amadey | fb68898fc1ee1968d2f438649408cbb8854551c7efa6458a5175c462f02fda63

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe
Size

572KB
MD5

1ac19b91e5253c091061691c660c70fb
SHA1

7b113146e03c198d1cd4a7b1d10c2dad5bb6a909
SHA256

77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053
SHA512

6ed54774d55e8fc33480a56533c43f8eeffa64c225832e9e7aa932566c66bc80a0c1b9cf95db749f2a024316d57779255659151a483d7c5acc9c24e483e6af08
SSDEEP

12288:6Mr9y90/DGsxoXIq17/+FrSBIEBOFgJdHsKPdg54J:HysGwo4cb+dSOA7rPfJ

Score

10^/10

amadey healer redline fb0fb8 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe	healer
behavioral11/memory/2576-21-0x0000000000CF0000-0x0000000000CFA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q7686010.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q7686010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q7686010.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe	family_redline
behavioral11/memory/3424-39-0x0000000000500000-0x0000000000530000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r7196851.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	r7196851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 9 IoCs

Processes:

z2121682.exez2849645.exeq7686010.exer7196851.exeexplonde.exes1871232.exeexplonde.exeexplonde.exeexplonde.exe

pid	process
4596	z2121682.exe
3444	z2849645.exe
2576	q7686010.exe
2672	r7196851.exe
4868	explonde.exe
3424	s1871232.exe
4956	explonde.exe
8	explonde.exe
3664	explonde.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

q7686010.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q7686010.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q7686010.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exez2121682.exez2849645.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2121682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2849645.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4728 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4112 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q7686010.exe

pid process

2576 q7686010.exe
2576 q7686010.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q7686010.exe

description pid process

Token: SeDebugPrivilege 2576 q7686010.exe

pid	process
4728	sc.exe

pid	process
4112	schtasks.exe

pid	process
2576	q7686010.exe
2576	q7686010.exe

description	pid	process
Token: SeDebugPrivilege	2576	q7686010.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exez2121682.exez2849645.exer7196851.exeexplonde.execmd.exe

description	pid	process	target process
PID 2904 wrote to memory of 4596	2904	77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe	z2121682.exe
PID 2904 wrote to memory of 4596	2904	77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe	z2121682.exe
PID 2904 wrote to memory of 4596	2904	77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe	z2121682.exe
PID 4596 wrote to memory of 3444	4596	z2121682.exe	z2849645.exe
PID 4596 wrote to memory of 3444	4596	z2121682.exe	z2849645.exe
PID 4596 wrote to memory of 3444	4596	z2121682.exe	z2849645.exe
PID 3444 wrote to memory of 2576	3444	z2849645.exe	q7686010.exe
PID 3444 wrote to memory of 2576	3444	z2849645.exe	q7686010.exe
PID 3444 wrote to memory of 2672	3444	z2849645.exe	r7196851.exe
PID 3444 wrote to memory of 2672	3444	z2849645.exe	r7196851.exe
PID 3444 wrote to memory of 2672	3444	z2849645.exe	r7196851.exe
PID 2672 wrote to memory of 4868	2672	r7196851.exe	explonde.exe
PID 2672 wrote to memory of 4868	2672	r7196851.exe	explonde.exe
PID 2672 wrote to memory of 4868	2672	r7196851.exe	explonde.exe
PID 4596 wrote to memory of 3424	4596	z2121682.exe	s1871232.exe
PID 4596 wrote to memory of 3424	4596	z2121682.exe	s1871232.exe
PID 4596 wrote to memory of 3424	4596	z2121682.exe	s1871232.exe
PID 4868 wrote to memory of 4112	4868	explonde.exe	schtasks.exe
PID 4868 wrote to memory of 4112	4868	explonde.exe	schtasks.exe
PID 4868 wrote to memory of 4112	4868	explonde.exe	schtasks.exe
PID 4868 wrote to memory of 3488	4868	explonde.exe	cmd.exe
PID 4868 wrote to memory of 3488	4868	explonde.exe	cmd.exe
PID 4868 wrote to memory of 3488	4868	explonde.exe	cmd.exe
PID 3488 wrote to memory of 1364	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 1364	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 1364	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 2820	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 2820	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 2820	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 1432	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 1432	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 1432	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 4048	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 4048	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 4048	3488	cmd.exe	cmd.exe
PID 3488 wrote to memory of 1504	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 1504	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 1504	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 4304	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 4304	3488	cmd.exe	cacls.exe
PID 3488 wrote to memory of 4304	3488	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe
"C:\Users\Admin\AppData\Local\Temp\77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2904

