amadey | 49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe
Size

433KB
MD5

6ceecba79d0895eb3d914391ca2cc2c0
SHA1

c2a2387735af8ec9e73178f5294387e14771ab6f
SHA256

49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701
SHA512

aec66aa9227e074578a53b936f9b532a8748bfa05e8bfdff89a90ccdf1441432c6abb16a8b69b631d1685f88174dfe7b83327bfe25e875b78bd8fc14acc1f345
SSDEEP

12288:jMr8y90e4boilTG1au4t+h5jAXqrrc7v1:TyT+oSG5jA9Z

Score

10^/10

amadey healer redline 59b440 mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

Botnet

59b440

http://77.91.68.18

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe
url_paths
/nice/index.php

rc4.plain

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002342b-12.dat	healer
behavioral1/memory/5024-15-0x0000000000820000-0x000000000082A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7904488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7904488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7904488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7904488.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7904488.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7904488.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023428-30.dat	family_redline
behavioral1/memory/4692-32-0x0000000000110000-0x0000000000140000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	saves.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	b8709862.exe

Executes dropped EXE 7 IoCs

pid	Process
4024	v5702059.exe
5024	a7904488.exe
3692	b8709862.exe
4780	saves.exe
4692	c9155475.exe
2888	saves.exe
100	saves.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7904488.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5702059.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5024	a7904488.exe
5024	a7904488.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	a7904488.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4024	2808	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe	82
PID 2808 wrote to memory of 4024	2808	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe	82
PID 2808 wrote to memory of 4024	2808	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe	82
PID 4024 wrote to memory of 5024	4024	v5702059.exe	83
PID 4024 wrote to memory of 5024	4024	v5702059.exe	83
PID 4024 wrote to memory of 3692	4024	v5702059.exe	92
PID 4024 wrote to memory of 3692	4024	v5702059.exe	92
PID 4024 wrote to memory of 3692	4024	v5702059.exe	92
PID 3692 wrote to memory of 4780	3692	b8709862.exe	93
PID 3692 wrote to memory of 4780	3692	b8709862.exe	93
PID 3692 wrote to memory of 4780	3692	b8709862.exe	93
PID 2808 wrote to memory of 4692	2808	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe	95
PID 2808 wrote to memory of 4692	2808	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe	95
PID 2808 wrote to memory of 4692	2808	49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe	95
PID 4780 wrote to memory of 1784	4780	saves.exe	97
PID 4780 wrote to memory of 1784	4780	saves.exe	97
PID 4780 wrote to memory of 1784	4780	saves.exe	97
PID 4780 wrote to memory of 4076	4780	saves.exe	98
PID 4780 wrote to memory of 4076	4780	saves.exe	98
PID 4780 wrote to memory of 4076	4780	saves.exe	98
PID 4076 wrote to memory of 1516	4076	cmd.exe	101
PID 4076 wrote to memory of 1516	4076	cmd.exe	101
PID 4076 wrote to memory of 1516	4076	cmd.exe	101
PID 4076 wrote to memory of 760	4076	cmd.exe	102
PID 4076 wrote to memory of 760	4076	cmd.exe	102
PID 4076 wrote to memory of 760	4076	cmd.exe	102
PID 4076 wrote to memory of 4336	4076	cmd.exe	103
PID 4076 wrote to memory of 4336	4076	cmd.exe	103
PID 4076 wrote to memory of 4336	4076	cmd.exe	103
PID 4076 wrote to memory of 5096	4076	cmd.exe	104
PID 4076 wrote to memory of 5096	4076	cmd.exe	104
PID 4076 wrote to memory of 5096	4076	cmd.exe	104
PID 4076 wrote to memory of 1056	4076	cmd.exe	105
PID 4076 wrote to memory of 1056	4076	cmd.exe	105
PID 4076 wrote to memory of 1056	4076	cmd.exe	105
PID 4076 wrote to memory of 952	4076	cmd.exe	106
PID 4076 wrote to memory of 952	4076	cmd.exe	106
PID 4076 wrote to memory of 952	4076	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\49a50984850c9f0ddb7e50596fa38c97f86915635a2d83c9c1f53e5e72ba9701_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5702059.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5702059.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7904488.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7904488.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8709862.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8709862.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
      "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1516
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:N"
        6⤵
        
        PID:760
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "saves.exe" /P "Admin:R" /E
        6⤵
        
        PID:4336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:5096
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:N"
        6⤵
        
        PID:1056
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b40d11255d" /P "Admin:R" /E
        6⤵
        
        PID:952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9155475.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9155475.exe
  2⤵
  - Executes dropped EXE
  PID:4692

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:2888

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
1⤵
- Executes dropped EXE
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c9155475.exe

Filesize
175KB

MD5
6be3c54c7d9910fd3120148b6730cc3b

SHA1
6aa57ae1b226bc2ce99c696973be440229b8c724

SHA256
9047d8a9a0a32396dfaba8edeba41c4f273be36b3111547b76a66363c57b4390

SHA512
3e8bfc081cab88194f8ea3f752193af432bf7ce7517991c8a3192978253d69e94191666ccc4faf3be476f0fd8add5d570523371430c4b4906367df1ac1f8ab26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5702059.exe

Filesize
277KB

MD5
7091d9dfed0ca80f9cd4f4a810501e91

SHA1
225b5893280f3284c7c1db4d8c125d5511f4ad72

SHA256
47468185a9c0fada4d543f71f58bdebbe0a86977fb8493f8ace554b7f1656b8c

SHA512
50fb27aaefbd429374b40e62c62a8a799379c78690a60c8bd45c0f6bfaf5ca0e0f210428280d875fe5ff2f28a3d6dc633026663b82c3fab0b75c93680b7fe08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7904488.exe

Filesize
11KB

MD5
16e7cc807f53ce38eb67dad191a7c3a4

SHA1
9c4140d8e70d69e66a9ed3e663579a1391fd5725

SHA256
89bbab4c734612c2db9625463044573d30d03f2cd515ed05ddbcad56b8c43e79

SHA512
2c6df5b3ae8c11ff710320de231ba6fa0ac7326ac32507550f574a0c824bc521c017992706f7277a3f34c688b7fa9e5732e9aaf7e1d1db263d433bcfa6efb98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8709862.exe

Filesize
338KB

MD5
d2b8675eaf4b13e54a8de89354e02104

SHA1
e5d070a6e58d11b3532dbe6541d9a8942f6e9990

SHA256
eed3fda9f7a57b8bf1ff15c84fcec1ff761eee04c680cad8f7f8d69e237c1d31

SHA512
bdc510eda3db331ba74aabcf69cdc1ad387ff93cd97d4a92c878dbd447efb1c7b0f99c891d15713bbe6348e358e8bdae9c57eac4a50430911becedc6c6a165cc

Download Submit
memory/4692-35-0x0000000004D30000-0x0000000004E3A000-memory.dmp

Filesize
1.0MB

Download
memory/4692-32-0x0000000000110000-0x0000000000140000-memory.dmp

Filesize
192KB

Download
memory/4692-33-0x0000000004B70000-0x0000000004B76000-memory.dmp

Filesize
24KB

Download
memory/4692-34-0x0000000005240000-0x0000000005858000-memory.dmp

Filesize
6.1MB

Download
memory/4692-36-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4692-37-0x0000000004C60000-0x0000000004C9C000-memory.dmp

Filesize
240KB

Download
memory/4692-38-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

Filesize
304KB

Download
memory/5024-15-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/5024-14-0x00007FFA50063000-0x00007FFA50065000-memory.dmp

Filesize
8KB

Download