Analysis

  • max time kernel
    133s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-05-2024 18:20

General

  • Target

    7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d.exe

  • Size

    234KB

  • MD5

    f49341a76d3b4070cf58c0081196772f

  • SHA1

    193bb28846d75d8c250304787027969b9b69b622

  • SHA256

    7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d

  • SHA512

    7a831be3a1c121d3dbc4f292a9782394bc25c486f38bf0c5000058726e97b3ec6e46112dcff8b87dda33b8c39974c5dee670285dc67883f6d58432e9c21b9235

  • SSDEEP

    3072:Key+bnr+O175GWp1icKAArDZz4N9GhbkrNEk1M7CZBmbxwUPiPdvuQtokpBQyvU6:Key+bnr+Ip0yN90QEtC/cO/TBpwo+

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d.exe
    "C:\Users\Admin\AppData\Local\Temp\7348ee4e4ed1a5e949c6ba0b2c8eaee7bf5d5f120e8c79c61accf44a24e12c6d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q6415621.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q6415621.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3500
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9112135.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9112135.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2596
      • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1664
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4308
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
            PID:2332
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "explonde.exe" /P "Admin:N"
            5⤵
            PID:5044
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "explonde.exe" /P "Admin:R" /E
            5⤵
            PID:2752
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
            PID:2796
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "..\fefffe8cea" /P "Admin:N"
            5⤵
            PID:2276
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "..\fefffe8cea" /P "Admin:R" /E
            5⤵
            PID:3168
  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    1⤵
    • Executes dropped EXE
    PID:2136
  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    1⤵
    • Executes dropped EXE
    PID:4628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q6415621.exe

    Filesize

    12KB

    MD5

    15a15134f3a6e55f7b03639811cc71b7

    SHA1

    1cc154fcd448833a63affb9403195c46a1324bdf

    SHA256

    2c85db1034a9d1211a4fd37b5496ed3c0e19d4a5bb5e2578ac1072d5bae1df12

    SHA512

    d7ebbb60f2c9cf5e8a5345ef76b64386eba5cbaacef92d3ae9aac34fcd0ea02614d30fa233c4943d7cefaf04c2f7b7b5026e33bb16f6f23c2a20cb23bfee007f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r9112135.exe

    Filesize

    220KB

    MD5

    ef1824b0ea0bd0d5a29da0be8eb7f403

    SHA1

    dd44ff8acb60f1b624c245429561ccf171df2a7c

    SHA256

    99d0aa7558558fc862cc710ebf912becf8cb8e4b04fb58fceffc4aee33b0ba20

    SHA512

    b3fb0b35f5be6319d3a96036e7ec041ba55960de35fc3b9d6eb75f9f39e6a92de143a33fce0063ac086140622877526423d37411bdae290f093abaafe5ea0ec5

  • memory/3500-7-0x0000000000D80000-0x0000000000D8A000-memory.dmp

    Filesize

    40KB

  • memory/3500-8-0x00007FFAE9523000-0x00007FFAE9525000-memory.dmp

    Filesize

    8KB