Analysis

  • max time kernel
    140s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    10-11-2024 01:44

General

  • Target

    af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe

  • Size

    1021KB

  • MD5

    2fc2b9485c01739f8735abf08505912c

  • SHA1

    57eb96ba5097799dbf46ba046c3af3bc20d201f5

  • SHA256

    af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600

  • SHA512

    5806270557fa93e5ca7b126a98be711529611b06b43065de53b44cdc11fd03885780f88c285cfa24364d0f2884d20a81082e2261695ad69cb66e04a5d0345d75

  • SSDEEP

    24576:9yBx6EEHWYKBCHDEsRozdhlpBfLmnucLx:Y76EerKBek3nBfL8L

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 19 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility used to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe
    "C:\Users\Admin\AppData\Local\Temp\af930b3b97cb07bdad46e482df7000753cbf8822861cf7d043dde2678e5c0600.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3084
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5072
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
              "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3064
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:736
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1084
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1072
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "oneetx.exe" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1396
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "oneetx.exe" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2784
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1780
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\cb7ae701b3" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2000
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\cb7ae701b3" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2752
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 240
            5⤵
            • Program crash
            PID:2400
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2312 -ip 2312
    1⤵
      PID:3568
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3344
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:2000
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:2300
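The persistence and self-protection steps visible in the tree above are the part a detection engineer wants to catch: a scheduled task that re-launches oneetx.exe every minute, a cmd.exe one-liner that uses cacls to strip the interactive user's rights on the dropped binary and its install directory and then re-adds read-only (which stops casual deletion), and an sc.exe service start. The Python below is an added example, not part of this report or of any sandbox vendor's detection logic. It runs a few heuristic rules over command lines copied from the Processes section plus one constructed benign schtasks line as a control; the rule names, the minute threshold and the USER_WRITABLE path list are my own assumptions.

```python
"""Heuristic triage of sandbox process command lines (added example).

Rule names, thresholds and the user-writable path list are assumptions,
not the sandbox's own signatures.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Directories droppers write to; a packaged installer rarely schedules its
# payload from here (assumed list, extend for your estate).
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local|Roaming)\\|\\ProgramData\\|\\Users\\Public\\",
    re.IGNORECASE,
)

# Constructed input: (pid, command line). The first five rows are copied from
# the Processes section of the report; the last row is a benign control.
PROCESS_LOG = [
    (3064, r'"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"'),
    (736, r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
          r'/TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'),
    (1084, r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"'
           r'&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"'
           r'&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'),
    (1396, r'CACLS "oneetx.exe" /P "Admin:N"'),
    (2300, r'C:\Windows\system32\sc.exe start wuauserv'),
    (4242, r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup '
           r'/TR "C:\Program Files\Backup\backup.exe"'),  # constructed benign line
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _switch_value(cmdline: str, switch: str) -> Optional[str]:
    """Value after a schtasks-style switch, quoted ("a b") or bare (MINUTE)."""
    m = re.search(rf'{re.escape(switch)}\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def check_schtasks(pid: int, cmd: str) -> Optional[Finding]:
    """High-frequency task, or task whose action lives in a user-writable path."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    schedule = (_switch_value(cmd, "/SC") or "").upper()
    modifier = int(_switch_value(cmd, "/MO") or "1")
    action = _switch_value(cmd, "/TR") or ""
    reasons = []
    if schedule == "MINUTE" and modifier <= 5:          # assumed threshold
        reasons.append(f"fires every {modifier} minute(s)")
    if USER_WRITABLE.search(action):
        reasons.append("action is in a user-writable directory")
    if not reasons:
        return None
    return Finding(pid, "schtasks_persistence", f"{action}: " + "; ".join(reasons))


def check_acl_lockdown(pid: int, cmd: str) -> Optional[Finding]:
    """cacls/icacls setting a principal to N (no access) on something."""
    m = re.search(r'\bi?cacls(?:\.exe)?\b[^&|]*?/P\s+"?([^"\s]+?):N\b', cmd, re.IGNORECASE)
    if not m:
        return None
    return Finding(pid, "acl_lockdown", f"denies {m.group(1)} all access")


def check_sc_start(pid: int, cmd: str) -> Optional[Finding]:
    """sc.exe start <service>; the report tags this as 'Launches sc.exe'."""
    m = re.match(r'^"?(?:[a-z]:\\[^"\s]*\\)?sc(?:\.exe)?"?\s+start\s+(\S+)', cmd, re.IGNORECASE)
    if not m:
        return None
    return Finding(pid, "sc_start", f"starts service {m.group(1)}")


def check_user_writable_image(pid: int, cmd: str) -> Optional[Finding]:
    """Executable launched from a directory the dropper could write to."""
    image = _image(cmd)
    if image.lower().endswith(".exe") and USER_WRITABLE.search(image):
        return Finding(pid, "exec_from_user_writable", image)
    return None


RULES = (check_schtasks, check_acl_lockdown, check_sc_start, check_user_writable_image)


def triage(log):
    """Apply every rule to every command line; return findings sorted by pid."""
    findings = [f for pid, cmd in log for rule in RULES if (f := rule(pid, cmd))]
    return sorted(findings, key=lambda f: (f.pid, f.rule))


if __name__ == "__main__":
    for f in triage(PROCESS_LOG):
        print(f"pid {f.pid:<5} {f.rule:<24} {f.detail}")
```

Run against the report's lines this yields five findings (PIDs 736, 1084, 1396, 2300 and 3064) and nothing for the benign daily task, which is the split you want before wiring the rules into a SIEM over Sysmon event 1 or EDR process-creation telemetry. The parent cmd.exe and the child cacls.exe both trip acl_lockdown, so dedupe on the file path if you only want one alert per chain.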

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki827564.exe

      Filesize

      658KB

      MD5

      9a3422d1de526c4443427574a7f204cc

      SHA1

      e4136974c42ad2f118abd45aa2c33ec558cd95f3

      SHA256

      cc9f6a95d91a91f1ddaa776a10449e67616cccf70d992616f31f48a4c397f8cb

      SHA512

      94396e140f74f5bc5fd22a485d64757eeea253ac3fcb0d9fed55aa450d75940aed26592401ec09a2e4f39ce3e31ed3e08c3cb803e0f44dbfb194debb0e4923b3

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ft521733.exe

      Filesize

      136KB

      MD5

      fe0bc4d1c8ecc23179c4bd4acd72942c

      SHA1

      b31181d30dee3416b562daed2bc558e2cbad7139

      SHA256

      fe7719c0d2688d99f6791f933c4ba149ad1edfe11e8b331e4cd2464f9a35f717

      SHA512

      e2b11c71e9958b3bfa923e67ec8e4518d98c0004a89e4aff344c7fbe0fbd47f8d870aa64d1e13b2994ef3f43d3709099892162ad3ad825ca49a46ce48b4b182b

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki394480.exe

      Filesize

      503KB

      MD5

      306979b7cc1b7b42489f3c4297615fcb

      SHA1

      a87a36cf9a4c3f7976f9f2c9bd12df826974c4b9

      SHA256

      a8e1fe4973b61e3190128fa35d7b9ae57baf130a785837208fef9ecc73e69380

      SHA512

      0e4610d057a16e7dc918a846627a84fb5f762df29c25a21520d9a090277901bcd766a34e255f4350ac444d294a8c91c01bf6e2029eea2d122eab0f57d1e7daf7

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cf074053.exe

      Filesize

      299KB

      MD5

      63a3b1a520594e3eed2a3b35561f04ca

      SHA1

      bf5afb1b4a3000392e7739f64d986ebba471de50

      SHA256

      2b38ca9762b6627743a2d7965a382f8d3ec57b897acb27cb44f34da73a43f555

      SHA512

      b1ef1a28d27d214ea9a0180258d973f7b56ec746f0067d921bade2bc58be1e559071880de4a1ecf7e8ccc2c7b8da27e5fe17ded902c28d6e8fd55d885adc4e9b

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki956587.exe

      Filesize

      223KB

      MD5

      2a2fad583afa734a9699073547e49348

      SHA1

      1ebe3a7a69210fe0ac39d5c22603fd2b53398aa7

      SHA256

      67363e7e9e9edcc47b9d13d0374674880ecc6b1cca783af14fb967fbe0b56b9b

      SHA512

      9feb57d2e3355eec0f9b8c7aa3778825dd18665273bae2cc99a9b2d95e0939dc003226ccb1c8ae71a2fa4f00bad8fac55dffec96be7253c5627b691b4a78e7a0

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az477708.exe

      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu376061.exe

      Filesize

      204KB

      MD5

      1304f384653e08ae497008ff13498608

      SHA1

      d9a76ed63d74d4217c5027757cb9a7a0d0093080

      SHA256

      2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

      SHA512

      4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

    • memory/1368-88-0x0000000007700000-0x000000000773C000-memory.dmp

      Filesize

      240KB

    • memory/1368-87-0x00000000077D0000-0x00000000078DA000-memory.dmp

      Filesize

      1.0MB

    • memory/1368-86-0x0000000007660000-0x0000000007672000-memory.dmp

      Filesize

      72KB

    • memory/1368-85-0x0000000007C20000-0x0000000008238000-memory.dmp

      Filesize

      6.1MB

    • memory/1368-84-0x0000000000940000-0x0000000000968000-memory.dmp

      Filesize

      160KB

    • memory/1368-89-0x00000000029F0000-0x0000000002A3C000-memory.dmp

      Filesize

      304KB

    • memory/2312-69-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-51-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-71-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-75-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-68-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-65-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-63-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-61-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-57-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-55-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-53-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-74-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-78-0x0000000000400000-0x0000000002BB5000-memory.dmp

      Filesize

      39.7MB

    • memory/2312-77-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-59-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-50-0x0000000007160000-0x0000000007172000-memory.dmp

      Filesize

      72KB

    • memory/2312-49-0x0000000007160000-0x0000000007178000-memory.dmp

      Filesize

      96KB

    • memory/2312-48-0x0000000007210000-0x00000000077B4000-memory.dmp

      Filesize

      5.6MB

    • memory/2312-80-0x0000000000400000-0x0000000002BB5000-memory.dmp

      Filesize

      39.7MB

    • memory/2312-47-0x0000000004B70000-0x0000000004B8A000-memory.dmp

      Filesize

      104KB

    • memory/5072-28-0x0000000000050000-0x000000000005A000-memory.dmp

      Filesize

      40KB