Overview

overview

10

Static

static

3

d659831f7d...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d659831f7d1e576995ff9251550ac1ca201bfa2aa17f96644ff3a7a9d919671f.exe

  • Size

    1.1MB

  • MD5

    28cb4c440a52207cf0135da5c110ca2a

  • SHA1

    d934ad7149ce469ea23bde108b09ba2a4a861df8

  • SHA256

    d659831f7d1e576995ff9251550ac1ca201bfa2aa17f96644ff3a7a9d919671f

  • SHA512

    be4d4ae2f720af348db25e7bcb7b959946cdade17b2ff635527bdb44177282c63ff5eb9c2c2e97cca64fa03b27f4bcebbff52fd6ab126d0210b52dfc3bd71640

  • SSDEEP

    24576:8y0toY5J3SbTvXyuYRyPdJG/wvL/DBhARUfbcvmhW2PwZ7qNfpjS:r0t158fCuY0PdDvbUi0L/pqRp

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d659831f7d1e576995ff9251550ac1ca201bfa2aa17f96644ff3a7a9d919671f.exe
    "C:\Users\Admin\AppData\Local\Temp\d659831f7d1e576995ff9251550ac1ca201bfa2aa17f96644ff3a7a9d919671f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2108
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eg208101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eg208101.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4088
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uf524755.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uf524755.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4868
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Au101175.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Au101175.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\174474396.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\174474396.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4804
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\207198573.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\207198573.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3676
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1084
              6⤵
              • Program crash
              PID:4936
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323628542.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323628542.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3256
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:468
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2844
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3904
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3188
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1384
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3624
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2540
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443907751.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443907751.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3676 -ip 3676
    1⤵
      PID:3048
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:2908
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3128

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Eg208101.exe
      Filesize

      994KB

      MD5

      d53969ca86ee234aefeea99a4381864e

      SHA1

      daab016d5da4a296672850adb8a90ddfa8676d32

      SHA256

      c25a38f9f58cf487b7c00c078ca7277f03bbc5a6fcd5e2915865c38e5fa015e2

      SHA512

      501467e621402f309cfb15a936e071b5cf908c2707015fccb9f4515a6405106c2daa9e98a6a32e7ba499705938f88aca7d711b9dd2393abb0d45723fd4954347

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\443907751.exe
      Filesize

      415KB

      MD5

      75097eaeba0a119d01505fc78eab9cfb

      SHA1

      a36912bfc2eb5c5d41918dadd712a7ced27248cc

      SHA256

      1e727209a4d2081b881100368a004c95f01eb4fedd24955be36ca4c40ff3bf70

      SHA512

      b483662a85cc8ffacb94c2ec703005888205194f826129b4aeb3e9a7e678aa99495a5deccb3bb11e1e9604fbc9890b2972aed9c923491aa7a65c12f95b4a400b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Uf524755.exe
      Filesize

      610KB

      MD5

      d8768ac3e8b2ac3ef67fc6a1f36bf314

      SHA1

      109478b5df4314c6d3e01293091cdd1ce77c0e60

      SHA256

      30ff155851541b333c2c618bd2d7a1549da2ff9a92d9a1f2c700b18b62c67bae

      SHA512

      8aed80262f2d62bb01ae601b833d7a697bc34b184188398f4b5f1bf69a5cf4a2b17f4f9ec934bb9079dadbe272ef2eb417ea935617721506b35d5ccded33bbb1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\323628542.exe
      Filesize

      204KB

      MD5

      57536bdb1b7c0e9dadf9d8fd3027d5a4

      SHA1

      ee83b57b1f405707dcbeef9b32d6a96686461d70

      SHA256

      e5033c7717160941b3aaa28b992204e3105e1fa42a361d9c4e3a3319386ab95c

      SHA512

      1d0d32dcef9453b8225e17d26e1a900e2dbc45ab26cbadb057507b45222cc9dc3667a9c28a0edc1ea368c4da46f62983b0bded58ca1eaeb7182b4f88c702c594

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Au101175.exe
      Filesize

      438KB

      MD5

      3f4777bc2722e8f36d4c8f486e6baa99

      SHA1

      a66ed58b5a99298453e9292eb3c640a256f6365f

      SHA256

      9d4e40820d278373e51bafaeeac290226a72e34778715eaca4ecb8bf27b2e492

      SHA512

      164505f9f5f7692d3395e35f4671ab7f0674ab0e6009511135864bc9ae674ea441079cc70827242f4d74c2285eb5ff3056842391d0d82f8b3a7b19acc1900cb3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\174474396.exe
      Filesize

      175KB

      MD5

      1306b3e0b8c0c5b7369619f8dd722836

      SHA1

      00db4d1e31c6e7f49820af47e79e382c9e97857a

      SHA256

      5ce1893624976db53f4eb2be857fcac00060589b9e857707e1bc75519e8f0d39

      SHA512

      275f1d23d481eb8d755f476308c8aebe77b3cc79696c5a333991764223e74ade11dc58a5425d30a536ab1a471f56536fca5e2bce0d520c22ae99cf4246527671

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\207198573.exe
      Filesize

      333KB

      MD5

      71adca55306d3a047a4f337b6dd4d4e2

      SHA1

      3c44e5311a8e36105f0897035270b978508708b9

      SHA256

      ed003c443d7f07adaff8fdc1763c0c114ab51bcd7a3974b88b59d33c3fb701cd

      SHA512

      ab3b16aa33cc2c9b8df66769ff5eaf1f5d44ba58fa5e6c8d5838eed0f360ed59039dfe467f54e674e36cf0f50d9a5333a31392b29c94b0c5a702cbdbfab8fe3b

      Download Submit

    • memory/1316-908-0x00000000075F0000-0x0000000007C08000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1316-909-0x0000000007C10000-0x0000000007C22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1316-116-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1316-117-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1316-119-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1316-121-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1316-115-0x00000000024E0000-0x000000000251A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1316-114-0x0000000002280000-0x00000000022BC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1316-910-0x0000000007C30000-0x0000000007D3A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1316-911-0x0000000007D40000-0x0000000007D7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1316-912-0x0000000002450000-0x000000000249C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3676-66-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-71-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-96-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3676-94-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3676-67-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-64-0x0000000002360000-0x000000000237A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3676-65-0x00000000023F0000-0x0000000002408000-memory.dmp

      Filesize

      96KB

      Download

    • memory/3676-69-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-75-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-93-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-91-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-89-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-87-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-85-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-83-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-81-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-79-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-77-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3676-73-0x00000000023F0000-0x0000000002402000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4804-46-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-50-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-38-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-31-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-32-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-40-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-42-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-44-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-36-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-34-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-48-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-52-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-56-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-58-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-54-0x0000000004F50000-0x0000000004F63000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4804-30-0x0000000004F50000-0x0000000004F68000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4804-29-0x0000000004960000-0x0000000004F04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4804-28-0x00000000022B0000-0x00000000022CA000-memory.dmp

      Filesize

      104KB

      Download