Overview

overview

10

Static

static

3

00dd845a27...d6.exe

windows10-2004-x64

10

0e4f6fa259...f8.exe

windows10-2004-x64

10

160cf91bb4...9b.exe

windows10-2004-x64

10

2469003f42...fb.exe

windows10-2004-x64

10

37d87e8c1a...0c.exe

windows10-2004-x64

10

4c3f025b17...a7.exe

windows10-2004-x64

10

4de214f155...f2.exe

windows10-2004-x64

10

4fe5ee134e...25.exe

windows10-2004-x64

10

5bc4a6b3d5...f6.exe

windows10-2004-x64

10

62325240aa...fc.exe

windows10-2004-x64

10

77ac4e5ef8...53.exe

windows10-2004-x64

10

78a2f3c49d...66.exe

windows10-2004-x64

10

7c1372b4b0...fc.exe

windows10-2004-x64

10

7cd3eb4cd6...0e.exe

windows10-2004-x64

10

7dee432d6d...a7.exe

windows10-2004-x64

10

a277894fe9...7d.exe

windows10-2004-x64

10

cd0d56c5ce...15.exe

windows10-2004-x64

10

d304eb3331...e2.exe

windows10-2004-x64

10

d3dd28146b...8b.exe

windows10-2004-x64

10

ece19c5d5c...54.exe

windows10-2004-x64

10

f9789caac1...5f.exe

windows7-x64

10

f9789caac1...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe

  • Size

    572KB

  • MD5

    1ac19b91e5253c091061691c660c70fb

  • SHA1

    7b113146e03c198d1cd4a7b1d10c2dad5bb6a909

  • SHA256

    77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053

  • SHA512

    6ed54774d55e8fc33480a56533c43f8eeffa64c225832e9e7aa932566c66bc80a0c1b9cf95db749f2a024316d57779255659151a483d7c5acc9c24e483e6af08

  • SSDEEP

    12288:6Mr9y90/DGsxoXIq17/+FrSBIEBOFgJdHsKPdg54J:HysGwo4cb+dSOA7rPfJ

Score
10/10
amadeyhealerredlinefb0fb8mrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe
    "C:\Users\Admin\AppData\Local\Temp\77ac4e5ef850f053915a6aca7fc85f62c897f29cc6bc77bfbb192062c7aa5053.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:372
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
            "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:808
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
              6⤵
              • Creates scheduled task(s)
              PID:3432
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                  PID:1004
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "explonde.exe" /P "Admin:N"
                  7⤵
                    PID:3376
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "explonde.exe" /P "Admin:R" /E
                    7⤵
                      PID:2696
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                      7⤵
                        PID:688
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\fefffe8cea" /P "Admin:N"
                        7⤵
                          PID:668
                        • C:\Windows\SysWOW64\cacls.exe
                          CACLS "..\fefffe8cea" /P "Admin:R" /E
                          7⤵
                            PID:2592
                  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe
                    3⤵
                    • Executes dropped EXE
                    PID:4484
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:1432
              • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
                1⤵
                • Executes dropped EXE
                PID:4692

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2121682.exe
                Filesize

                390KB

                MD5

                af64dd4608c03a5ccca7f0c55331acb2

                SHA1

                28225983cb51e94173ef73fa058fd6e27a3d4c30

                SHA256

                9e5e86873a0dd192be96daacd1c15a9d5231dd48887c55b1ad2b6580f4ecac5f

                SHA512

                30d3858d35fdfa9e269ebe72e7df341099d08791b708b14f848f1e05671d2cf8edee2e1d8f5229a6968fd464039e429744f03fa4e76bcce9ad47aa414496a226

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\s1871232.exe
                Filesize

                176KB

                MD5

                484aa8a994e4b0d4f6394de29572fedf

                SHA1

                136dd59824c115d7ed7177b1cd443d8aea19917e

                SHA256

                5f251747cc00b6519344a8eab58b8bc8d321280d88e27c5bff306f40a53df0b4

                SHA512

                984122db98e575fd3ec63a9198905bd24123620656345b76930d3428d5c1d88bf9ce7563b0f1212147a72ff8c16924a6c2259c9672bad511112c76893b07b8c4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2849645.exe
                Filesize

                234KB

                MD5

                45e93a000b07f25fe943fdf1f7b65357

                SHA1

                87725546f53447d680f47e63a0cc581dcd4503fa

                SHA256

                9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755

                SHA512

                83cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\q7686010.exe
                Filesize

                12KB

                MD5

                05d44dca7da313a6875ab2e2ce15cf4c

                SHA1

                fb62bcfc8209d7246dce532fd00d4ea2d56ecb71

                SHA256

                b894a0dc444adc2774ca868edb76d306b089eccd9dbea910c9a5f8bb7f4dc50c

                SHA512

                01075dd204512cb35dcd4cb0f77fe2962ee2e8709ff48cf36b3e681b96caafe1c4edcb0b4cab6be77754f791907dfd368570b425e89f740231578f19e2fc3fb7

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r7196851.exe
                Filesize

                221KB

                MD5

                a179aaa8b2da45d6806e6a737696d101

                SHA1

                0d5e6174461ffb16368cd80216abca674d893660

                SHA256

                f13ad3f74496d3eb644233b1f70c1b9c10abdd4b777007daa0d391fbfdd44a73

                SHA512

                41b53c48d9f6ba2bb744e48654957b12c93493cb1f2bfc11bac85694eaac5642bb3480fbaea1d16d5a89b886289efcbfc527c762114a4d85f7cbbef7eac3d375

                Download Submit

              • memory/3108-21-0x00007FFBF72F3000-0x00007FFBF72F5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/3108-22-0x00000000004D0000-0x00000000004DA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4484-39-0x00000000000F0000-0x0000000000120000-memory.dmp

                Filesize

                192KB

                Download

              • memory/4484-40-0x0000000002390000-0x0000000002396000-memory.dmp

                Filesize

                24KB

                Download

              • memory/4484-41-0x0000000005090000-0x00000000056A8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4484-42-0x0000000004B80000-0x0000000004C8A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/4484-43-0x0000000004A70000-0x0000000004A82000-memory.dmp

                Filesize

                72KB

                Download

              • memory/4484-44-0x0000000004AD0000-0x0000000004B0C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/4484-45-0x0000000004B20000-0x0000000004B6C000-memory.dmp

                Filesize

                304KB

                Download