e3fecf5b15b5e7ed50213e8a124045736bb0c07f9b25ba2ab18ebc2983bd59

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h2359162.exe
                Filesize

                221KB

                MD5

                667e0226856c8dad973491cd9d01ab0f

                SHA1

                478743051ed38fba9307ff30f779ce239f4e211c

                SHA256

                de64170f9c90b697d61e830a288300ee58b70958c1fd7cf60d284af991569a0b

                SHA512

                6ffed32f8473fb92193b06f1132c3b77cac82a0c21ab02ca88d5f6aba9bb672fea643e0d80580bd8f3600edce503aed4ffb013f95a30df0c2f4f8af12e7caad8

                Download Submit

              • memory/4756-8-0x00007FFCBF2A3000-0x00007FFCBF2A5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/4756-7-0x0000000000240000-0x000000000024A000-memory.dmp

                Filesize

                40KB

                Download