Overview

overview

10

Static

static

3

99b91ad09a...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99b91ad09ad87fc1386187c2aa8467d6ed3ab1aa4c2c0f1d4c7f3e1c4c672906.exe

  • Size

    1.2MB

  • MD5

    b8b49211fcb5a4f759f980d052f417a2

  • SHA1

    9148ffdb540e10a13bd49b69239fb1d2ad55fe6f

  • SHA256

    99b91ad09ad87fc1386187c2aa8467d6ed3ab1aa4c2c0f1d4c7f3e1c4c672906

  • SHA512

    361d8923e501e73e8d94863964168e0c8350f42c6732d5165bf665a60d177a62662074faeba49b588d673ee010dd6a855c92948310ce3b160958153e94518a5f

  • SSDEEP

    24576:iy2Yf0WM6MwjBqfKotjgc0RQQPqkhZyihFIQoSjnFv0aqWfKFsNEFRs31Y5MO:Jff0WDVjBatXU3JFfosh0aqWjNEDs3w

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99b91ad09ad87fc1386187c2aa8467d6ed3ab1aa4c2c0f1d4c7f3e1c4c672906.exe
    "C:\Users\Admin\AppData\Local\Temp\99b91ad09ad87fc1386187c2aa8467d6ed3ab1aa4c2c0f1d4c7f3e1c4c672906.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4864
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr792534.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr792534.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga956116.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga956116.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lo995797.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lo995797.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\183782900.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\183782900.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1800
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\261009874.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\261009874.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4764
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1076
              6⤵
              • Program crash
              PID:5080
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359882392.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359882392.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4876
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2112
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3980
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4772
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4784
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4624
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3124
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2596
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1912
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1860
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\498678143.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\498678143.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2356
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4764 -ip 4764
    1⤵
      PID:2136
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:5356
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5040
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3956

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pr792534.exe
      Filesize

      1.0MB

      MD5

      011484cfdca15ad52f7e729e12a350b9

      SHA1

      d786c3a1f4e188814a99eaeb24c525c3266f9a5a

      SHA256

      1e16153dcbf3b3875f33d0e9d0552cc0c39ff7c481bc82e487128b5a2129a3f9

      SHA512

      871a709668d3ecf0d150cfc6a796c08be2f65e1e812cc0606af2ef05f208ed7a334e5dd3cc04994eaf84cb2cb0f76a7f16d9841889db31e915cb0cbe62fd98ed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\498678143.exe
      Filesize

      461KB

      MD5

      804edc70cd8a8e1ca868232b1e9957cd

      SHA1

      f2cb140e97ac3947b313ef72e6c905d6b0dfa07d

      SHA256

      27a7366a7fce30755eff55d5adb9e9acc0670a1b922f7a3aabbb151051717611

      SHA512

      bec99453b4df5da473db7c7b163e0106ead4de48124729b12f4dabfcd1536a9700cde277e6398a95789ef9a740f2da04644120d2e34bc53a4f1afc6978480453

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ga956116.exe
      Filesize

      637KB

      MD5

      c6cd49ef31e23b856f75cc7d74f9242f

      SHA1

      894fe2238d9f2842dac19cff040534c5c606ca8e

      SHA256

      a0cdcc32b69466bbf99042e74b36b965fbe2c7e92bf0d1adeb056d2aafe4e6fc

      SHA512

      b815c24fa6b188d00ff31c8c0032292ce77098b9db9d02e901800e28b276efd8759c28bc3cba35545714220ce5f61fb211863009be0159903428d5ee6869b6b6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\359882392.exe
      Filesize

      205KB

      MD5

      4a27874f248e56ce7a25ba3a1ee17960

      SHA1

      34c07326d84ab24bdab8d57953db60756fd21236

      SHA256

      3fdb73d762377d4a41043b02806fb6dd85263a6eb3f1469cc8e7d7aed86e5d53

      SHA512

      33c9b7130c27365095150fb65c68a40d5c6eae25bb7598e1e3cfb51672f5b3adbfc3c552e0d5ad5bce22ce87d80f7eea97cb66cc87ce6ff268099a45d9798f7d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lo995797.exe
      Filesize

      465KB

      MD5

      e8e4f481ed257d251fc07838ff4a68a5

      SHA1

      f4c2ab1e2194111cba41b482af7d68d13ce2039b

      SHA256

      a54a91e7d1bcca520899acf8f88b53d099af4e872ffabae72ccc1b70369f8fea

      SHA512

      2c72516958a1038f8cb0cb6689d6d7f2a94d002caff23e54d57b95eb9e4524f27045c5bfaf5ce88a78fa451b0d36bbaaabd3d1fd9c83040b503f26ed90ab2ad5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\183782900.exe
      Filesize

      177KB

      MD5

      ccb22c2b245dd34b81f51fff59db569c

      SHA1

      b22ca193d2448ca73e0dda944a1de5f23bf0d05f

      SHA256

      2e421a4204f4b58e125a2083b2f8dc4044d88865d850ef74637ed982cab548e5

      SHA512

      68f98c7c9fecd34e3e53c94aaba5e1ca4f3173c01351feb3537b825fb0d63f2d9a2059662399fd9dee047b991865b032040f2c8e27c809957129a2c2326ae008

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\261009874.exe
      Filesize

      377KB

      MD5

      769d463033b33d8d511068838333012b

      SHA1

      fb545253843b3b6062fa3fffb8ea704cef6b4823

      SHA256

      d0e6ae1710fee32f963e932d88cf14765a1b0a718729c921942928278959e4e0

      SHA512

      5c88d06d85eddfe427be3045dc5ca9dfa2907b17fe2b9731332cd5acef94cb006c6cecaa20575194b7c87965f73387189c1d23816efa77ab7be79c44284dba13

      Download Submit

    • memory/1800-28-0x00000000023B0000-0x00000000023CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1800-29-0x0000000004970000-0x0000000004F14000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1800-30-0x0000000004F40000-0x0000000004F58000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1800-34-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-32-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-42-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-58-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-56-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-52-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-50-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-47-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-44-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-40-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-38-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-36-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-55-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-48-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1800-31-0x0000000004F40000-0x0000000004F53000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2356-115-0x0000000004E50000-0x0000000004E8A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2356-119-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2356-912-0x0000000004940000-0x000000000498C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2356-911-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2356-910-0x00000000079A0000-0x0000000007AAA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2356-909-0x0000000007980000-0x0000000007992000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2356-908-0x0000000007F40000-0x0000000008558000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2356-116-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2356-114-0x0000000002580000-0x00000000025BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2356-117-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2356-121-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4764-91-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-81-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-77-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-75-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-73-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-83-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-85-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-89-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-93-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-79-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-66-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-67-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-65-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4764-64-0x0000000002380000-0x000000000239A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4764-71-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-69-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-87-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4764-95-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download