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3444

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:4112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1364

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:2820

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:1432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4048

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:1504

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe
3⤵
- Executes dropped EXE
PID:3424

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:8

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4728

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3664

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe
Filesize
390KB

MD5
af64dd4608c03a5ccca7f0c55331acb2

SHA1
28225983cb51e94173ef73fa058fd6e27a3d4c30

SHA256
9e5e86873a0dd192be96daacd1c15a9d5231dd48887c55b1ad2b6580f4ecac5f

SHA512
30d3858d35fdfa9e269ebe72e7df341099d08791b708b14f848f1e05671d2cf8edee2e1d8f5229a6968fd464039e429744f03fa4e76bcce9ad47aa414496a226

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe
Filesize
176KB

MD5
484aa8a994e4b0d4f6394de29572fedf

SHA1
136dd59824c115d7ed7177b1cd443d8aea19917e

SHA256
5f251747cc00b6519344a8eab58b8bc8d321280d88e27c5bff306f40a53df0b4

SHA512
984122db98e575fd3ec63a9198905bd24123620656345b76930d3428d5c1d88bf9ce7563b0f1212147a72ff8c16924a6c2259c9672bad511112c76893b07b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe
Filesize
234KB

MD5
45e93a000b07f25fe943fdf1f7b65357

SHA1
87725546f53447d680f47e63a0cc581dcd4503fa

SHA256
9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755

SHA512
83cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe
Filesize
12KB

MD5
05d44dca7da313a6875ab2e2ce15cf4c

SHA1
fb62bcfc8209d7246dce532fd00d4ea2d56ecb71

SHA256
b894a0dc444adc2774ca868edb76d306b089eccd9dbea910c9a5f8bb7f4dc50c

SHA512
01075dd204512cb35dcd4cb0f77fe2962ee2e8709ff48cf36b3e681b96caafe1c4edcb0b4cab6be77754f791907dfd368570b425e89f740231578f19e2fc3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe
Filesize
221KB

MD5
a179aaa8b2da45d6806e6a737696d101

SHA1
0d5e6174461ffb16368cd80216abca674d893660

SHA256
f13ad3f74496d3eb644233b1f70c1b9c10abdd4b777007daa0d391fbfdd44a73

SHA512
41b53c48d9f6ba2bb744e48654957b12c93493cb1f2bfc11bac85694eaac5642bb3480fbaea1d16d5a89b886289efcbfc527c762114a4d85f7cbbef7eac3d375

Download Submit
memory/2576-21-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/2576-22-0x00007FFE5F563000-0x00007FFE5F565000-memory.dmp

Filesize
8KB

Download
memory/3424-39-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/3424-40-0x0000000004DE0000-0x0000000004DE6000-memory.dmp

Filesize
24KB

Download
memory/3424-41-0x000000000A810000-0x000000000AE28000-memory.dmp

Filesize
6.1MB

Download
memory/3424-42-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/3424-43-0x000000000A2A0000-0x000000000A2B2000-memory.dmp

Filesize
72KB

Download
memory/3424-44-0x000000000A300000-0x000000000A33C000-memory.dmp

Filesize
240KB

Download
memory/3424-45-0x0000000002780000-0x00000000027CC000-memory.dmp

Filesize
304KB

Download