Overview

overview

10

Static

static

3

9e1ecb0a89...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 22:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e1ecb0a8927783fc6a786ce25b091753bad2629ceb01282a3cf8932b83fdd96.exe

  • Size

    1.2MB

  • MD5

    4f3345afae6337e8cf65227ef6b5fa5d

  • SHA1

    122ec7ca8e3e477e2570678b949d3a503d9d04a0

  • SHA256

    9e1ecb0a8927783fc6a786ce25b091753bad2629ceb01282a3cf8932b83fdd96

  • SHA512

    63d94a68aad06594de76b35552493458fd1bc3213913ccd9431514ee00b53b83dec94f531f2c77f5187ca9ab82f4070e4d4527db0cb9fc491086e626ccc0300b

  • SSDEEP

    24576:MyNvDdcE3vGgqZYXauGghLf7sigZhrqczhrNN18M6assZEKikrQWCnM:7hBHvvqZ8aRghLf7d4FqG9PtsYEKiln

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e1ecb0a8927783fc6a786ce25b091753bad2629ceb01282a3cf8932b83fdd96.exe
    "C:\Users\Admin\AppData\Local\Temp\9e1ecb0a8927783fc6a786ce25b091753bad2629ceb01282a3cf8932b83fdd96.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq928748.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq928748.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YQ873003.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YQ873003.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1500
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jK582739.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jK582739.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3152
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123951224.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123951224.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3136
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205604223.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205604223.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1080
              6⤵
              • Program crash
              PID:2628
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\374410590.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\374410590.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1344
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4436
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4068
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4416
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3236
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4816
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1368
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4028
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4784
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\484042975.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\484042975.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2772 -ip 2772
    1⤵
      PID:2412
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:4252
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:5032
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:3196

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gq928748.exe
      Filesize

      1.0MB

      MD5

      7ec1c998edf9d0db2f788d1b354eaed5

      SHA1

      507f5a0ba16d362ccecf4783250a274e13b89ee5

      SHA256

      5c29d3d408072b09f350c2b321301fc3e037028b606083cb279339c14dc7f14e

      SHA512

      17f752b7f9ef8c19771251eb828cc83eb181d2a645de9082be6239f52c192ec68036560bbbfe00f27218bb76776cf905c2250a1c08464ef451a1f7bccbb52c42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\484042975.exe
      Filesize

      461KB

      MD5

      8f4c27b20778e001235ec7fb5a2ba00f

      SHA1

      da1f06ae2ef6a6bffc5f3b2d4eda9f1841b14f0b

      SHA256

      202bff3f794f67f0e85ee70259bef20b94c9f812ba28c6f493d36f785a7543ef

      SHA512

      d2fee15607e40321ace2390e4749a9b516dad42b6a51ac134e252fa9657dcdba264f13884152652012c85d6aa95f520543f4e8391703aefeaf46310cd1acfb64

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YQ873003.exe
      Filesize

      638KB

      MD5

      50d8508948444a83babdf409ab2e7bce

      SHA1

      42678ecf29075859db1a0f89128cfce456b6c8d8

      SHA256

      97d1808a250a47b80753a7c4bf1dd39643de294dd0eaa771c8c5aadddd88353a

      SHA512

      62b39f0328c38dd80d84814decba04065c7ecb4d54d29715833cc6b73f482e69c892712163499b6dbef0f51dca54543b7fadc652e878ccda79479858640ba052

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\374410590.exe
      Filesize

      204KB

      MD5

      a85e1fc75da19de0fd31a7d50fc115e1

      SHA1

      d5992e275dce88a11bf36eceb726a33926a29075

      SHA256

      01f0ae074a96a1ec86c1380563fa20dd0467cfbe40ca639559bdf533fd5b232d

      SHA512

      929ff4a4f0a470d294b9bfe96e9c60b14d809b7388a62092d66e792aafc9a374d3ad23a355691d8b69574e4b1094d26d9cae186fec20db8a2858b0f6d6388586

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jK582739.exe
      Filesize

      467KB

      MD5

      a864ebc13c079cefdf0063f307ec15bf

      SHA1

      5f0148f5dc6f7b73ab4365070461fd5bf1be56b3

      SHA256

      5c98b17de59d8bcf8e882a17ef7a092bf69061273e393afbf92e9bec36f97c77

      SHA512

      783ec11419fed823d54b8aa94b91af595f20da934153276c5a0d024135c454adc90e74994edf014188af39bb48d70b0f8be023f920879f0bcdee980eba02d1e1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\123951224.exe
      Filesize

      176KB

      MD5

      6de70f4ee122c0b4c63ed6c03568e5a2

      SHA1

      f8f966b8d5c920a1f67fe67e2ba662c65f4b6d86

      SHA256

      73bf9f345cfafe3e70e2ad14bad8489db4244a222d1910bf854b3aa730005da7

      SHA512

      4d2f15fd62cdd666bb62285d5398c02d88d920ed2d2376b150f2a9acc00fb13a26ecfaeddaf4f5b4a658313840f1d1ae97ae790c795059254d6797d5c45e0c88

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\205604223.exe
      Filesize

      377KB

      MD5

      daa13aafb2b8344df87917f29b61761a

      SHA1

      66027cfc771377c97df3729a781d8bf97ba30f97

      SHA256

      d5c8b922dc31a97d1404f4421c37a836777576b0b3b25f81184d60808ba63fde

      SHA512

      b553d143a438f89610f46f8522519e7e92c2112f5bc7d1f95beca5153d59a3d6c11c970690757db2208da3b34ce65de2c3fdb1d0c6b1c65a629bdeedac0bd6bb

      Download Submit

    • memory/2772-67-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-66-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-95-0x0000000000400000-0x0000000000802000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2772-69-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-71-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-73-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-75-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-79-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-81-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-83-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-85-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-87-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-89-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-91-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-93-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-77-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2772-64-0x00000000026D0000-0x00000000026EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2772-65-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3136-34-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-54-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-31-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-32-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-56-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-36-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-38-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-40-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-42-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-44-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-46-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-48-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-50-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-52-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-30-0x00000000023B0000-0x00000000023C8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3136-58-0x00000000023B0000-0x00000000023C3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/3136-29-0x0000000004AF0000-0x0000000005094000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3136-28-0x00000000020B0000-0x00000000020CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4108-114-0x00000000028E0000-0x000000000291C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4108-115-0x0000000004E50000-0x0000000004E8A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4108-117-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4108-116-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4108-121-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4108-119-0x0000000004E50000-0x0000000004E85000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4108-908-0x0000000007930000-0x0000000007F48000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4108-909-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4108-910-0x0000000007FC0000-0x00000000080CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4108-911-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4108-912-0x0000000002500000-0x000000000254C000-memory.dmp

      Filesize

      304KB

      Download