Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 19:04

General

  • Target

    58fadac0148f4700691a27abba4e41a0df870120ca131083c61a9404cf59cd99.exe

  • Size

    277KB

  • MD5

    a34f98dd943b8cccb2f645b07d52ca76

  • SHA1

    7883bc8dd3e33c9d96fe217aa46a09c1b0e3d605

  • SHA256

    58fadac0148f4700691a27abba4e41a0df870120ca131083c61a9404cf59cd99

  • SHA512

    00ee5bd0c09a349cab2b8589db5582d52b8d7b58036508bc65359f376bfd4d808478daf33eb8735ec09c8a7aa2d1b962c36e0e77940a24463378939096c9a041

  • SSDEEP

    6144:KIy+bnr+Gp0yN90QEiILYVudMMgcemAPMinb7ZtaFS:kMray90QIUVumMgcrAPMinuFS

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

C2

http://77.91.68.18

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

  • url_paths

    /nice/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58fadac0148f4700691a27abba4e41a0df870120ca131083c61a9404cf59cd99.exe
    "C:\Users\Admin\AppData\Local\Temp\58fadac0148f4700691a27abba4e41a0df870120ca131083c61a9404cf59cd99.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6850388.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6850388.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8653206.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8653206.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
        "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5040
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:864
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "saves.exe" /P "Admin:N"
              5⤵
                PID:2112
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "saves.exe" /P "Admin:R" /E
                5⤵
                  PID:4636
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:4600
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\b40d11255d" /P "Admin:N"
                    5⤵
                      PID:1568
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\b40d11255d" /P "Admin:R" /E
                      5⤵
                        PID:4672
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:916
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4708
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:2652

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6850388.exe

                Filesize

                11KB

                MD5

                db880bd51eddd881f8d451ea5ab34138

                SHA1

                0d9b6db84da30017658c152bd5edee88aa9482bb

                SHA256

                8f5e93ebc4b7d0d799607aa74b072ef4d9d0911f0e16cc3c004afc005bd070c5

                SHA512

                814dd075e594810b8c2b589686d97339cea200f82482d0b9a1a9d4477b30233218d814046c216fc503a3d99d0775484ed58a7b09f9ec2059e85eb82f58a87d98

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8653206.exe

                Filesize

                338KB

                MD5

                a527d7e86075c3f97022dd39a7b9c2c2

                SHA1

                12c79fe349f1f8c69b6cd5e61e9e84bcc8ec5d79

                SHA256

                93ba5343fcb962d0558f3c4078bac1b46f27c2f77c6fa67511e4c231f40710c3

                SHA512

                4859b56d437fb749f80829e6507b9c9ffec11219c662375e7c620c84286133c291ff92d1e30cb0892c335741af92cd72e57c0638c5dd6e64e9f258b36f09ee1e

              • memory/2372-7-0x0000000000760000-0x000000000076A000-memory.dmp

                Filesize

                40KB

              • memory/2372-8-0x00007FFA74DB3000-0x00007FFA74DB5000-memory.dmp

                Filesize

                8KB