Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    • arch:x64
    • arch:x86
    • image:win10v2004-20241007-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted
    05/11/2024, 14:26

General

  • Target

    1823689cb5b5f03c880cbf2655c7319681f9ce505d110cc96c5c1c7e92cdc120.exe

  • Size

    515KB

  • MD5

    8c6440a9a75209f3da85480374878822

  • SHA1

    2cc396352a7555299163da4221bee9814ed96efc

  • SHA256

    1823689cb5b5f03c880cbf2655c7319681f9ce505d110cc96c5c1c7e92cdc120

  • SHA512

    28cffcdb9e699370dcaddc3870f9a701682d4ffb0747db454dd66efb6b24479e86787bc879b10fc0518b5c205f6d7b0db54519e2524af77437ad31dbd743dbbf

  • SSDEEP

    12288:LMrhy90cTXOc996gsV781xh7LWqpWJIojDI:ayzTd9c677StVU

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lande

C2

77.91.124.84:19071

Attributes
  • auth_value

    9fa41701c47df37786234f3373f21208

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper (2 IoCs)
  • Healer

    Healer is an antivirus-disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 6 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • RedLine family
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • SmokeLoader family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (9 IoCs)
  • Windows security modification (2 TTPs, 1 IoC)
  • Adds Run key to start application (2 TTPs, 3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (44 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\1823689cb5b5f03c880cbf2655c7319681f9ce505d110cc96c5c1c7e92cdc120.exe
    "C:\Users\Admin\AppData\Local\Temp\1823689cb5b5f03c880cbf2655c7319681f9ce505d110cc96c5c1c7e92cdc120.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9893878.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9893878.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2785730.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2785730.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3660
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6765803.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6765803.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5024
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1298103.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1298103.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2780
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4132
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3596
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1780
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2040
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1052
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4812
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1492
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7750813.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7750813.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        PID:2356
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4424731.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4424731.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4564
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:4876
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:1540
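The tree above is the Amadey installer's persistence routine: pdates.exe (PID 2780) registers itself as a scheduled task that fires every minute, then runs cacls through cmd.exe to deny the current user all access to its own binary and install directory and re-grant read-only access, so the user can no longer delete either. The following Python is added here as an example and is not part of the sandbox report; it expresses that chain as detection logic over process-creation events. The event records are constructed from the command lines and PIDs shown in the Processes section; the benign control task at the end, the rule names, and the attribution walk past cmd.exe/schtasks/cacls helpers are assumptions of the example.

```python
"""Detect the Amadey-style install chain: a minute-interval schtasks entry whose
action lives under a user's AppData, plus a cacls deny-all on the dropped file,
both attributable to the same parent process.
Added example, not part of the sandbox report. Events are constructed from the
report's Processes section (PIDs match); the benign control event is made up."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(2780, 1400, r"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"'),
    ProcEvent(4132, 2780, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe '
              r'/TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F'),
    ProcEvent(1676, 2780, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&'
              r'CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&'
              r'CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit'),
    ProcEvent(1780, 1676, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "pdates.exe" /P "Admin:N"'),
    ProcEvent(2040, 1676, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "pdates.exe" /P "Admin:R" /E'),
    # Constructed benign control: a daily vendor updater in Program Files must not fire.
    ProcEvent(9001, 9000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN Updater /TR "C:\Program Files\Vendor\update.exe"'),
]

# A task action under a user's AppData is the first tell; system software
# schedules its updaters from Program Files or System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# /TR "quoted path" or /TR unquoted-token
TASK_ACTION = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
# cacls ... /P "user:N" writes a deny-all ACE for that user
CACLS_DENY = re.compile(r'/P\s+"?([^"\s:]+):N\b', re.I)
# Processes that only relay the installer's intent; attribution walks past them.
HELPERS = {"cmd.exe", "schtasks.exe", "cacls.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scheduled_task_from_user_dir(ev):
    """Minute-interval schtasks /Create whose action is in a user-writable directory."""
    if basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = TASK_ACTION.search(ev.cmdline)
    target = (m.group(1) or m.group(2)) if m else ""
    every_minute = re.search(r"/SC\s+MINUTE\b", ev.cmdline, re.I) is not None
    if every_minute and USER_WRITABLE.search(target):
        return {"rule": "schtasks_minute_user_dir", "pid": ev.pid, "target": target}
    return None


def cacls_deny(ev):
    """cacls run that denies a user all access. The follow-up '/P user:R /E' grant
    is not flagged on its own; the deny is the anomaly."""
    if basename(ev.image) != "cacls.exe":
        return None
    m = CACLS_DENY.search(ev.cmdline)
    if m:
        return {"rule": "cacls_deny_all", "pid": ev.pid, "user": m.group(1)}
    return None


def installer_of(ev, by_pid):
    """Walk up through cmd.exe/schtasks/cacls to the process that owns the behaviour."""
    cur = by_pid.get(ev.ppid)
    while cur is not None and basename(cur.image) in HELPERS:
        cur = by_pid.get(cur.ppid)
    return cur.pid if cur is not None else ev.ppid


def analyze(events):
    """Return ({installer_pid: verdict}, {installer_pid: [hits]})."""
    by_pid = {e.pid: e for e in events}
    hits_by_installer = {}
    for ev in events:
        for rule in (scheduled_task_from_user_dir, cacls_deny):
            hit = rule(ev)
            if hit:
                hits_by_installer.setdefault(installer_of(ev, by_pid), []).append(hit)
    verdicts = {}
    for pid, hits in hits_by_installer.items():
        rules = {h["rule"] for h in hits}
        # Both behaviours under one parent is the install pattern seen above;
        # either alone is worth a look but not conclusive.
        if {"schtasks_minute_user_dir", "cacls_deny_all"} <= rules:
            verdicts[pid] = "amadey_like_install"
        else:
            verdicts[pid] = "suspicious"
    return verdicts, hits_by_installer


if __name__ == "__main__":
    verdicts, hits = analyze(EVENTS)
    for pid, verdict in verdicts.items():
        print(pid, verdict, hits[pid])
```

Run stand-alone it attributes both hits to PID 2780 and reports the combined verdict; the benign daily task produces nothing. Fed real EDR process-creation events, the same two rules plus the parent walk are enough to surface this chain regardless of the random install directory and file name Amadey picks per build.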

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d4424731.exe

    Filesize

    174KB

    MD5

    ddf008433e511674009b3d7501936cd3

    SHA1

    580ccbc59627cfc8fd0633a1ea619f4b6c2f9d97

    SHA256

    44fc73aadee9793ba3f60328aabd120ae3b97e8c8b632d6afef38f585b30a76a

    SHA512

    20c9a6404a4f1995a5fbb48b0ebeb050a01c57d136cae305de89b60427a842905b65dbe74d517eeb8a356ac92e050b26c4a34e0080178bde8c8eff1e96a4adec

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9893878.exe

    Filesize

    359KB

    MD5

    c34863ce83facc6116a0e964759aa9ad

    SHA1

    201aa536454a186b54357a5dc76ff968788c9ad2

    SHA256

    8ce374c5e844ff3b5f099ff2d49ce489d71c647d86d092dfbcf9a8c0149f7abd

    SHA512

    439687f52fd55d8d5d4b51dc6140fba12ea1fcf5a3bc8014e528731d5f9215c209bda547ac97c882de00f0ee9bf9f571f38a325b51ec2dcda1624c2c9ae44dfa

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c7750813.exe

    Filesize

    36KB

    MD5

    bac01433d6cc78b67156714749845380

    SHA1

    b542f73ee9e3a49d1e662d6093c7620b5f8a5586

    SHA256

    59631b50a39a03eb2df731abed519056cf5b91bea9113cb2d03bd2e33c5a063d

    SHA512

    c47ec98df0b1a0d118a4d6d3ea222d5b66c52c9dfe008b5b4234123a0319b2250873f81e99d3c290e27f8e9b1db8c1cc34ac40b7f78e995ba5d6dff8eceb888b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2785730.exe

    Filesize

    234KB

    MD5

    147725f7c7572241c8c99c4168f975b3

    SHA1

    612f9e1f063ca3e0646a10502925f17307c21776

    SHA256

    d4e5922153070eb43488ed6be71d701aae6ac466bccb643722349e062d4444f6

    SHA512

    e542a8629cc905afc2e50371ec41a91c3dbf3b96bfbc0d67615dca1feb02aedb3327098d218e4427fb73842f4a0dde05c23fb1a6ae209e6076ce71a0b88ccb99

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a6765803.exe

    Filesize

    13KB

    MD5

    984021f542dc10f3d72009dc6a15711c

    SHA1

    c1f6fef10938138f1c4a378058b5acebfe8baceb

    SHA256

    f078c8f334ac36711faec74167a3422558f4e0abb2d5fd42639d500e9494c680

    SHA512

    88d943224775f922aec1ef5ac9e6c3a44b97f796d7791dd739cf4219365f738514074eb187d7ff60a2549334a73404a0ba28aa3d7c63faceebfb008f2ddd6446

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1298103.exe

    Filesize

    225KB

    MD5

    b5ee9eedcae6bfc036759997e6326b39

    SHA1

    fb904515635b81a94a3160a27b31c993852b2f0f

    SHA256

    97d7c30e0a1287b2c462a5471e7576a80fc74acb4ced62201fd2852c1843a0d8

    SHA512

    7aa6c95e9f802d4dc2c34eedba266ef967faff54868b28c213ffbd15e03661f9007fbcde8a27a62351b11b36796799f17916e2fdfb398f45b87fb6fec7abffdb

  • memory/2356-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4564-47-0x000000000AC30000-0x000000000B248000-memory.dmp

    Filesize

    6.1MB

  • memory/4564-45-0x0000000000880000-0x00000000008B0000-memory.dmp

    Filesize

    192KB

  • memory/4564-46-0x0000000001130000-0x0000000001136000-memory.dmp

    Filesize

    24KB

  • memory/4564-48-0x000000000A720000-0x000000000A82A000-memory.dmp

    Filesize

    1.0MB

  • memory/4564-49-0x000000000A630000-0x000000000A642000-memory.dmp

    Filesize

    72KB

  • memory/4564-50-0x000000000A690000-0x000000000A6CC000-memory.dmp

    Filesize

    240KB

  • memory/4564-51-0x0000000004B50000-0x0000000004B9C000-memory.dmp

    Filesize

    304KB

  • memory/5024-23-0x00007FFD41343000-0x00007FFD41345000-memory.dmp

    Filesize

    8KB

  • memory/5024-22-0x0000000000D70000-0x0000000000D7A000-memory.dmp

    Filesize

    40KB

  • memory/5024-21-0x00007FFD41343000-0x00007FFD41345000-memory.dmp

    Filesize

    8KB