Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-11-2024 16:32

General

  • Target

    e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe

  • Size

    642KB

  • MD5

    34074d5c5cd00ca3134915c79df914f7

  • SHA1

    ad0d8874a03e73af5f7cc10828d505157538cb22

  • SHA256

    e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff

  • SHA512

    de6950fbd3719e73a18899fdce771a6ee18852d8e310faf8e0031b7c1faec91f8b3c91c300419d94998a87862b44b89e7340cbc60ff276b8c5bd1ea24e871807

  • SSDEEP

    12288:5MrXy90nB4XJmWHWYcND6xMHZWoQ5xTj:iyHXJFHWYC0AIoCxTj

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

lodka

C2

77.91.124.156:19071

Attributes
  • auth_value

    76f99d6cc9332c02bb9728c3ba80d3a9

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe
    "C:\Users\Admin\AppData\Local\Temp\e6bbc186fed5adf0594150e939200ac62d2a5fa972eaa5bcba4da4e9c6ecf9ff.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5327032.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5327032.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6247435.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6247435.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3103241.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3103241.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4538749.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4538749.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4740
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6891470.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6891470.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:4424
            • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
              "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:3352
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:736
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2216
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1332
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "pdates.exe" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2088
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1716
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:N"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3004
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\925e7e99c5" /P "Admin:R" /E
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3336
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4022260.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4022260.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          PID:4240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1720967.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1720967.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3312
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:1428
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:2140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5327032.exe

    Filesize

    515KB

    MD5

    231df38636fb4ddc33b1b9d8bcb72d42

    SHA1

    ed4cacaa212e712ec44d68f0dc1c5d68f8e79ebf

    SHA256

    fe938fc800d31995001d7fe9fa41beee4b9a0464ab8b7e1f5871b665b8f31f2d

    SHA512

    5dec40510c180f09ce7b2b1b9ea9225c53889695861df6c62a4c5331a574aae51c104e68018493781bd6b2b88d0b168bacf3758db5d0f64f06052d5f0f604656

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1720967.exe

    Filesize

    173KB

    MD5

    a5191c43ccae6e8cfe9f533ad8f7ce42

    SHA1

    b632e78833effa836af15a1dc45912936fa31151

    SHA256

    992a2145accb7ad49ac130d78ce8c23b60266b55b08d05e6620782be41329814

    SHA512

    304d77e2702e77a6f72bf444c5c6a318c17d600e21003ba358d46a82003612ff968dd165d626bf14c8773624a45a42e95530bc1c0d46f9a09b80f0eb20485eec

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6247435.exe

    Filesize

    359KB

    MD5

    faee10de9f3bacf52e9002e4089e6043

    SHA1

    c382fcccda46a162700ceba9362ae4bcee205701

    SHA256

    8f1777fb850c600a3f599a34647b6b4b9c7ff04f195f4596e763ec669d23ae2f

    SHA512

    d2e80bcda958763a2568fd9a5e636829e5bc8408b550642456ad39f1bd15549fcb1b21b3c93d26522710a26ec5f8ee07e365786e4702b1d2d9d389cab1483851

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4022260.exe

    Filesize

    38KB

    MD5

    b937898cfb9877bf2169044fd115d2fc

    SHA1

    e520d0f8d5f19e4f762b31aa553ad3b6786d1f6f

    SHA256

    a39c60fcf5263ad90eff1f2808e79d650e786d006b1d6c5f061a1870b9a13533

    SHA512

    72365d13f79f93808247c24c2cf0bc33fbde74f1c5c7f2b1b675f555eeb2d139ff689289a12035a2180b8b1cb2472b9ae215e3ab714d0e8093693c3796a9703d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3103241.exe

    Filesize

    234KB

    MD5

    6cdee1ab93cf033e99f91966ca74baee

    SHA1

    18968d9f904a1ea43671f54bdbb93d369abe6ebd

    SHA256

    1382ea724d392de396a147de055f68da2f088e2f3de6f9010ffafac20060233d

    SHA512

    f87dadf2cc48432bb2c4361d2d0b66099268aa071a4a0150048ad3ae2ee393eab19bc19ad031b837e069f15d862db10a2f458326ede567ab891c15c7aaba8ccd

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4538749.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6891470.exe

    Filesize

    229KB

    MD5

    2fd0a8cd3ac2549ad54614373e534ce2

    SHA1

    f7f1c9928e85f740d855a533375c5d1e5ffea0a0

    SHA256

    eb4d6321c7b83200cfb2dce848cc957d5570540a0ac7316a80651191d29eee4f

    SHA512

    9d7903f6695aa902558251d4f1d221691208c889c9972d68ef3f4cf66c1fe74ed971090bbf6814f9cb6ce161af47de108cdcbd19a8864d051b210deebbaed70d

  • memory/3312-53-0x000000000A2E0000-0x000000000A3EA000-memory.dmp

    Filesize

    1.0MB

  • memory/3312-50-0x0000000000460000-0x0000000000490000-memory.dmp

    Filesize

    192KB

  • memory/3312-51-0x0000000000D60000-0x0000000000D66000-memory.dmp

    Filesize

    24KB

  • memory/3312-52-0x000000000A7B0000-0x000000000ADC8000-memory.dmp

    Filesize

    6.1MB

  • memory/3312-54-0x000000000A210000-0x000000000A222000-memory.dmp

    Filesize

    72KB

  • memory/3312-55-0x000000000A270000-0x000000000A2AC000-memory.dmp

    Filesize

    240KB

  • memory/3312-56-0x00000000047B0000-0x00000000047FC000-memory.dmp

    Filesize

    304KB

  • memory/4240-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4740-28-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB