Overview

overview

10

Static

static

3

1f210d4751...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f210d47513efff7a9a7d84e8bdbc490380fb3db0debdc06cab638be271070c1.exe

  • Size

    1.1MB

  • MD5

    56e9ca9cdc683f3f1c3ff00530b79b33

  • SHA1

    97f592e4b396789d829416ade431fd3f1b2d48f3

  • SHA256

    1f210d47513efff7a9a7d84e8bdbc490380fb3db0debdc06cab638be271070c1

  • SHA512

    582500183f7adac19b664592d7633e42d300cb3567fdf0a6f140ebf857888415fa1899a471c633e0003a146870ab26a242f089fcfc0163ac008f69f46dd9a7d1

  • SSDEEP

    24576:RyeztEsIwjbVrmsQQL+UsBPIn2a3oYhoGbP:EezzXjborvUsBPInJLOGb

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f210d47513efff7a9a7d84e8bdbc490380fb3db0debdc06cab638be271070c1.exe
    "C:\Users\Admin\AppData\Local\Temp\1f210d47513efff7a9a7d84e8bdbc490380fb3db0debdc06cab638be271070c1.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jx785589.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jx785589.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up943755.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up943755.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AC112618.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AC112618.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\175647176.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\175647176.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1840
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267405756.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267405756.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267405756.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267405756.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4952
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358184266.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358184266.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4588
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3612
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4260
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4028
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3312
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1732
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2356
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4868
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:396
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4456
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\491155850.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\491155850.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4840
  • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:4040
  • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jx785589.exe
    Filesize

    941KB

    MD5

    abf1a4e31eb94aa14926b8ccaf0cebf4

    SHA1

    ea2a6c5e1a6d6c33d1007a957f50b661673d5bf4

    SHA256

    00b50da84b2558975477953e11fd721e9bdc8a30d82205ddb4ed3dad3677d132

    SHA512

    3cb55fb82e3f77064da57e4d107ba05f752dbc79c910eb3ecb510f9f8e4e6969bca726bc2a440085a9f1ad19d5cf9cc4037e95ae0d2d1d7ef8a86081a084acd8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\491155850.exe
    Filesize

    341KB

    MD5

    afbb67ffe85456beee77bf386d99acb7

    SHA1

    74e9d9570e81cbedcff3c55c6ec4952a14e0fedc

    SHA256

    773dff4d3e6ad0d4e44c11995cde113feab3d8d26d58644fe80e28c49a491734

    SHA512

    d756ebe3f4b55ca41a63f1dd70d1c85358cdd2900c9c495f422dfed0f7b2a4a32d71637f446e65b7de4452712fb42cc037ea791f35c7eb0713c81d2690987adc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\up943755.exe
    Filesize

    587KB

    MD5

    a5f04a3df1fb5e474ff53cbe8fea5dde

    SHA1

    bce5ed6d34516de48be9a98175cea428d60c6a9c

    SHA256

    be34d40b1cd35ac00e6acc146b32c832f2ec7d208b9edca65d4352dec3647b7c

    SHA512

    65e4fac65526e828b6485a0589d9e9c715c809122361f7eb92127d3ea589212ec3459b37debf9299cabafa7c303d95e0f96d2e2d82424026fae4107b0bf7e1b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\358184266.exe
    Filesize

    204KB

    MD5

    1304f384653e08ae497008ff13498608

    SHA1

    d9a76ed63d74d4217c5027757cb9a7a0d0093080

    SHA256

    2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

    SHA512

    4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AC112618.exe
    Filesize

    415KB

    MD5

    8d394758944e0ebf75d3cbb59158d9ce

    SHA1

    e14965eec5351a6d1ac789c5b53f132fc30a09c0

    SHA256

    8af6191d7d6244f4ee293e9c1eecaa6fb86f39644c561e3dccea352e3c22b826

    SHA512

    b17ffd95ff6285c6dd96681096da709fa4315452297764730a4ab34aac1fd6f4d8caa53ed764a7167d7130102e3ef5b9b61867fe96dd24168e5275d03561ba9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\175647176.exe
    Filesize

    175KB

    MD5

    a165b5f6b0a4bdf808b71de57bf9347d

    SHA1

    39a7b301e819e386c162a47e046fa384bb5ab437

    SHA256

    68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

    SHA512

    3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\267405756.exe
    Filesize

    259KB

    MD5

    95c77fa59791d5ef2cf9dcc363cd0cea

    SHA1

    368ab0eb2a95d44722ed2697b0c542493813f3f2

    SHA256

    910ab62c1f059f8e5fa59428b84aac9fc9385d847ea6ef4ca7423725bdbf94bb

    SHA512

    fbf638e5465aff456550ae704aac0fc869d92acebd53b092e8861e9dcb7a98a08713ac0edc1a2b3aec21974573f530391ecaad7bbf363b45071f3957ddd60100

    Download Submit

  • memory/1840-56-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-30-0x0000000002640000-0x0000000002658000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1840-40-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-54-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-52-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-50-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-48-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-46-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-44-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-42-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-34-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-38-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-36-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-32-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-31-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-58-0x0000000002640000-0x0000000002653000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1840-28-0x0000000002340000-0x000000000235A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1840-29-0x00000000049E0000-0x0000000004F84000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4840-116-0x0000000002510000-0x0000000002545000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4840-114-0x0000000002470000-0x00000000024AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4840-115-0x0000000002510000-0x000000000254A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4840-117-0x0000000002510000-0x0000000002545000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4840-119-0x0000000002510000-0x0000000002545000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4840-908-0x0000000007580000-0x0000000007B98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4840-909-0x0000000007BF0000-0x0000000007C02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4840-910-0x0000000007C10000-0x0000000007D1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4840-911-0x0000000007D30000-0x0000000007D6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4840-912-0x0000000002370000-0x00000000023BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4952-69-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4952-64-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4952-67-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download