Overview

overview

10

Static

static

3

0d301494f1...b9.exe

windows10-2004-x64

10

17123cde24...76.exe

windows10-2004-x64

10

3513e5a1be...0b.exe

windows10-2004-x64

10

3548eb3ee0...c3.exe

windows10-2004-x64

10

37bb007e1a...b5.exe

windows10-2004-x64

10

3b8019115c...d8.exe

windows10-2004-x64

10

3ba16fdd2a...8a.exe

windows10-2004-x64

10

3c47d4d72a...e8.exe

windows10-2004-x64

10

5598d9028e...fd.exe

windows7-x64

10

5598d9028e...fd.exe

windows10-2004-x64

10

5d95f47641...f4.exe

windows10-2004-x64

10

61d857a524...a5.exe

windows10-2004-x64

10

64f004d4a2...36.exe

windows10-2004-x64

10

7787b07a17...49.exe

windows10-2004-x64

10

7cc3996906...7e.exe

windows10-2004-x64

10

825d0619a8...ce.exe

windows10-2004-x64

10

9e6f3fd3f7...c2.exe

windows10-2004-x64

10

a49c96afc3...92.exe

windows10-2004-x64

10

e2945d600c...9e.exe

windows10-2004-x64

10

eb8cedd00b...3b.exe

windows10-2004-x64

10

f9bdee7f3d...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe

  • Size

    234KB

  • MD5

    2dfe4d2812a48ddbf22392cc3a90970b

  • SHA1

    4f1b63d32b90a492f98673c94646a42a6e853ac6

  • SHA256

    9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2

  • SHA512

    8b30e6f60dc809e9411dd14439766ec61da1ce41170a987c6c917abfe8df3985d8d6870672b38e72c10317e178e032fdc94f1f36bc4c48cc79938ae9d7c9b6da

  • SSDEEP

    3072:KBy+bnr+O1H5GWp1icKAArDZz4N9GhbkrNEk1E6D5dMOt7WQqwuoFoX:KBy+bnr+Ap0yN90QENzDQqwS

Score
10/10
amadeyhealer88c8bbdropperevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe
    "C:\Users\Admin\AppData\Local\Temp\9e6f3fd3f785137a445cbe56ff06c292a6df24180f53811fc86132a2bd4859c2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a8400544.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a8400544.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7161503.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7161503.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
        "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:3812
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
              PID:1040
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "pdates.exe" /P "Admin:N"
              5⤵
                PID:1556
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                5⤵
                  PID:548
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  5⤵
                    PID:1368
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\925e7e99c5" /P "Admin:N"
                    5⤵
                      PID:5012
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\925e7e99c5" /P "Admin:R" /E
                      5⤵
                        PID:4336
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:844
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:4768
                • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  1⤵
                  • Executes dropped EXE
                  PID:3828
                • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1988

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a8400544.exe
                  Filesize

                  11KB

                  MD5

                  7e93bacbbc33e6652e147e7fe07572a0

                  SHA1

                  421a7167da01c8da4dc4d5234ca3dd84e319e762

                  SHA256

                  850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

                  SHA512

                  250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b7161503.exe
                  Filesize

                  235KB

                  MD5

                  bc91e6e768fd91095e2345589ee83b4a

                  SHA1

                  8d1b66b836cb0e5134a3f807e6f552068ae3e049

                  SHA256

                  d0ad15538e2a3f9aedb1b72fcd30581d83b8ca9e8e044f1a404cd3a71cc601a4

                  SHA512

                  2d8766287f50a95994a2c4496f09114406faa469baeb3719c061e08b323dd359338ba0a8fe526c2f7138fa1c8fa3018743ce2a26203626ecc5901e179d5224b1

                  Download Submit

                • memory/4760-7-0x00007FFAE8E23000-0x00007FFAE8E25000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/4760-8-0x0000000000F60000-0x0000000000F6A000-memory.dmp

                  Filesize

                  40KB

                  Download