Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 09:54

General

  • Target

    208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe

  • Size

    812KB

  • MD5

    f7e69c620af0bbd5653d5fc8405ba587

  • SHA1

    73008bbde185403def406416c45415afe1cef642

  • SHA256

    208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf

  • SHA512

    07be351902a0d7ba7fffc00fa18688a052df745c669439a03da3becfded56c445085848621951b3023cc1f145620a65a761fcb41472b5a50568366ee5e900e1b

  • SSDEEP

    24576:ryTEwKx9ELd2lTQ9TgFldOrHWzB3Ka6m:eUgLo5Q9Ttr2zBj6

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

C2

http://77.91.68.52

Attributes
  • install_dir

    fefffe8cea

  • install_file

    explonde.exe

  • strings_key

    916aae73606d7a9e02a1d3b47c199688

  • url_paths

    /mac/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302
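The two extracted configs above are only useful once they are turned into something checkable. The following is an added example, not code from the Triage report and not Amadey's own code: it takes the Amadey strings_key and C2/url_paths as given above, builds the full check-in URL, and implements an RC4 string decryptor. The report labels the key "rc4.plain", so the example assumes the key is used as a raw ASCII RC4 key over hex-encoded strings; that mapping, and the sample ciphertexts (constructed by encrypting the config's own values under the key, not recovered from the binary), are this example's assumptions.

```python
"""Added example: turning the extracted Amadey config into something
checkable. Not code from the Triage report or from Amadey. The report
labels the key "rc4.plain", so it is ASSUMED here that strings_key is a
raw ASCII RC4 key applied to hex-encoded strings; SAMPLE_BLOBS are
constructed by encrypting known values with that key, not taken from
the sample."""
import binascii

# Values from the extracted config above
STRINGS_KEY = b"916aae73606d7a9e02a1d3b47c199688"
C2 = "http://77.91.68.52"
URL_PATHS = ["/mac/index.php"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_hex_string(key: bytes, hex_blob: str) -> str:
    """Hex-decode, RC4-decrypt and return printable ASCII, or '' when the blob
    is not valid hex or does not decrypt to printable text (wrong key, not a string)."""
    try:
        raw = binascii.unhexlify(hex_blob.strip())
    except (binascii.Error, ValueError):
        return ""
    try:
        text = rc4(key, raw).decode("ascii")
    except UnicodeDecodeError:
        return ""
    return text if text.isprintable() else ""


def c2_urls(c2: str, url_paths) -> list[str]:
    """Full check-in URLs from the config's C2 and url_paths."""
    return [c2.rstrip("/") + path for path in url_paths]


# Constructed sample blobs: the config's own values encrypted under the config key
SAMPLE_BLOBS = {
    value: binascii.hexlify(rc4(STRINGS_KEY, value.encode())).decode()
    for value in ("fefffe8cea", "explonde.exe", "/mac/index.php")
}

if __name__ == "__main__":
    for plain, blob in SAMPLE_BLOBS.items():
        print(f"{blob} -> {decrypt_hex_string(STRINGS_KEY, blob)!r}")
    print(c2_urls(C2, URL_PATHS))
```

The printable-text filter in decrypt_hex_string is what makes the routine usable for bulk work: run it over every hex-looking string pulled from an unpacked Amadey binary and only the ones that decrypt to clean ASCII under the config key survive, so a wrong key or a non-string blob shows up as an empty result rather than garbage.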

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (11 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (49 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe
    "C:\Users\Admin\AppData\Local\Temp\208bd49be44846fa019a8a4b21da09b934676de6c05e6688624fa6608f3917cf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9304195.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9304195.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3494869.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3494869.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971693.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971693.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:724
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9127346.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9127346.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3596
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598939.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598939.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:908
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4835343.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4835343.exe
              6⤵
              • Executes dropped EXE
              PID:2168
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9048188.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9048188.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4676
            • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
              "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3516
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
                7⤵
                • Creates scheduled task(s)
                PID:1652
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1924
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  PID:4644
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "explonde.exe" /P "Admin:N"
                  8⤵
                  PID:380
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "explonde.exe" /P "Admin:R" /E
                  8⤵
                  PID:3532
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  PID:3528
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\fefffe8cea" /P "Admin:N"
                  8⤵
                  PID:2436
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\fefffe8cea" /P "Admin:R" /E
                  8⤵
                  PID:2920
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4248552.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4248552.exe
          4⤵
          • Executes dropped EXE
          PID:4608
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:3484
  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    1⤵
    • Executes dropped EXE
    PID:4476
  • C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    1⤵
    • Executes dropped EXE
    PID:1608
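The tree above is a chain of nested self-extracting droppers (IXP000.TMP through IXP004.TMP are the temporary directories IExpress packages unpack into). The last stage that matters for persistence is s9048188.exe, which starts explonde.exe from the fefffe8cea directory (the install_dir and install_file from the extracted Amadey config); explonde.exe then registers a scheduled task that re-runs itself every minute and uses CACLS to first strip the Admin account's access to the binary and its directory and then grant read only, which keeps the infected user from simply deleting the file. The two top-level explonde.exe processes (PIDs 4476 and 1608) are consistent with that task firing. The following is an added example, not part of the Triage report or of any vendor product: detection rules run over process-creation events reconstructed from the command lines above. The four-field event schema, the rule names and the final benign control event are this example's own constructions.

```python
"""Added example: detection logic over the process tree above. Not part
of the Triage report or of any vendor tool. EVENTS is constructed from
the report's command lines (a subset); the (ppid, pid, image, cmdline)
schema, rule names and the trailing benign control are this example's
own choices."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ppid: int
    pid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; the final event is a made-up benign control.
EVENTS = [
    ProcEvent(4676, 3516,
              r"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"'),
    ProcEvent(3516, 1652,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe '
              r'/TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F'),
    ProcEvent(3516, 1924,
              r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"'
              r'&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"'
              r'&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit'),
    ProcEvent(999, 1000,
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"'),
]

TR_QUOTED = re.compile(r'/TR\s+"([^"]+)"', re.I)
TR_BARE = re.compile(r'/TR\s+(\S+)', re.I)
# CACLS obj /P "user:N" replaces the ACL with no access for that user (echo Y answers the
# confirmation prompt); a following /P "user:R" /E edits read access back in.
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
CACLS_READ = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):R"\s+/E', re.I)


def task_target(cmdline: str) -> str:
    """The /TR action of a schtasks /Create command line, quoted or bare."""
    m = TR_QUOTED.search(cmdline) or TR_BARE.search(cmdline)
    return m.group(1) if m else ""


def detect(events) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the Amadey-style persistence chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = e.image.lower()
        cmd = e.cmdline
        if image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
            target = task_target(cmd)
            # Rule 1: a per-minute task whose action lives under the user's Temp directory
            if "/sc minute" in cmd.lower() and "\\appdata\\local\\temp\\" in target.lower():
                findings.append(("schtasks_minute_temp", e.pid, target))
            # Rule 2: the task action is the image of the process that created the task
            parent = by_pid.get(e.ppid)
            if parent and target and target.lower() == parent.image.lower():
                findings.append(("schtasks_self_persist", e.pid, target))
        if image.endswith("\\cmd.exe"):
            # Rule 3: the same object set to "user:N" and then to "user:R" /E in one command line
            denied = {(t.lower(), u.lower()) for t, u in CACLS_DENY.findall(cmd)}
            readonly = {(t.lower(), u.lower()) for t, u in CACLS_READ.findall(cmd)}
            for obj, user in sorted(denied & readonly):
                findings.append(("cacls_deny_then_readonly", e.pid, f"{obj} ({user})"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

Rule 2 is the one worth keeping even where Temp-path tasks are common: a process creating a scheduled task whose action is its own image path is a self-persistence pattern, and it needs the parent's image, which is why the rules take whole events rather than bare command lines. On a live host the same CACLS sequence means cleanup has to reset the ACL (takeown/icacls) before the fefffe8cea directory can be removed.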

                Network

                MITRE ATT&CK Enterprise v15

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9304195.exe

                  Filesize

                  677KB

                  MD5

                  cac280b5885269da41baf8aecfb8fe6e

                  SHA1

                  24136fe18cc9499142f730cf3d0819f3de7b2bce

                  SHA256

                  da746ba29da48ff094d2cf04ad0fd4c4add09535e3d0b3fb4a5ac0a8f91e1aa2

                  SHA512

                  c44d23751c375b306e4da913864e28ff36c4a558cd5fb2a7911128faa59814ac3c767dfbd65d3415d0eac4b09420627701e7a5ab676f906ff845e18b79c9d009

                • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3494869.exe

                  Filesize

                  494KB

                  MD5

                  fef24f4ea1a396378565f6a2b6105d3c

                  SHA1

                  75a31bcb8a4dd570175b7bacc14afbbfc5aaa203

                  SHA256

                  866e293a736918cc90086406accb3b89fc7c3e997aecb9c9b2e72f03524673a6

                  SHA512

                  c6318f99b2f269726f0bda150120636c1c124d3ac7f26cedc6d166f7f52b0482bcc53e7c452432ee501a2ad19d282102969ef7fbcd965ac862dfe7973d12e957

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4248552.exe

                  Filesize

                  175KB

                  MD5

                  f6bbf7779c82f6d6d8e0b2c11270b580

                  SHA1

                  33e3537728ef5e7f82957467e799036fca7b5ba4

                  SHA256

                  2a31288a816e86852ae7752541335a4e27b713d736aa30bd90821736a684c80f

                  SHA512

                  1b9f44c971ef48c0968e8ce943c11b6a94a5b33d77d93b89f77e3c6e8c2e0cdbbdf89d1537d40d4f16184c56002ba7d50e4d7f47d7469825f06275c8cf998ff2

                • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6971693.exe

                  Filesize

                  339KB

                  MD5

                  7cdd58b5158a0182216027e21fd2607d

                  SHA1

                  c00d6dbe5e5dd5c238a5b13206915155747c4f4c

                  SHA256

                  fe4b13c65d97b1936c2302513a271a01e8ffed92f7a4fcfadf26075b6a0f4fed

                  SHA512

                  2f047fa3732359cf536e7f4f7d7860e9c019389150d3dabac237bdb6e6e2ef53ae205e81af99994c4caeab714c983815b7aad5e3d25a66ca18e8207fb173fdfc

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9048188.exe

                  Filesize

                  219KB

                  MD5

                  fb5501aaada20cc2c23924482b9b773f

                  SHA1

                  aca06d91bfeb9691088f1568afe65af3546ecdcc

                  SHA256

                  8b70969ea4dc2a2c7dbed4e1e655c295de173e4b0a3680062f91746a08bc6f00

                  SHA512

                  5bfa8522410c1cab99fbd1bd8967eee7bf5a741cb527d48db187206821084faa75dac099f3e053b4c7ec8db5a57ee0d3239ae8405225f4227e194ba16234d3fc

                • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9127346.exe

                  Filesize

                  157KB

                  MD5

                  04b5188b64125c0892346056e16355a0

                  SHA1

                  dc461ff33be1894432476d98c4d2c09e0459f300

                  SHA256

                  5250e9e73ab8fbd060ce2d824b021f7b796646337bf33ca75cf164f48e53282b

                  SHA512

                  169670c8c3744dbd94dc4fd9585f9a1b5d2e415d3709235912496a767bd9636b41d6c534d95b5c3eccea663db708aa7a22ffb2402daf7da9c0f6e17e79b9dcb8

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7598939.exe

                  Filesize

                  11KB

                  MD5

                  f53dad119013acb06f4fd3e93a724065

                  SHA1

                  f22fa1aacedb1d95a7c56b4d570b3a7a88b9f1bf

                  SHA256

                  4da084c70aac2e578fa72442175d8bcfe21e1fc04446922958c809fd783de34b

                  SHA512

                  f1b3e9229265d5b0383474a1e2d07c3caee0644ed2e7c44e97637b5a4f4313dd919a175d64b5855a0fb9785f35c68ec610295168250045b6427d45670aee0225

                • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4835343.exe

                  Filesize

                  36KB

                  MD5

                  8eea1af363eb4f0b7750cae836c9073d

                  SHA1

                  fcf7ded42777a83be47437dfe82cf0dfd3eb3d9b

                  SHA256

                  e0360fbf802b5009640d5f5e9df59e2026a4cfd84a794bc13d07daf910eca856

                  SHA512

                  434d2d3e3b779c75707bc6ad16bb8f1ebfb6a8689c68838b588b9ccf1d56f71c8e82874fe2758d6c41c12b99b2ee13dd4a622c1782519ba6fc2654a792346e9c

                • memory/908-35-0x0000000000550000-0x000000000055A000-memory.dmp

                  Filesize

                  40KB

                • memory/4608-55-0x0000000000DA0000-0x0000000000DD0000-memory.dmp

                  Filesize

                  192KB

                • memory/4608-56-0x0000000002FD0000-0x0000000002FD6000-memory.dmp

                  Filesize

                  24KB

                • memory/4608-57-0x0000000005EE0000-0x00000000064F8000-memory.dmp

                  Filesize

                  6.1MB

                • memory/4608-58-0x00000000059D0000-0x0000000005ADA000-memory.dmp

                  Filesize

                  1.0MB

                • memory/4608-59-0x0000000005650000-0x0000000005662000-memory.dmp

                  Filesize

                  72KB

                • memory/4608-60-0x00000000058C0000-0x00000000058FC000-memory.dmp

                  Filesize

                  240KB

                • memory/4608-61-0x0000000005910000-0x000000000595C000-memory.dmp

                  Filesize

                  304KB