Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    09-11-2024 10:29

General

  • Target

    f7d3686efacf69adda24ec0f03a74c0df316559f424aa266525fdb48948c990a.exe

  • Size

    641KB

  • MD5

    fca90e9ef7eeb6d32f8191d9e01c6d46

  • SHA1

    70964808f0990d0b54f65b3e25672069d5f885ca

  • SHA256

    f7d3686efacf69adda24ec0f03a74c0df316559f424aa266525fdb48948c990a

  • SHA512

    02569acbff68c71896d648ef383f7501fdd9752277167187d78838dd94b8f1328f5fa740aa143f181bf9782fcdbba9e81e71a213479552f2f598d65d163d8e33

  • SSDEEP

    12288:oMrdy90r0tTjITWm6zYJ8v2z+Hm7Rf93rIQComdEUn7N:lyFv2hlf9bvCoIR7N

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

gotad

C2

77.91.124.84:19071

Attributes
  • auth_value

    3fb7c1f3fcf68bc377eae3f6f493a684

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7d3686efacf69adda24ec0f03a74c0df316559f424aa266525fdb48948c990a.exe
    "C:\Users\Admin\AppData\Local\Temp\f7d3686efacf69adda24ec0f03a74c0df316559f424aa266525fdb48948c990a.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8338597.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8338597.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4994155.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4994155.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0822912.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0822912.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9514684.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9514684.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:512
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4283338.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4283338.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:116
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1912
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:536
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1624
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1484
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2976
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1016
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2180
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3148
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1444
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3197320.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3197320.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          PID:4892
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1439210.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1439210.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:440
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:2364
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:1916
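The process tree above shows the Amadey persistence chain in full: pdates.exe (PID 1912) registers a scheduled task that relaunches it every minute, then spawns cmd.exe to run CACLS twice per object (replace the ACL with Admin:N, then edit Admin:R back in), so the infected user can no longer modify or delete the binary or its install directory. The detector below is an added example written for this page, not code from the sandbox or the malware; it correlates those two behaviours in process-creation telemetry. The event field names (pid, ppid, image, cmdline) are assumptions loosely modelled on Sysmon Event ID 1, and the sample events are constructed from the command lines and PIDs visible in the report plus one constructed benign control.

```python
"""Correlate a minute-granularity schtasks relaunch with a CACLS
deny-then-read-only pair on the same binary/directory. Added example,
not part of the sandbox report; event field names are assumptions and
the sample events below are constructed from the report's process tree."""
import ntpath
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def split_windows_cmdline(cmdline):
    """Tokenize a Windows command line, honouring double quotes (shlex is
    POSIX-oriented and would eat the backslashes)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks(cmdline):
    """Extract /SC, /MO, /TN, /TR from `schtasks /Create ...`; None otherwise."""
    toks = split_windows_cmdline(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lower = [t.lower() for t in toks]
    if "/create" not in lower:
        return None
    opts = {t: toks[i + 1] for i, t in enumerate(lower[:-1]) if t in ("/sc", "/mo", "/tn", "/tr")}
    mo = opts.get("/mo", "")
    return {"schedule": opts.get("/sc", "").upper(),
            "modifier": int(mo) if mo.isdigit() else None,
            "task_name": opts.get("/tn"), "target": opts.get("/tr")}

def is_suspicious_task(task):
    """Minute-granularity relaunch of a binary living under the user's Temp dir."""
    if not task or not task["target"]:
        return False
    rapid = task["schedule"] == "MINUTE" and (task["modifier"] or 0) <= 5
    return rapid and bool(TEMP_DIR.search(task["target"]))

def parse_cacls(cmdline):
    """Parse `CACLS <obj> /P user:perm [/E]` into its parts; None otherwise."""
    toks = split_windows_cmdline(cmdline)
    if len(toks) < 4 or ntpath.basename(toks[0]).lower() not in ("cacls", "cacls.exe"):
        return None
    lower = [t.lower() for t in toks]
    if "/p" not in lower or lower.index("/p") + 1 >= len(toks):
        return None
    principal, _, perm = toks[lower.index("/p") + 1].partition(":")
    return {"target": ntpath.basename(toks[1]), "principal": principal,
            "perm": perm.upper(), "edit": "/e" in lower}

def detect(events):
    """One finding per suspicious task, listing which of the task's binary and
    directory also got the Admin:N replace + Admin:R /E edit under the same
    parent process (CACLS runs via cmd.exe, so walk the ancestor chain)."""
    parent = {e["pid"]: e["ppid"] for e in events}

    def ancestors(pid):
        seen = set()
        while pid in parent and parent[pid] not in seen:
            pid = parent[pid]
            seen.add(pid)
        return seen

    acl = defaultdict(lambda: {"deny": False, "readonly": False})
    for e in events:
        c = parse_cacls(e["cmdline"])
        if c is None:
            continue
        for anc in ancestors(e["pid"]):
            key = (anc, c["target"].lower())
            if c["perm"] == "N" and not c["edit"]:
                acl[key]["deny"] = True
            elif c["perm"] == "R" and c["edit"]:
                acl[key]["readonly"] = True

    findings = []
    for e in events:
        task = parse_schtasks(e["cmdline"])
        if not is_suspicious_task(task):
            continue
        exe = ntpath.basename(task["target"]).lower()
        install_dir = ntpath.basename(ntpath.dirname(task["target"])).lower()
        locked = [n for n in (exe, install_dir)
                  if acl[(e["ppid"], n)]["deny"] and acl[(e["ppid"], n)]["readonly"]]
        findings.append({"origin_pid": e["ppid"], "task_name": task["task_name"],
                         "target": task["target"], "interval_minutes": task["modifier"],
                         "acl_locked": locked})
    return findings

# Constructed sample telemetry: PIDs and command lines taken from the report's
# process tree, plus one constructed benign scheduled task as a control.
P = r"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
CACLS = r"C:\Windows\SysWOW64\cacls.exe"
SAMPLE_EVENTS = [
    {"pid": 1912, "ppid": 116, "image": P, "cmdline": '"%s"' % P},
    {"pid": 536, "ppid": 1912, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": '"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "%s" /F' % P},
    {"pid": 1624, "ppid": 1912, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit'},
    {"pid": 2976, "ppid": 1624, "image": CACLS, "cmdline": r'CACLS "pdates.exe" /P "Admin:N"'},
    {"pid": 1016, "ppid": 1624, "image": CACLS, "cmdline": r'CACLS "pdates.exe" /P "Admin:R" /E'},
    {"pid": 3148, "ppid": 1624, "image": CACLS, "cmdline": r'CACLS "..\925e7e99c5" /P "Admin:N"'},
    {"pid": 1444, "ppid": 1624, "image": CACLS, "cmdline": r'CACLS "..\925e7e99c5" /P "Admin:R" /E'},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\schtasks.exe",  # benign control
     "cmdline": r'schtasks.exe /Create /SC DAILY /TN VendorUpdate /TR "C:\Program Files\Vendor\upd.exe"'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run stand-alone it prints a single finding for origin PID 1912 with both `pdates.exe` and `925e7e99c5` in `acl_locked`; the daily vendor task produces nothing. The correlation only works when command-line logging is enabled (Sysmon Event ID 1 or Security 4688 with process command line auditing), and the ACL half is worth keeping separate from the task half: a MINUTE task alone has legitimate uses, while a user-context process denying that same user access to its own binary has very few. Note that CACLS is deprecated but still ships on Windows 10, which is why it still appears here.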

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8338597.exe

    Filesize

    514KB

    MD5

    c298a4967328047f132dd5e3a2e073ce

    SHA1

    cfdb13aee350f608248170cc8437768f3d956f88

    SHA256

    4871f3398e86e331902320982400a476179fe8e2bb4ab986a9452c7fcfb990c3

    SHA512

    b8115abc6fbc0cb6ad16bec1fefbe116555293c0285ef054216a98a7cb5f547062083228ae4cc7b70c8c8516aa30cbd4baf801a96a8d20c51a19570086084dec

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1439210.exe

    Filesize

    172KB

    MD5

    b5aa329eeb7c6e2707f57896c8245c23

    SHA1

    74f5941c22f83fa70e3e215e7e7528bda36eb00b

    SHA256

    52ab6bf1b7d5c124054023e8dd38dbed4fdc783216c883cf0fd926ae48cd2e68

    SHA512

    69bfa3bbde6a1b4390319488d2f2be260334b61c8db6e922e01e61721a92df25f58afc7ece85245984079078b81ca19ca8214336f6fd30e018efc57d72ca29f1

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4994155.exe

    Filesize

    359KB

    MD5

    6d4954975883400b63ad6c813e54f43f

    SHA1

    30c0e529ef758a7f00585c64df30b87c1c236bec

    SHA256

    84ccd4a2a7e410f6dddae2cf37dbd04a714691b8f9270d93a2caab2b35e066f0

    SHA512

    63cc9acbc9113c730c052305e50f4427936d1669f300c85ea516c12590b68cd6972826ab8ef3731b0754c388ff92d401b303a64d9c3fbe317818ec1f5dffa0f9

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3197320.exe

    Filesize

    36KB

    MD5

    7d4b9779a72be43f1b7c22dfadebcd50

    SHA1

    7626ef5d43e1add68ee11370492d4e39718fd62c

    SHA256

    82df02161c5cfc32c40513d6ffa8aa6dad877ab362628e09840388adfdbc4730

    SHA512

    abd277cd4134fb2a401f0e77939fd198143427746221220864d68d9a51db91a3ce4b81a0d8d77a0eb4792905b4e4ddf872ac5858494e28011333ae8506455efb

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0822912.exe

    Filesize

    234KB

    MD5

    d2d46495643f816114e97bf343588156

    SHA1

    404726fe59bf0fbc98e76d66ca9123f4b6e518e8

    SHA256

    36150971a9266744cf9a05fda39776103a12488f62e1823be0fcbda4e182d040

    SHA512

    9b1d86dc225193ca8e1314849a619a17dad1ee950954b5a9c373c0bf880cf77a06989f6af8e0d479078b172240eae987374c5b6f1946286d1bf6549b7f2cde25

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9514684.exe

    Filesize

    11KB

    MD5

    299231cb5aa7387acba039725b52f6af

    SHA1

    4d66492072929aa56df495a928f98ce8225e0901

    SHA256

    300f44a09d74ac717bf5a12e59262a048638dabdf99c86c1c9908bdfa6e4c60b

    SHA512

    71957e882d6f5459c24435341bd5e0247572419bb2c654d0e8fa08a0dfffa4706fd20089c1930ba6d5bf9b903679db443fb40ffc01a2562636d441fb6a3dff84

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4283338.exe

    Filesize

    226KB

    MD5

    4543c0c572986613fa9f66e61ca45624

    SHA1

    a31a4cb7ddef9b4193b2fe5501def79876429acf

    SHA256

    a632f26b5022a4b153d04eed5549e161a852a7eaac3e9f6eaec4b3841eacf24a

    SHA512

    8d6860e21de782546f708d25b3ba7561cb068bd3aca575d932846ff9a8c66e6f79511c1c60a06f0b1aa38a9f1c03956b6e084611b4f8f60f78db34512e79e02b

  • memory/440-55-0x000000000A750000-0x000000000A762000-memory.dmp

    Filesize

    72KB

  • memory/440-57-0x0000000002AF0000-0x0000000002B3C000-memory.dmp

    Filesize

    304KB

  • memory/440-56-0x000000000A7B0000-0x000000000A7EC000-memory.dmp

    Filesize

    240KB

  • memory/440-51-0x00000000009A0000-0x00000000009D0000-memory.dmp

    Filesize

    192KB

  • memory/440-52-0x0000000002D30000-0x0000000002D36000-memory.dmp

    Filesize

    24KB

  • memory/440-53-0x000000000AD40000-0x000000000B358000-memory.dmp

    Filesize

    6.1MB

  • memory/440-54-0x000000000A830000-0x000000000A93A000-memory.dmp

    Filesize

    1.0MB

  • memory/512-28-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

    Filesize

    40KB

  • memory/4892-47-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4892-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB