Analysis

  • max time kernel: 148s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 11-11-2024 01:47

General

  • Target: e5f22154ac46e09641ab21ba96c1055143f1fed824007812d712f65eb4ecf60e.exe
  • Size: 1.1MB
  • MD5: e99d5e7b1e5e00cfa3cfda138bd73f6b
  • SHA1: 9e1a60007ebb0b1494f22762f050382c4e468bcd
  • SHA256: e5f22154ac46e09641ab21ba96c1055143f1fed824007812d712f65eb4ecf60e
  • SHA512: bef12945df55b53419816affec6c85584985619c568d3556f88251c4671d3be19c5e7a03833de5ae897d4bd05f00581a13b58aa26c05ea078a62b652de89c100
  • SSDEEP: 24576:eyJ+k70x3fVPfsHroBCGFt4WHQEhzoDkB5OCbljWwqcdT8v8BP7PC:tJ+k4Vf1f+roBRXzHvR1B5O4JWTcdT8q

Malware Config

Extracted

  • Family: amadey
  • Version: 3.80
  • Botnet: 9c0adb
  • C2: http://193.3.19.154

Attributes
  • install_dir: cb7ae701b3
  • install_file: oneetx.exe
  • strings_key: 23b27c80db2465a8e1dc15491b69b82f
  • url_paths: /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Amadey family
  • Detects Healer, an antivirus disabler dropper 17 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 6 IoCs
  • Redline family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e5f22154ac46e09641ab21ba96c1055143f1fed824007812d712f65eb4ecf60e.exe
    "C:\Users\Admin\AppData\Local\Temp\e5f22154ac46e09641ab21ba96c1055143f1fed824007812d712f65eb4ecf60e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dn544190.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dn544190.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie541369.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie541369.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RJ535990.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RJ535990.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4044
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\151649203.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\151649203.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282499955.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282499955.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1088
              6⤵
              • Program crash
              PID:4912
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\345977315.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\345977315.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4768
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1504
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2364
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2192
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2068
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4972
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1872
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4124
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3920
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\414510610.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\414510610.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1052 -ip 1052
    1⤵
    PID:1416
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:2684
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:1552


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dn544190.exe
      Filesize: 940KB
      MD5: 2b6a12eabdb825db00b3f9d4ebb4e164
      SHA1: 0ea67859bc9d890e529e7c589678ff2df49d5b7b
      SHA256: ffabb141964f1ac6c61e7e944ba3b23b21de03c251b51740542d9c4056422424
      SHA512: 7811f051cbf754f0ed1a67fca56ee6f99f67f6fee92528d445ba3c552c7b8a8fa59fa9a386b4c18d8b35475649e5c487ea2bff85dbdf2f9e18086f219eb16d6d

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\414510610.exe
      Filesize: 341KB
      MD5: 870e5f5d90747f49d66f840c564b068d
      SHA1: ae6b926a5fb45e4c2f4c59ee5bcbab5a709a8646
      SHA256: d71d54a969c58ea9dd125d6cf4580e3c2c0c452365b14c8abf531bf3275d9824
      SHA512: 9b65ff2793715d621896c18c48f54f8889bded74813546d483128f231d8c1c0433fa93ff015041241fc31c899af916abd396bfa9cb4a754743c61333e4e4fb96

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ie541369.exe
      Filesize: 586KB
      MD5: 0b03bf13bd3481d76e11a2138880f5f4
      SHA1: eb29e38534f0533d09158a170414229b46296811
      SHA256: 236989a3af8ad7a742140649653cb181f50422a5a9fa39ca7f5f8447119642aa
      SHA512: d4712592cb738a0342dc418a3147171c9a6ea03ebf4a1b60ab7726f2d1a298d444e71dfde252aa7109b5e90b0da5f159578c0c638149671d884b497a2290d89f

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\345977315.exe
      Filesize: 204KB
      MD5: 1304f384653e08ae497008ff13498608
      SHA1: d9a76ed63d74d4217c5027757cb9a7a0d0093080
      SHA256: 2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
      SHA512: 4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RJ535990.exe
      Filesize: 414KB
      MD5: 31fc87427633c3faba23a8d07e6d762b
      SHA1: 32bcd134703ac1642975800db488da4c9c3f33b5
      SHA256: e19b0e88ea5e96cba2df9574de6b89864c882b5822729ddf2db561b28f74f7b8
      SHA512: 09366bbded06386adcff7765181f71039e84a0afe207d4090e3f1ff9b1ebb90b167e2067993caa57afd3cf6d551b9953aff31f77fdeb68d60fbd9b0adf8632d7

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\151649203.exe
      Filesize: 175KB
      MD5: a165b5f6b0a4bdf808b71de57bf9347d
      SHA1: 39a7b301e819e386c162a47e046fa384bb5ab437
      SHA256: 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
      SHA512: 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\282499955.exe
      Filesize: 259KB
      MD5: fb1e221d776821e7e1c7bff4cb0b353d
      SHA1: 4821c7881b01cc432cf11747d608a9f281c11ec5
      SHA256: 82149b98d3ac91c16dc48c80bbfb0b52c48f21ea74556111048391a2b7faf287
      SHA512: f31650e377823999b19cce2516f647e5fd2a5c6609b634cfde84ae9b901ff62c602f4d3844d16da4fa7933869e73a5301f1c675562006238a5ac8f1e021584b1

    • memory/1052-94-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
    • memory/1052-92-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize: 340KB)
    • memory/2064-38-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-30-0x0000000002530000-0x0000000002548000-memory.dmp (Filesize: 96KB)
    • memory/2064-52-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-51-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-48-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-46-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-44-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-42-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-40-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-56-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-34-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-32-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-31-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-58-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-36-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-54-0x0000000002530000-0x0000000002543000-memory.dmp (Filesize: 76KB)
    • memory/2064-29-0x0000000004C00000-0x00000000051A4000-memory.dmp (Filesize: 5.6MB)
    • memory/2064-28-0x0000000002300000-0x000000000231A000-memory.dmp (Filesize: 104KB)
    • memory/3068-112-0x0000000002580000-0x00000000025BC000-memory.dmp (Filesize: 240KB)
    • memory/3068-113-0x0000000002610000-0x000000000264A000-memory.dmp (Filesize: 232KB)
    • memory/3068-119-0x0000000002610000-0x0000000002645000-memory.dmp (Filesize: 212KB)
    • memory/3068-117-0x0000000002610000-0x0000000002645000-memory.dmp (Filesize: 212KB)
    • memory/3068-115-0x0000000002610000-0x0000000002645000-memory.dmp (Filesize: 212KB)
    • memory/3068-114-0x0000000002610000-0x0000000002645000-memory.dmp (Filesize: 212KB)
    • memory/3068-906-0x0000000007530000-0x0000000007B48000-memory.dmp (Filesize: 6.1MB)
    • memory/3068-907-0x0000000007BF0000-0x0000000007C02000-memory.dmp (Filesize: 72KB)
    • memory/3068-908-0x0000000007C10000-0x0000000007D1A000-memory.dmp (Filesize: 1.0MB)
    • memory/3068-909-0x0000000007D30000-0x0000000007D6C000-memory.dmp (Filesize: 240KB)
    • memory/3068-910-0x00000000023D0000-0x000000000241C000-memory.dmp (Filesize: 304KB)