Overview

overview

10

Static

static

3

2fd2c62c22...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2fd2c62c2216ed4d10cfd7f457b8e00e54ba6c609188b943dce981d32a163523.exe

  • Size

    1.2MB

  • MD5

    c67ca591c5a4c0f24c3eb4f692731d63

  • SHA1

    afdca9c96b641e5204c1097568c60c17f33215b6

  • SHA256

    2fd2c62c2216ed4d10cfd7f457b8e00e54ba6c609188b943dce981d32a163523

  • SHA512

    f6095d97cfc9c5537c74e678543a09a8137fc11397c64330113dafff7d0888e59414e921cf3d630b4596fa8dfb127dbdb3e1ba941ea8b3fb2940f900458cadf0

  • SSDEEP

    24576:eyTHAtQ94SKR0tUZRCF3RcrCvsOquxHqaC/oX1K/Mg:tTHSckR0t4CE2vYu1lN1sM

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2fd2c62c2216ed4d10cfd7f457b8e00e54ba6c609188b943dce981d32a163523.exe
    "C:\Users\Admin\AppData\Local\Temp\2fd2c62c2216ed4d10cfd7f457b8e00e54ba6c609188b943dce981d32a163523.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg251679.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg251679.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF094862.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF094862.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:628
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pt027451.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pt027451.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:852
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129952268.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129952268.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2380
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\275500857.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\275500857.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:724
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1076
              6⤵
              • Program crash
              PID:2780
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\328157629.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\328157629.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4420
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3420
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:4364
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1800
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3232
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1016
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:452
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1428
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448504094.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448504094.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 724 -ip 724
    1⤵
      PID:392
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:4724
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:5576

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gg251679.exe
      Filesize

      1.0MB

      MD5

      eeefaea9a64642b6f038033d233c29e3

      SHA1

      eb8aaecf6bef2fddc96db1e5d2ff127ae547ee82

      SHA256

      a5a0ee37b9d2e5d711711f0cee460718bd7c62c27032402c84b64fc4d4eee014

      SHA512

      bc807de5eb15572bba940faf88abcedcfe3fa9a814d334009fa2931dd6860c8a3bcf4c9290c41040685eeb11fc58bc9185ea49ba29e3000a73ef26a4599a6827

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\448504094.exe
      Filesize

      461KB

      MD5

      97a65931a81e7f937c4250251494a030

      SHA1

      2cacbe9b9c83f833cf251dc5af785cdb30755c28

      SHA256

      49ff23ca0045cfca121a8d0d1110cfd8939650223394fdef5cb95c10a45401e6

      SHA512

      140b504dc83cd2d658b77c5f7691bd90b31df88f1ef05868d009225585b32ca2f3ffae4b29c4c02dab3e07a7b62d17d2f0aa01f0eeea0be794b782bca41a306f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MF094862.exe
      Filesize

      636KB

      MD5

      a6ecebbacdf36161b021a84f7041dbd3

      SHA1

      0d4006458125087c0d99ada161040c36d4a0c729

      SHA256

      741edf6398052d81b34f32298f1eabc9e68cf5393ef185bf006078712f39ffb0

      SHA512

      1cbf322986f5b485c86854dab86ae58d3fad758797a22d7e46ef13dcb7eded49a6f3e1f759cd9a7cd2d6da127e7013c84c8e9eaef2a45c76d483dbf6b984dcac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\328157629.exe
      Filesize

      205KB

      MD5

      985b67c885ba9558e250b292633f96d7

      SHA1

      7c5b678a7ebd3366ceab93cee885aab2fd0a05b9

      SHA256

      2156a18750dc6a6f171d814ed61fb9486a0a5c606b75628ef1ab95a49664cd3d

      SHA512

      48fbcdd8e9bef3bfcdae838d517e51f4b44aac60a3a4d094ec81890891c206b0b193380a6923f3d4067c68d555213c496e90cc523ea3896301f24bc539e188e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Pt027451.exe
      Filesize

      465KB

      MD5

      0e84e5ebbf7bdd1478c5b7cd176cb8e6

      SHA1

      708b9aad210d4e40df2e27c208c65e2848756936

      SHA256

      06979f931921d907009c24c9768755f57dda3200afa599fb24703d36026b989a

      SHA512

      da10812852c7f1b353ec9dfd3a68db7a1d9bb72ebdc351f160713a978f3de939528053be382723c6861b8289345bc3c6a118aae31eb21de6f825f24a64fbc884

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\129952268.exe
      Filesize

      177KB

      MD5

      60553c73820ff2bdcd8913207509349a

      SHA1

      cb31b002db80cbb1677e27fe46310c932335a5da

      SHA256

      fd2a73cb12d4e39a1772ddc4a08d410731fd4e8cff7e2dbaa9e496f76caef4b1

      SHA512

      ca8c3e9033bf005d72e110a930dc029a2562ce642725537db7d3259dbd215440e98d787dd8fea979e8ed19b83af15670b9f32cd7f3a0240002d46f0f529ff84e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\275500857.exe
      Filesize

      377KB

      MD5

      b5af834fdd5e0763653ba85aec9c4416

      SHA1

      e0b2209a574c315d34e047ba7870186246a65e95

      SHA256

      56d1940c9710a26c53ce7fcaf00bf6492d87a5a5fbd4f67f07a9ab7a05d87c5b

      SHA512

      d3e5c6e5ffdb1570197e6852d9def56533ab594a8b53a1f2d86cb458eb2c6a1e1824e13e1a55fa8a99736cd2083be56576d32b47137931045484ea4ad4a097ff

      Download Submit

    • memory/724-67-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-89-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-78-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-79-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-81-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-83-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-85-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-87-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-75-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-92-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-93-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-71-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-66-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-95-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/724-69-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-73-0x0000000002590000-0x00000000025A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/724-64-0x0000000000DD0000-0x0000000000DEA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/724-65-0x0000000002590000-0x00000000025A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1552-114-0x0000000002600000-0x000000000263C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1552-115-0x00000000029C0000-0x00000000029FA000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1552-117-0x00000000029C0000-0x00000000029F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1552-121-0x00000000029C0000-0x00000000029F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1552-120-0x00000000029C0000-0x00000000029F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1552-116-0x00000000029C0000-0x00000000029F5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1552-908-0x00000000078E0000-0x0000000007EF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1552-909-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1552-910-0x0000000007FC0000-0x00000000080CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1552-911-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1552-912-0x00000000028F0000-0x000000000293C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2380-36-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-31-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-32-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-30-0x0000000002410000-0x0000000002428000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2380-34-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-29-0x0000000004BC0000-0x0000000005164000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2380-28-0x0000000002080000-0x000000000209A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2380-48-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-39-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-40-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-42-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-44-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-46-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-50-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-52-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-57-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-58-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2380-54-0x0000000002410000-0x0000000002423000-memory.dmp

      Filesize

      76KB

      Download