Analysis
max time kernel: 148s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/11/2024, 03:23
Static task: static1
General
Target: dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe
Size: 582KB
MD5: c1f663969ee7a12775118aa6718a9025
SHA1: 9d73232019d3742a2ca39cdc98f53ebdf40e00ac
SHA256: dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16
SHA512: 191286a8e2f357069b7f0521a95652d14831554403cbe0d9f6e6356803c2149486cfe929df175febe4d05d2858e23ba4a1b08413d10fb9cad277b3466fbad399
SSDEEP: 12288:9y90Mb4hkRNribGjpXIROqZuHDCGszjSwWz1fp:9yIh/SjpXphjCRjSvfp
Malware Config
Extracted
Family: amadey
Version: 3.80
Botnet: 9c0adb
C2: http://193.3.19.154
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: 23b27c80db2465a8e1dc15491b69b82f
url_paths: /store/games/index.php
Signatures

Amadey family

Detects Healer, an antivirus disabler dropper (17 IoCs)
resource | yara_rule
behavioral1/memory/4728-15-0x0000000002250000-0x000000000226A000-memory.dmp | healer
behavioral1/memory/4728-18-0x00000000024F0000-0x0000000002508000-memory.dmp | healer
behavioral1/memory/4728-22-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-44-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-42-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-41-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-38-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-46-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-20-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-19-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-36-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-34-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-32-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-30-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-28-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-26-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
behavioral1/memory/4728-24-0x00000000024F0000-0x0000000002503000-memory.dmp | healer
Healer family

Modifies Windows Defender Real-time Protection settings (11 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 258197172.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 258197172.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 258197172.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 258197172.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 258197172.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | 360635826.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | oneetx.exe
Executes dropped EXE (7 IoCs)
pid | Process
644 | eH521242.exe
4728 | 181183091.exe
212 | 258197172.exe
2508 | 360635826.exe
1052 | oneetx.exe
3092 | oneetx.exe
4728 | oneetx.exe

Windows security modification (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 181183091.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 258197172.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | eH521242.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
928 | 212 | WerFault.exe | 93
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 258197172.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 181183091.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | oneetx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eH521242.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 360635826.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5096 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4728 | 181183091.exe
4728 | 181183091.exe
212 | 258197172.exe
212 | 258197172.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4728 | 181183091.exe
Token: SeDebugPrivilege | 212 | 258197172.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2508 | 360635826.exe

