Overview

overview

10

Static

static

3

7d92590f73...1e.exe

windows10-ltsc 2021-x64

10

Resubmissions

06-01-2025 07:36

250106-jfgqzssphq 10

10-11-2024 20:22

241110-y5rd2sthpk 10

10-11-2024 20:19

241110-y34xcstmfz 10

Analysis

  • max time kernel
    37s
  • max time network
    42s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-11-2024 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7d92590f737289782fe5b7ede951364751df3a2247020cbae34310b82da9571e.exe

  • Size

    726KB

  • MD5

    fdd2f331e1db9a18195c1f0526a7cfee

  • SHA1

    392566b780e71f753143b23d6f5605bca3c5b17c

  • SHA256

    7d92590f737289782fe5b7ede951364751df3a2247020cbae34310b82da9571e

  • SHA512

    29d7190b85cf43450609e862b6bfa4aca329a8d71167e4884d58b5c9aaa3bcf769f759f12cd6a7eef23baa216319c375886dafc8af93548deeaf699a2c4c173c

  • SSDEEP

    12288:Zy90+68F8orpSTIGB/42kKYteK6AFhgye2sVyrDG+KMHiKUFFwlFat3:ZytNVru+JtfUysYOvpFFUS3

Score
10/10
amadeyhealer9c0adbdiscoverydropperevasionpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d92590f737289782fe5b7ede951364751df3a2247020cbae34310b82da9571e.exe
    "C:\Users\Admin\AppData\Local\Temp\7d92590f737289782fe5b7ede951364751df3a2247020cbae34310b82da9571e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oB572042.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oB572042.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a75386788.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a75386788.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2424
        • C:\Windows\Temp\1.exe
          "C:\Windows\Temp\1.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b98473584.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b98473584.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5968
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 1212
          4⤵
          • Program crash
          PID:5380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c73513741.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c73513741.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4296
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5360
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5668
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "oneetx.exe" /P "Admin:N"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5720
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "oneetx.exe" /P "Admin:R" /E
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5772
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2808
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "..\cb7ae701b3" /P "Admin:N"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3184
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "..\cb7ae701b3" /P "Admin:R" /E
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4304
  • C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\GrantNew.ps1"
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5968 -ip 5968
    1⤵
      PID:5272
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
      1⤵
      • Executes dropped EXE
      PID:3548

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c73513741.exe
      Filesize

      205KB

      MD5

      c0f3e16b7835c3509e02f2b10e4842a7

      SHA1

      7554fdbafc2a8cfce6e0da1f374051eef7ec20f3

      SHA256

      bd1ec029ee262347fa00d8ba373f5b98ff8065fc5f9c72a6c2af1ed8226376bf

      SHA512

      12f7f49a81b948cba6db65a52cf612c66e7699a9583f583880a5a24c437ee747e4ad8cef1f6b0a48f24bd2f3bc3209969cd1713ba2f33a6044a95ea3d97a0845

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oB572042.exe
      Filesize

      554KB

      MD5

      0ac2f085f095d5221f17cf86abf74f74

      SHA1

      a99be0095b942f1b7814a37dc4450bf7028ba3ad

      SHA256

      b1e2514af449153b55cdd4e173e164ddf62cf7a4fdf7b9af37933c47b7057d49

      SHA512

      ee6e5578b43f1a97f9475be52c35edf007ef5f8c82b0c29b53063ed90207f3b90bdf7477209a04f42af5523504fa69a864d63614a03c67be26d03ad21f798c3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a75386788.exe
      Filesize

      303KB

      MD5

      f4c9d997b5b571231598486e0dbdc13f

      SHA1

      87d70445606133aa26664d2f20260a134a7701f9

      SHA256

      99c9e0c9c5e0054d51960c56da7003d4f3003bf7279d1d253883bf5d52ef0003

      SHA512

      4ffed8141409ab592fdc3fc67d9ccd275f810dd137342cfd12a8efa7d11787c243f5158824ee386ee3a37c4d2a6ab0212d04b6221cd7b54b4990749dc2dadf17

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b98473584.exe
      Filesize

      391KB

      MD5

      d7da11dd2fddb539d8700e738f0f6be1

      SHA1

      933a977bf4b614576f16bdd0e2e6716f87eb02c1

      SHA256

      9287230cd4ec5e44c5426fb2f778558677818a58e480bdf41326aaac2e3990ef

      SHA512

      63abf9ebdfbe777a92e931c9fd9e4b3bbbb803166ceab2f59efeaab45a5ada2cbfc38b8d781597aaaf5e4caebfea869fc31a0ae92268eff1cbd2532cbf600e90

      Download Submit

    • C:\Windows\Temp\1.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • memory/1920-2166-0x00000000000D0000-0x00000000000DA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2424-14-0x000000007411E000-0x000000007411F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-15-0x0000000004990000-0x00000000049E8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2424-16-0x0000000074110000-0x00000000748C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2424-17-0x0000000074110000-0x00000000748C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2424-18-0x0000000074110000-0x00000000748C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2424-19-0x0000000004B70000-0x0000000005116000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2424-20-0x0000000005120000-0x0000000005176000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2424-40-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-84-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-82-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-81-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-78-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-76-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-74-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-72-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-70-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-68-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-66-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-64-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-62-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-58-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-56-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-54-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-52-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-50-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-48-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-46-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-44-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-42-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-38-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-36-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-34-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-32-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-30-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-60-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-28-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-26-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-24-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-22-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-21-0x0000000005120000-0x0000000005171000-memory.dmp

      Filesize

      324KB

      Download

    • memory/2424-2149-0x0000000005420000-0x000000000542A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2424-2151-0x0000000074110000-0x00000000748C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2424-2167-0x0000000074110000-0x00000000748C1000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5968-2172-0x00000000028D0000-0x00000000028EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/5968-2173-0x0000000004DA0000-0x0000000004DB8000-memory.dmp

      Filesize

      96KB

      Download