Overview

overview

10

Static

static

3

2ae72cafa8...de.exe

windows10-2004-x64

10

2d225565e0...be.exe

windows10-2004-x64

10

5f94dabf69...6d.exe

windows10-2004-x64

10

65296f4680...95.exe

windows7-x64

3

65296f4680...95.exe

windows10-2004-x64

10

7618ddb9e4...07.exe

windows10-2004-x64

10

8865ec3f94...5a.exe

windows10-2004-x64

10

8d796a364d...e4.exe

windows10-2004-x64

10

aabdc92d30...96.exe

windows10-2004-x64

10

bae99364dc...55.exe

windows10-2004-x64

10

cc35c0b2bc...24.exe

windows10-2004-x64

10

d63c4114c3...86.exe

windows10-2004-x64

10

d65bb810cc...a7.exe

windows10-2004-x64

10

d764830962...c8.exe

windows10-2004-x64

10

d9124df1a4...d1.exe

windows10-2004-x64

10

e1564be8f1...ad.exe

windows10-2004-x64

10

e7ee230707...d5.exe

windows10-2004-x64

10

e8a7f5f2b3...4b.exe

windows10-2004-x64

10

e8bf7b5c22...96.exe

windows10-2004-x64

10

eb214d5f58...c6.exe

windows10-2004-x64

10

edacb614f4...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1.exe

  • Size

    390KB

  • MD5

    3af121030f860f8cdb00df0f76d33eee

  • SHA1

    d08b4343f323e65e7276951b6234b00b63b61fc1

  • SHA256

    d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1

  • SHA512

    cd358c9c9fe57e9849d6180c324b05ee2a8d62feae2cfac7a80afb3661ae1a7d5d880095cdd35b50a6567d613506ffc78eb5455ae6d95f009cfa1637a118e1b9

  • SSDEEP

    6144:Kdy+bnr+Sp0yN90QEmyvzJ8b9UCTqnV1lS+yyMmmLrMZjWAuGGDPR8I:rMrey90B8b2xVTS+FzWVfRh

Score
10/10
amadeyhealerredline88c8bbmaxikdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

maxik

C2

77.91.124.156:19071

Attributes
  • auth_value

    a7714e1bc167c67e3fc8f9e368352269

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1.exe
    "C:\Users\Admin\AppData\Local\Temp\d9124df1a48c55317dd58c4ab328c969efa7a2d673ba2134c19648e01de841d1.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9010925.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9010925.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7907616.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7907616.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8336775.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8336775.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2504
        • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
          "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3300
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
            5⤵
            • Creates scheduled task(s)
            PID:3848
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4892
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
                PID:4516
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                6⤵
                  PID:2732
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  6⤵
                    PID:5100
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    6⤵
                      PID:3496
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "..\925e7e99c5" /P "Admin:N"
                      6⤵
                        PID:1172
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "..\925e7e99c5" /P "Admin:R" /E
                        6⤵
                          PID:1628
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5283023.exe
                  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5283023.exe
                  2⤵
                  • Executes dropped EXE
                  PID:2632
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:4868
              • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
                1⤵
                • Executes dropped EXE
                PID:3328
              • C:\Windows\system32\sc.exe
                C:\Windows\system32\sc.exe start wuauserv
                1⤵
                • Launches sc.exe
                PID:4864

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m5283023.exe
                Filesize

                173KB

                MD5

                4c3e0e9421633de0ebb0ed417e57bf81

                SHA1

                f0f6faf74cb490dd46056298021d6ee12c062534

                SHA256

                f3a835a8ef2729adf4993fc1f71ee3756d0afd43f06f1a1932c88d78cf579e13

                SHA512

                8eb21fd8fb2ed8b7ab0a339be22da8a1c2fb3bf6e7c915d9af99ce61d92f29f1f07b307a4a6396a4d52269dbc1e8396dda288f6652c5a324443a1ab4f6775df0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9010925.exe
                Filesize

                234KB

                MD5

                bdaa31e58ff32bfd21d3a869da09113b

                SHA1

                86be7d2ae0254a3c0ec114dd047c4eaae48f9f4d

                SHA256

                23c79f0e2c8a386aa9fb01ce42c547b6cb876959fe98e2843af2202290c0065b

                SHA512

                b60a96aa57f0de445888d59d04f7db25ffbfeba00d23b3e0d6a1cfb0c0d2d68e26640ec079c0cb100d96402d1fca3e349d73fc25d748f0353bd80886c1b69d66

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7907616.exe
                Filesize

                11KB

                MD5

                7e93bacbbc33e6652e147e7fe07572a0

                SHA1

                421a7167da01c8da4dc4d5234ca3dd84e319e762

                SHA256

                850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

                SHA512

                250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8336775.exe
                Filesize

                223KB

                MD5

                aea234064483f651010cf9d981f59fea

                SHA1

                002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

                SHA256

                58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

                SHA512

                eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

                Download Submit

              • memory/2632-36-0x00000000050C0000-0x00000000051CA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2632-33-0x0000000000470000-0x00000000004A0000-memory.dmp

                Filesize

                192KB

                Download

              • memory/2632-34-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2632-35-0x00000000055D0000-0x0000000005BE8000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/2632-37-0x0000000004F30000-0x0000000004F42000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2632-38-0x0000000004FB0000-0x0000000004FEC000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2632-39-0x0000000004FF0000-0x000000000503C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/3732-15-0x0000000000520000-0x000000000052A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/3732-14-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

                Filesize

                8KB

                Download