Suspicious use of WriteProcessMemory (39 IoCs)
description | pid | Process | procid_target
PID 4768 wrote to memory of 644 | 4768 | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe | 83
PID 4768 wrote to memory of 644 | 4768 | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe | 83
PID 4768 wrote to memory of 644 | 4768 | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe | 83
PID 644 wrote to memory of 4728 | 644 | eH521242.exe | 84
PID 644 wrote to memory of 4728 | 644 | eH521242.exe | 84
PID 644 wrote to memory of 4728 | 644 | eH521242.exe | 84
PID 644 wrote to memory of 212 | 644 | eH521242.exe | 93
PID 644 wrote to memory of 212 | 644 | eH521242.exe | 93
PID 644 wrote to memory of 212 | 644 | eH521242.exe | 93
PID 4768 wrote to memory of 2508 | 4768 | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe | 98
PID 4768 wrote to memory of 2508 | 4768 | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe | 98
PID 4768 wrote to memory of 2508 | 4768 | dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe | 98
PID 2508 wrote to memory of 1052 | 2508 | 360635826.exe | 99
PID 2508 wrote to memory of 1052 | 2508 | 360635826.exe | 99
PID 2508 wrote to memory of 1052 | 2508 | 360635826.exe | 99
PID 1052 wrote to memory of 5096 | 1052 | oneetx.exe | 100
PID 1052 wrote to memory of 5096 | 1052 | oneetx.exe | 100
PID 1052 wrote to memory of 5096 | 1052 | oneetx.exe | 100
PID 1052 wrote to memory of 1280 | 1052 | oneetx.exe | 102
PID 1052 wrote to memory of 1280 | 1052 | oneetx.exe | 102
PID 1052 wrote to memory of 1280 | 1052 | oneetx.exe | 102
PID 1280 wrote to memory of 1756 | 1280 | cmd.exe | 104
PID 1280 wrote to memory of 1756 | 1280 | cmd.exe | 104
PID 1280 wrote to memory of 1756 | 1280 | cmd.exe | 104
PID 1280 wrote to memory of 3924 | 1280 | cmd.exe | 105
PID 1280 wrote to memory of 3924 | 1280 | cmd.exe | 105
PID 1280 wrote to memory of 3924 | 1280 | cmd.exe | 105
PID 1280 wrote to memory of 2740 | 1280 | cmd.exe | 106
PID 1280 wrote to memory of 2740 | 1280 | cmd.exe | 106
PID 1280 wrote to memory of 2740 | 1280 | cmd.exe | 106
PID 1280 wrote to memory of 232 | 1280 | cmd.exe | 107
PID 1280 wrote to memory of 232 | 1280 | cmd.exe | 107
PID 1280 wrote to memory of 232 | 1280 | cmd.exe | 107
PID 1280 wrote to memory of 984 | 1280 | cmd.exe | 108
PID 1280 wrote to memory of 984 | 1280 | cmd.exe | 108
PID 1280 wrote to memory of 984 | 1280 | cmd.exe | 108
PID 1280 wrote to memory of 1872 | 1280 | cmd.exe | 109
PID 1280 wrote to memory of 1872 | 1280 | cmd.exe | 109
PID 1280 wrote to memory of 1872 | 1280 | cmd.exe | 109
Processes

C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dbaadcd406e143a9098ca0ec153676dc559fc119da980ee5c3394d9b388abe16.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4768

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eH521242.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 644

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\181183091.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4728

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258197172.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 212

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 1080
        - Program crash
        PID: 928

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\360635826.exe
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2508

    C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1052

      C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 5096

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1280

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          - System Location Discovery: System Language Discovery
          PID: 1756

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "oneetx.exe" /P "Admin:N"
          - System Location Discovery: System Language Discovery
          PID: 3924

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "oneetx.exe" /P "Admin:R" /E
          - System Location Discovery: System Language Discovery
          PID: 2740

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          - System Location Discovery: System Language Discovery
          PID: 232

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
          - System Location Discovery: System Language Discovery
          PID: 984

        C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
          - System Location Discovery: System Language Discovery
          PID: 1872

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
  PID: 3196

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
  PID: 3092

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  - Executes dropped EXE
  PID: 4728
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

Filesize: 204KB
MD5: 1304f384653e08ae497008ff13498608
SHA1: d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA256: 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA512: 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

Filesize: 410KB
MD5: f10f95d3c7c49e83bac3b952d6e7f751
SHA1: 75f0709ab610d28dcf25588f04da50aee809193c
SHA256: 40bdbaec8f615fd9104ac3806c04771dad51e09ffe28094e12d5b37010828594
SHA512: edcf5d5c595727524aaead9dd08ac6e10db35da062da05b2d910dcb7ec8851cc2d03e65d93977bdd094f4b1d5e10051644cd73d868dfe19df5870b5771f4df67

Filesize: 175KB
MD5: 3d10b67208452d7a91d7bd7066067676
SHA1: e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA256: 5c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512: b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df

Filesize: 263KB
MD5: 3e1ea58c2982e65c58b171d455bbf3a0
SHA1: 3a0114724522bdfe707da54708cc709417da2845
SHA256: 7e88add95114c88251940e8537fcf0a3fb1e9cbe001bcf35b2fab98553c5dc7e
SHA512: 1ef5a48c8bee768b97cb5a9f7497c6f0bb5d80af82f2b4f0a3ce27ff782db8daa71297137a09324f1e81e6c83e850c33e1b764aecab975aa90531324dd55ea56