Overview

overview

10

Static

static

3

297a2ead63...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 00:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    297a2ead631792e1f2e0eac675e95924a999ed5d837cc4a8f19734a80871514b.exe

  • Size

    1.1MB

  • MD5

    e5df08d565529d220a36d0ec9b30654a

  • SHA1

    011d9f6e3412cd923ebc917498548b369e72c6cf

  • SHA256

    297a2ead631792e1f2e0eac675e95924a999ed5d837cc4a8f19734a80871514b

  • SHA512

    642925ef265cd87e7ae8bafefcaaf561b2e063f5df8d23d13ea4f935b163aa59b68bfb54f2cd052734970c48da1a43378cf90b5f696a066c65173a8d5b99c3c3

  • SSDEEP

    24576:6y1UTCwhrn2uP80HSzOBl+47xY32d5rl4d55KsYhss:B+TCmBPbHS6b+4dYej4des

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\297a2ead631792e1f2e0eac675e95924a999ed5d837cc4a8f19734a80871514b.exe
    "C:\Users\Admin\AppData\Local\Temp\297a2ead631792e1f2e0eac675e95924a999ed5d837cc4a8f19734a80871514b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nc030008.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nc030008.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dh031331.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dh031331.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo037418.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo037418.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4772
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125571055.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125571055.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202170387.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202170387.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3408
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 1084
              6⤵
              • Program crash
              PID:1884
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\386248157.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\386248157.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3080
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4092
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4068
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1892
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4424
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3092
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3404
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4532
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\464986580.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\464986580.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3408 -ip 3408
    1⤵
      PID:4664
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3148
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:2564
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5644

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nc030008.exe
      Filesize

      930KB

      MD5

      d0efa49756f95c01ee00c8348243e61c

      SHA1

      9d3789cc9be6622647cc2a65a6e843e91dfacbeb

      SHA256

      c304c8719139df6b32f3ebf8c92b3662367d1d75cbeb73e4f82fc3dcb0b59181

      SHA512

      81d65d746ac340ea1830218467b18a7df6adc1b04f2a4706d870b066e2528be3dac7a2f2afb56d670e74b0a71ea8770b6015145d7b3b1b328adfad0ce54fc2b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\464986580.exe
      Filesize

      340KB

      MD5

      41a372b0f0d5072c7b2b22a27e064797

      SHA1

      ec043229ed762edb46e7da35acad768e90836f9a

      SHA256

      817345d04c0e77bdbbda80976ca2b599b92916e79b96e0481b7c41c2a9cad642

      SHA512

      f97d347bab943a347b9dacb3e9073156205de99e62a85716ce5b1296801e17c5f5a5d70df0cc3db8a90acdf26b5ffb1216523f25bce94b512a6232a9f91fd6cf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dh031331.exe
      Filesize

      578KB

      MD5

      aa527e10d7dcc8ae337bec2de0cb0e0c

      SHA1

      930830fe1f17b6750b4cc322d4bc4cc3dee351b1

      SHA256

      afc73b99541a4c79b1f91b05f482f646b67c3ec388474606f2741e3c13f1ea4d

      SHA512

      0e2073201d8d594d67e3486633a16fa4e2af063e8ee77f72029203b224b52fcfdec8682c060411e0fbd147d5dc6e7d46b880c0f6b494690572f0724de0208bb5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\386248157.exe
      Filesize

      204KB

      MD5

      1304f384653e08ae497008ff13498608

      SHA1

      d9a76ed63d74d4217c5027757cb9a7a0d0093080

      SHA256

      2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

      SHA512

      4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Wo037418.exe
      Filesize

      406KB

      MD5

      8298a90704346fa3a1e4c128eb5c8763

      SHA1

      af17b3bab5ca590c46d11385296f9fd2ccae481d

      SHA256

      7053a1a85f072797de0066de9ba1f0e9aa55c40a9082ba8062be79d3041e5c2f

      SHA512

      1d4dd21a4ff7e5bd6f942989453e6d8eeb572b873bba7f24a9c8fc3edd70ca90ebde8601ee82205460f1ea71ff782d684b367170c03c61ac1ff6859cebafa86a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\125571055.exe
      Filesize

      176KB

      MD5

      2b71f4b18ac8214a2bff547b6ce2f64f

      SHA1

      b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5

      SHA256

      f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc

      SHA512

      33518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\202170387.exe
      Filesize

      258KB

      MD5

      16c60a53e9517b8b804c08a44a37b234

      SHA1

      87b8bb9ce4b8968a7934354d2ea97d2f09ca03fd

      SHA256

      39547304c27aa86fac6e707cf6eefce647fd11eab220c2059dc4012060201b91

      SHA512

      4ca69f308c7cc2d21766da6e62d18166c5a5b97fceeb6dcb4486263c9e38aa486532f62fcce374e882670308e10331cf20cccb8f70f0a4f5f6b3f1443af52ddf

      Download Submit

    • memory/2520-36-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-30-0x0000000002540000-0x0000000002558000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2520-54-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-52-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-50-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-46-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-58-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-44-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-42-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-40-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-38-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-48-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-34-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-32-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-31-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-56-0x0000000002540000-0x0000000002553000-memory.dmp

      Filesize

      76KB

      Download

    • memory/2520-28-0x00000000023B0000-0x00000000023CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2520-29-0x0000000004B20000-0x00000000050C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3408-93-0x0000000000400000-0x0000000002B9B000-memory.dmp

      Filesize

      39.6MB

      Download

    • memory/5068-112-0x0000000004BB0000-0x0000000004BEC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5068-113-0x0000000007740000-0x000000000777A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/5068-119-0x0000000007740000-0x0000000007775000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5068-117-0x0000000007740000-0x0000000007775000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5068-115-0x0000000007740000-0x0000000007775000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5068-114-0x0000000007740000-0x0000000007775000-memory.dmp

      Filesize

      212KB

      Download

    • memory/5068-906-0x000000000A290000-0x000000000A8A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/5068-907-0x0000000009D10000-0x0000000009D22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/5068-908-0x0000000009D30000-0x0000000009E3A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/5068-909-0x0000000009E50000-0x0000000009E8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5068-910-0x0000000004B20000-0x0000000004B6C000-memory.dmp

      Filesize

      304KB

      Download