Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 07:20

General

  • Target

    04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe

  • Size

    636KB

  • MD5

    49e178a4e58eb5a35ef6cb6e916ac242

  • SHA1

    b09941c3e03b3077641bf42fccb21f746a2b9f82

  • SHA256

    04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a

  • SHA512

    1e0ef63db7d748e1fc2a9d918ea488ade0b526b6803db4c9c52488899f8c1b457e8c04cc6a21a4350b68e607c47c36adbada64d029b155f642dcfbabc71b4e87

  • SSDEEP

    12288:TMrvy90QJktJ732M46pHXju7vbK43zUjE/mHaPW9AZS1KveoHdWvBYMX8qET:gyfJ2oeCzbj3gjAmHaO9A6VJYMX8j

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lodka

C2

77.91.124.156:19071

Attributes
  • auth_value

    76f99d6cc9332c02bb9728c3ba80d3a9

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe
    "C:\Users\Admin\AppData\Local\Temp\04039b10f21e5541098a3844fb34657b1c629e240f7690015e863e31ad3b816a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3317787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3317787.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0467120.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0467120.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4048091.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4048091.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2108
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7543469.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7543469.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:868
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8780675.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8780675.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:4420
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2100
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2312
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4300
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1476
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3868
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4216
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3332
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1896
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1560
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2184120.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2184120.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          PID:1692
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0337151.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0337151.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:440
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:3436
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3317787.exe

    Filesize

    515KB

    MD5

    db4e1dfe8930ed5dccea001711c63d56

    SHA1

    4299c7f13791e3bc1141baebccd429a33cb4c52b

    SHA256

    47581331a3131785f2583c6170f53a35d25c19732eb5ec8449b9ca355ec52359

    SHA512

    04374db2ff32f6ea53cd6bd0bd4df6e334c9e1a6e88b6b87b685a7f1ea4930794aa8cf6c558a2ae51e1e047b000166867e189cd670716a1b7df3248fb800e16b

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0337151.exe

    Filesize

    173KB

    MD5

    e50a56a1dcd439b82a33cb5ef19faa26

    SHA1

    878219900dd930fb5b8112cdcc320424fbd6efaa

    SHA256

    c1874fde88e314e01d4d735743c745c314e0b0da18a3030ceadb41a42bc71560

    SHA512

    e1a02fba9a94fa4c1c9fdb453330bbe863b339dd9a89395758c97530c4c8d71017c05bd96d732328022de8b39d9c654b60da1372b78881a9e0b828b1688ca64a

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0467120.exe

    Filesize

    359KB

    MD5

    b09196c0549952ee80f333769629a6a1

    SHA1

    0f5c040303f9b1b65a982b661f3b0f28d1033449

    SHA256

    727c9678bb0d8dcb496134d76e2f86821a6b48655916059e55581167aec1585f

    SHA512

    54ade6891e2744e4689f5445f316ca71e1af6ccf5c9ef1d3a06a52c537149117eaecf1c30bd28db1520aa29b0d247a0ce8924b7af28537c6223b1d9c9f9bb00b

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2184120.exe

    Filesize

    38KB

    MD5

    4593cb95ac0ed500e8b3fcf42ca05b0d

    SHA1

    0e8da3433df6cbfd84baf99ddd466bf467268f5a

    SHA256

    cfd40a03e68cdd3abf91f7504425938bf78e43709c796d1e49ebada39fac47bb

    SHA512

    b03f9bee3f79810f7693eb59216e43be0cc3222456f1542287f8d40999d878d94aa848e29d78d4fca1e17d64c7d9750accd9ab26cea6829b911ed5fdbea173e2

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4048091.exe

    Filesize

    234KB

    MD5

    ff02a3ad0bc5f2f970fd25e7a8410b60

    SHA1

    4f0183d91e4033d918a37852b3cf8bec28ef3330

    SHA256

    d66ad29951bea00fa8f80206b751979ca9f6a6d25a85dce64daca2b0ecc3e62b

    SHA512

    4ecd6f584288a5c092b154fe97bfd233637892c2941972dfe6ddbd9d3241cc7cf2d10f4a477d7ec50cf5dd628d73c2a9bd6419d66b99c84bbc4ffb4e8d0e80cd

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7543469.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b8780675.exe

    Filesize

    229KB

    MD5

    66894387d7059239ea36fd5d983b03f5

    SHA1

    a2362c009491b74456083aa6d3c33c2ba5804f4c

    SHA256

    342baf6837b394c2f5c4ea5c0aa870b4a96cab165c4e9dec93ab73062769616e

    SHA512

    04d2041c30a43d189d8bf71dfd6d11a22c213169f30e3c91d4d1e376fd59de554566fe53016e7e21b3a3a5a3940ddb6be7c81f565b8b1a63dfc2f76bcb16e13d

  • memory/440-53-0x000000000A4C0000-0x000000000A5CA000-memory.dmp

    Filesize

    1.0MB

  • memory/440-50-0x00000000004F0000-0x0000000000520000-memory.dmp

    Filesize

    192KB

  • memory/440-51-0x00000000028C0000-0x00000000028C6000-memory.dmp

    Filesize

    24KB

  • memory/440-52-0x000000000A9D0000-0x000000000AFE8000-memory.dmp

    Filesize

    6.1MB

  • memory/440-54-0x000000000A3E0000-0x000000000A3F2000-memory.dmp

    Filesize

    72KB

  • memory/440-55-0x000000000A440000-0x000000000A47C000-memory.dmp

    Filesize

    240KB

  • memory/440-56-0x0000000000D00000-0x0000000000D4C000-memory.dmp

    Filesize

    304KB

  • memory/868-28-0x0000000000570000-0x000000000057A000-memory.dmp

    Filesize

    40KB

  • memory/1692-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB