Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 03:30

General

  • Target

    d1af52bb30dcf7d7654a29439ccf3c349bf40b1987485bb914f1de7eebd15305.exe

  • Size

    642KB

  • MD5

    5abe86873dc4ebc6bb41db7915e0de05

  • SHA1

    232f972ffcc0a11be1d23129cba195c774147dd7

  • SHA256

    d1af52bb30dcf7d7654a29439ccf3c349bf40b1987485bb914f1de7eebd15305

  • SHA512

    2e553b66d6b708e73b4de27a5e459a3847397db42f94ef62d7a6884ceb9df0a9f0bd381bff6811fcdd9a0b0d4b9c2e2102a9ad2e0ef029915faf477f62b99e72

  • SSDEEP

    12288:6Mr7y90bkgLZCFUGzREhidbXeK5Wtrs2wHoeJZ+7+VlJEDCN+:Ry8LBGzcidbXX5WCxHJrV/EDCM

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lodka

C2

77.91.124.156:19071

Attributes
  • auth_value

    76f99d6cc9332c02bb9728c3ba80d3a9

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1af52bb30dcf7d7654a29439ccf3c349bf40b1987485bb914f1de7eebd15305.exe
    "C:\Users\Admin\AppData\Local\Temp\d1af52bb30dcf7d7654a29439ccf3c349bf40b1987485bb914f1de7eebd15305.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4518261.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4518261.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3868
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2688527.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2688527.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1621275.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1621275.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3016
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4717171.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4717171.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4360
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7362321.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7362321.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:2612
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3624
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4988
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:948
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1032
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1340
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1628
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5088
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1556
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:5060
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9358843.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9358843.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          PID:4864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3764537.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3764537.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1316
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:4876
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:3656
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5088

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4518261.exe

    Filesize

    514KB

    MD5

    e9acf4e7f65fcefc9b241f517471e99d

    SHA1

    8edcc4a9662f09b4dc55661418a184e87ed2fe7f

    SHA256

    73ef7469585e66723d1211dc4800088e0e93d2d218fce89b6ff026ddd89eaaca

    SHA512

    031ffbdf0c0ba076251e1102a21621983f4c2be183488d1a7d924ba9cca3a6990a0855b9c9b16eccda6e7c0b3f9930376489e5358ef524854589f5d658b9d0b9

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3764537.exe

    Filesize

    173KB

    MD5

    852358bd73791e0684e03eeaeeffac3c

    SHA1

    4093508eaaf5b6677ecae7747ec964a8ae1cc593

    SHA256

    60070f5ef329c1925924cd37d00ba94274a0d8ad24920b9310e2e9e5d83bbe47

    SHA512

    dcfb6c95fddc8027071d25b9a32d73fdd343f04357eb23b7cd8f12be147d8a94308200fd54376ad7eeba691a6e6ab54ae268de70d812084d64cd41911a8632e2

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2688527.exe

    Filesize

    359KB

    MD5

    3a7448b02e899a528ff5633baa3a6bdd

    SHA1

    873262df0c248206b6fdbc92b02f7551a66e0e1d

    SHA256

    b849ccaf5cf5bf779d6bcf2bb6efa0d8b726c9d2e601699b0056b48f7d96a7fe

    SHA512

    f56438d181afb6910914800c8bad6116c5f54d4cd13ca6052bf2ffd9e6fc76d77f4bbb8cfd85c3a712f23cd1f45055acabb6704887f9e9e965579db90cc73383

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9358843.exe

    Filesize

    38KB

    MD5

    427aa69ff8d80790480a120eec07155e

    SHA1

    7fab14f66fd9c1e4452d745a9493cf23a2f65709

    SHA256

    d06e2c633ed67b4b7e2e94f442a6a7c5a7c3a25d9390f3d275a1caee91b378ca

    SHA512

    f31dbabe3b0e7348b7e1c6f39d101cbffb045c2654dee029c0b0c9a851d583559329675c2ed8fb9b719f8a4830e49e70726a7a504b94d02d083cfa7095ca971b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1621275.exe

    Filesize

    234KB

    MD5

    a6ba0f56364d34116c06129fa2583c2d

    SHA1

    1bd31ea9ee4eb747801dac610b520924a10ee0ab

    SHA256

    f8bb6f577654d7dd8b0ec5dbd9ee2401990ca235f09d9b80a369557344f5c7a7

    SHA512

    fe41756792aac51276b3fb4d64044e6661d2a1423d340d82df00adde8f5f5fe509d58527eabbc0987940ca016a56a308b69806ceaec37b5a0fd28473bbcc7f5d

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4717171.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7362321.exe

    Filesize

    229KB

    MD5

    a9ebd9c53cf5d6dbf9f378836d88a31a

    SHA1

    ca9c0d85264e67b6cdb7e5dad2f0a62a9afbac17

    SHA256

    1879cc826c6ca6a6f4f2c9bcbf5f4c147c33ae2bb28447251a6ad4df4ce0250c

    SHA512

    7391e654b9c2e066db861fced50a598541e57791499dcd4af244892566e39ceda38f20029fbd8df534a51472df6f996edce215533b5d56a0c4e3434618131843

  • memory/1316-53-0x000000000A0B0000-0x000000000A1BA000-memory.dmp

    Filesize

    1.0MB

  • memory/1316-50-0x0000000000100000-0x0000000000130000-memory.dmp

    Filesize

    192KB

  • memory/1316-51-0x0000000004A20000-0x0000000004A26000-memory.dmp

    Filesize

    24KB

  • memory/1316-52-0x000000000A550000-0x000000000AB68000-memory.dmp

    Filesize

    6.1MB

  • memory/1316-54-0x0000000009FF0000-0x000000000A002000-memory.dmp

    Filesize

    72KB

  • memory/1316-55-0x000000000A050000-0x000000000A08C000-memory.dmp

    Filesize

    240KB

  • memory/1316-56-0x0000000002390000-0x00000000023DC000-memory.dmp

    Filesize

    304KB

  • memory/4360-28-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

    Filesize

    40KB

  • memory/4864-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB