Overview

overview

10

Static

static

3

752203d8fa...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 21:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    752203d8fa53e0ecc24042c38b26455b33de84c1d21f590a10ee8cb1eb84f61c.exe

  • Size

    1.2MB

  • MD5

    b674a4ee44a5dcfa0edd5f8a835fae44

  • SHA1

    a6f7e292faadcf3b141ebc0c464a7bd2c51d5eab

  • SHA256

    752203d8fa53e0ecc24042c38b26455b33de84c1d21f590a10ee8cb1eb84f61c

  • SHA512

    eb0b7246e0deaee64a3acaa5d9005e895ca5b55ec837b0f76914dcd89ab6151922a802111f605526cc9e5a109ec294f1f8eb21236dd051963d492cad9d832f65

  • SSDEEP

    24576:6ytnhg3qnOK3y/KFR11pXrhxWy26BfF46le1VTT/FSvYnS:BVK2Ouy/MTbHWPWVEnTdJ

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\752203d8fa53e0ecc24042c38b26455b33de84c1d21f590a10ee8cb1eb84f61c.exe
    "C:\Users\Admin\AppData\Local\Temp\752203d8fa53e0ecc24042c38b26455b33de84c1d21f590a10ee8cb1eb84f61c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RR827303.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RR827303.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cQ565257.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cQ565257.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CE862910.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CE862910.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4252
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119610036.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119610036.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4476
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\238789710.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\238789710.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350849783.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350849783.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3856
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5052
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4616
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3968
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4504
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4920
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4324
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3460
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4432
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430932194.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430932194.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5024
  • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:3500
  • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RR827303.exe
    Filesize

    1.0MB

    MD5

    82860a83e49761f66ab1f3ebea1e6cf3

    SHA1

    6aa22b12e15294b0828833479b24acbcf8755083

    SHA256

    b0c9e9c3bf6c08fc6cd64a6bab12d5d4da1d1452f99cc52a1a1d751daa9d15f0

    SHA512

    3b4e488cea55c69f46d8e3d1646b40fbbef69e4b7faf0e158c1ca475a2cd7e8c63c62fe98aed7659c5579c3ca2fc85e558ebc860232ac506a3ff961318871342

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\430932194.exe
    Filesize

    460KB

    MD5

    3b1c20eafb90c45f06025740aa1d64a9

    SHA1

    688f3bd418f2191a77ecbfc9c9c795a19546592f

    SHA256

    1f0802eb71b975fee6be5288673ed62bbe75ee118b57cee5ec1ce9484aab70d0

    SHA512

    d921088fcb88852b375c6619eb337462a5fe64679eff3f3e5a1f3a9d071ae2ea876d894cb0d590531e43b4203eab1d36c8f5197d407ab774533c8add8002ab78

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\cQ565257.exe
    Filesize

    637KB

    MD5

    03e2e93117a138d91de947512c86febb

    SHA1

    b91e0ca7aef6cb141b12207018911cd57025673a

    SHA256

    015e630e4d788ea12156dcf5b81b2b197faeb5ec5702f11079dd29c30ad660d3

    SHA512

    883c9de068164de88ff9edb7d5c512667cd0e5d216f39e61adb995d546cd495bb98bd54d3cecf55a458806a738924f03d5fa69de1dec242e8b623fc602a8d09e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\350849783.exe
    Filesize

    204KB

    MD5

    3e09dbf602641b5e95428ce11fafd260

    SHA1

    d33d03188c077595c92e8adb1c17ec6ba647129e

    SHA256

    33faa5822f4df94dd736d9c3f633959c4e54a1df218d5ca699721e69b00e6477

    SHA512

    ff89e07b7f4f4b131a79628542aab45ec238f2af3433685100962a5fc84d9c9e64e1467e8ebf10ad8fe4d51d716e0a8d3a2ca7234f306ecf307e930a1e75a239

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\CE862910.exe
    Filesize

    466KB

    MD5

    96e8a1ff17bad95d366f2e01678e62b9

    SHA1

    0cc292bfcb4e0e2b1de114f8f4c0d5262349e159

    SHA256

    48744437e85122ff2ef671d99cf05e0e643312d308204f28786aece2f2496cbe

    SHA512

    65d495eec7e9cb42ad8c82c0ed22603b3d788d9b09316b9b718433900b1d2222d69061b0e2241423dbc68d29680ba7d4888d52888b134ea4420086f487d9575a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\119610036.exe
    Filesize

    176KB

    MD5

    368b8d0ddf361f485c5b044d451b58ea

    SHA1

    fdee7f32c0a5f006b7f5f71bc1fca4ddaff1029e

    SHA256

    a36763c005c027d5c448bc1c23545b29c9ecc5a7571c54db5cc3380b0f58a384

    SHA512

    a16bfbc03aba6202c6c341d55c5e05f3c61c1b70d83fc732da37c14046150f7264c937877a1e836d4e283ab77ba8b8c918a24d98a782f71d530ec8b4616be1bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\238789710.exe
    Filesize

    378KB

    MD5

    fc126663c3508a9991e5aeb6c437374c

    SHA1

    7be3b4729c5f706271ef5471f67d81766c8fd8f1

    SHA256

    7f5810de466030a8254c0b72e9890fa6082fd0af864ab3fa2c9f296f38cbb105

    SHA512

    bcbd7ff32200a99151d25bc98394c45f3db4e4f30d8c6eac0dbadaa329b7fc653b4b4bed9a674d43c53ecdc4a2f0537c99079a013d7804e03f7035186c4ebf63

    Download Submit

  • memory/1588-66-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-67-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-95-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1588-73-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-81-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-69-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-75-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-77-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-79-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-83-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-85-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-93-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-87-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-89-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-91-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-71-0x00000000027E0000-0x00000000027F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1588-64-0x0000000002690000-0x00000000026AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1588-65-0x00000000027E0000-0x00000000027F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4476-35-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-56-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-31-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-32-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-58-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-36-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-38-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-40-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-43-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-46-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-48-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-50-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-52-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-54-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-30-0x0000000002500000-0x0000000002518000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4476-44-0x0000000002500000-0x0000000002513000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4476-29-0x0000000004BC0000-0x0000000005164000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4476-28-0x00000000022E0000-0x00000000022FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5024-114-0x0000000002650000-0x000000000268C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5024-115-0x0000000005520000-0x000000000555A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/5024-116-0x0000000005520000-0x0000000005555000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5024-121-0x0000000005520000-0x0000000005555000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5024-119-0x0000000005520000-0x0000000005555000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5024-117-0x0000000005520000-0x0000000005555000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5024-908-0x0000000007A20000-0x0000000008038000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5024-909-0x00000000080A0000-0x00000000080B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5024-910-0x00000000080C0000-0x00000000081CA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5024-911-0x00000000081E0000-0x000000000821C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5024-912-0x0000000002930000-0x000000000297C000-memory.dmp

    Filesize

    304KB

    Download