amadey | 21675cef02c5d516a93f59d70c16d083ffa8be9792fa8f40e53212708d321c6d

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe
Size

433KB
MD5

cdd196694c11df773e31372b1e3f6578
SHA1

f013a3c818024ea0e771ff51c981e90a00fcbad9
SHA256

972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d
SHA512

34c9a0e50a4e6360535108ddb53e802716dce6b69cf1978274620d744cf91221d039994d6edc80ae05ea06cf1c5cce3c9161a66268c25ceb5ed5c11665587b99
SSDEEP

12288:9Mroy90XNx2BiXTV2NhmyP7U1Jqr1oX0:dyaNwGa57wJYmX0

Score

10^/10

amadey healer redline 59b440 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1953252.exe	healer
behavioral16/memory/4048-14-0x0000000000750000-0x000000000075A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

g1953252.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	g1953252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g1953252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g1953252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g1953252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g1953252.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g1953252.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8264383.exe	family_redline
behavioral16/memory/2744-32-0x0000000000B30000-0x0000000000B60000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

h4513594.exesaves.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	h4513594.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	saves.exe

Executes dropped EXE 7 IoCs

Processes:

x2209358.exeg1953252.exeh4513594.exesaves.exei8264383.exesaves.exesaves.exe

pid process

2124 x2209358.exe
4048 g1953252.exe
3744 h4513594.exe
4576 saves.exe
2744 i8264383.exe
5080 saves.exe
2920 saves.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

g1953252.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" g1953252.exe

pid	process
2124	x2209358.exe
4048	g1953252.exe
3744	h4513594.exe
4576	saves.exe
2744	i8264383.exe
5080	saves.exe
2920	saves.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	g1953252.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x2209358.exe972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2209358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2328 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2516 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

g1953252.exe

pid process

4048 g1953252.exe
4048 g1953252.exe
4048 g1953252.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

g1953252.exe

description pid process

Token: SeDebugPrivilege 4048 g1953252.exe

pid	process
2328	sc.exe

pid	process
2516	schtasks.exe

pid	process
4048	g1953252.exe
4048	g1953252.exe
4048	g1953252.exe

description	pid	process
Token: SeDebugPrivilege	4048	g1953252.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exex2209358.exeh4513594.exesaves.execmd.exe

description	pid	process	target process
PID 3052 wrote to memory of 2124	3052	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe	x2209358.exe
PID 3052 wrote to memory of 2124	3052	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe	x2209358.exe
PID 3052 wrote to memory of 2124	3052	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe	x2209358.exe
PID 2124 wrote to memory of 4048	2124	x2209358.exe	g1953252.exe
PID 2124 wrote to memory of 4048	2124	x2209358.exe	g1953252.exe
PID 2124 wrote to memory of 3744	2124	x2209358.exe	h4513594.exe
PID 2124 wrote to memory of 3744	2124	x2209358.exe	h4513594.exe
PID 2124 wrote to memory of 3744	2124	x2209358.exe	h4513594.exe
PID 3744 wrote to memory of 4576	3744	h4513594.exe	saves.exe
PID 3744 wrote to memory of 4576	3744	h4513594.exe	saves.exe
PID 3744 wrote to memory of 4576	3744	h4513594.exe	saves.exe
PID 3052 wrote to memory of 2744	3052	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe	i8264383.exe
PID 3052 wrote to memory of 2744	3052	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe	i8264383.exe
PID 3052 wrote to memory of 2744	3052	972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe	i8264383.exe
PID 4576 wrote to memory of 2516	4576	saves.exe	schtasks.exe
PID 4576 wrote to memory of 2516	4576	saves.exe	schtasks.exe
PID 4576 wrote to memory of 2516	4576	saves.exe	schtasks.exe
PID 4576 wrote to memory of 4600	4576	saves.exe	cmd.exe
PID 4576 wrote to memory of 4600	4576	saves.exe	cmd.exe
PID 4576 wrote to memory of 4600	4576	saves.exe	cmd.exe
PID 4600 wrote to memory of 2684	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 2684	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 2684	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 4584	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 4584	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 4584	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 2524	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 2524	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 2524	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 1484	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 1484	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 1484	4600	cmd.exe	cmd.exe
PID 4600 wrote to memory of 3176	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 3176	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 3176	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 3024	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 3024	4600	cmd.exe	cacls.exe
PID 4600 wrote to memory of 3024	4600	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe
"C:\Users\Admin\AppData\Local\Temp\972fcfe5872ab4a6b837384811a9bbe0624c3035a9a24dcd95984caca2e3b81d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2209358.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2209358.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1953252.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1953252.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4513594.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4513594.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
      "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2684
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        6⤵
        
        PID:4584
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        6⤵
        
        PID:2524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1484
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        6⤵
        
        PID:3176
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        6⤵
        
        PID:3024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8264383.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8264383.exe
  2⤵
  - Executes dropped EXE
  PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4624,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2920

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i8264383.exe

Filesize
174KB

MD5
240028b8ed70e54fa601ae595107966b

SHA1
9b022a2765e6af05537945b091449f4f43d6d884

SHA256
31011cff094eb67a9d3651ac3418badf23a8ee281bdc2fbec3bcae00cad937ec

SHA512
de8a88469a25c5993f39ddf3bdc2b66b3c8aae2e55604ed7b44b763d503ea2cc6a38ca3672befe5e2ffc462f4f7e012f11ab1f40f262dac67118f4e2af94b246

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2209358.exe

Filesize
277KB

MD5
edcd86431ccf4525d9cb888abd4d98f7

SHA1
cf8033afea91aa447bc3885a021993900e71ada8

SHA256
1f1890adbd283c8cb6f4e5cd647f148533c576942e22c1c531ddcac860588242

SHA512
b3d49373923cd32f4af9cbcf1a638232a9561d4785ffb78626f86739b371d449dc31bb8f32aa8f9fec41441e1e326db905f3287a11c6dc0f57fa60a0e9572403

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1953252.exe

Filesize
11KB

MD5
4d71ecf8aade0e6f8b129593ac3ad598

SHA1
e2a8053e910c4a6a0f33f1e192b0089782716212

SHA256
2948fd08e50a6641950acb3f99f2214bdd51ed1048a30b8db46674c487fea607

SHA512
55bbafb3ca1f4df88dde30aed7deda763c9a83dfaaabb13329da44642d6d8210996092caacb6add997fc1b01026679a6b327f67805a0141e87fa92405d28ce8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4513594.exe

Filesize
337KB

MD5
859f4232b6765a222f40f777d6e44672

SHA1
eda87a8c746caba72f4ad5137c62d61b67c9f518

SHA256
e862aed41ba9827e4d73271b75ff8973cb488721e4ddc38cd916eada92380e94

SHA512
cc75d121d870127ae101d8d47a97f3c0e911d028ae9b1bffd3caf2fed6cc4c06b5bb26ac7c9bcf15348629fe5407760f9c8571d7dd0c698236fcbc2f6faafa88

Download Submit
memory/2744-35-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/2744-32-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/2744-33-0x0000000002DA0000-0x0000000002DA6000-memory.dmp

Filesize
24KB

Download
memory/2744-34-0x0000000005B00000-0x0000000006118000-memory.dmp

Filesize
6.1MB

Download
memory/2744-36-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/2744-37-0x0000000005520000-0x000000000555C000-memory.dmp

Filesize
240KB

Download
memory/2744-38-0x0000000005560000-0x00000000055AC000-memory.dmp

Filesize
304KB

Download
memory/4048-14-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/4048-15-0x00007FFFE57D3000-0x00007FFFE57D5000-memory.dmp

Filesize
8KB

Download