Overview

overview

10

Static

static

3

3b5bd420b2...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b5bd420b211b26dac93b287ada20ad42ee48583561c6e7c0eebdfc665e1c408.exe

  • Size

    1.2MB

  • MD5

    fd3ee3e48dd9eb3c5ce1311876e68615

  • SHA1

    44b6d3a55f2279e4a716f2074f609e57241bb9c9

  • SHA256

    3b5bd420b211b26dac93b287ada20ad42ee48583561c6e7c0eebdfc665e1c408

  • SHA512

    951113f5292df5557dd372d6e979741be2c81222644bb84e052335fea8a24468f4c19fdb0605fcb7f516decba0f954bbd926f13a0d478b9a1c119ceabcdaa4be

  • SSDEEP

    24576:cyNN2N9BDTDwgp85Wbcv600vXhewmplEL5O5XIqDo7sl:LNN2jJDw2yWbcvn6X3uEL4dIq

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b5bd420b211b26dac93b287ada20ad42ee48583561c6e7c0eebdfc665e1c408.exe
    "C:\Users\Admin\AppData\Local\Temp\3b5bd420b211b26dac93b287ada20ad42ee48583561c6e7c0eebdfc665e1c408.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yA133929.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yA133929.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1440
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty610437.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty610437.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4616
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Al695610.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Al695610.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5036
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\152975410.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\152975410.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\269148369.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\269148369.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:624
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1140
              6⤵
              • Program crash
              PID:4108
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317007509.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317007509.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:428
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4876
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3768
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1672
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4444
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2624
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1632
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3904
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:112
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\429520107.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\429520107.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:868
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 624 -ip 624
    1⤵
      PID:3544
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3788
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:2848

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yA133929.exe
      Filesize

      1.0MB

      MD5

      2725ba0cae9d50d104754a10bafb3665

      SHA1

      0ff586ffc8e588d5a969ba1e3ff8b3ef32a48e40

      SHA256

      e52084cc780038bb53e7e1105a46aa702578a25b3f1fdd96f4b800133a467b38

      SHA512

      d30248fae890e08e3ce6c5fd4b433cc45bef9ab722b07329c28412d973b6268769f5ef25ebb809ec475c4796102b66acf867c6f0c2d5c94d9d87553a6b2e8a17

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\429520107.exe
      Filesize

      461KB

      MD5

      f937c27acbbb851d1360d779346c5a8d

      SHA1

      5b164dc4062608e98139f3a3912354dd90f9323b

      SHA256

      8926fddee482b272de564c8c36c7de5b3589d96a2527f3c558425490edeb02aa

      SHA512

      0839f950b158ab9740fcf06f6c6c8ce6411fb693116c0e6c1a206c46ddf5f659aa6fe7a2859c7e2c852bdd2ef98943db46197128bb25f0e717bb3c6cb113a5fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ty610437.exe
      Filesize

      639KB

      MD5

      19ab1089ddd3640d36b4f4ab65f9ca92

      SHA1

      06707389d9b5ec0bbdf285279792497b1a5556f6

      SHA256

      a5aac751f348ae4d95d9197d0d60af72d050b7fdeabbe556684bfbadf79e3705

      SHA512

      35876524c18a51fc443d7bee7be5301721d37bf5473fe5cb175c3ec5339f2456a07017eb6b5cd3df56311b5553d9720ddf03016c5c4a79ab97a71f9a4d749c6b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\317007509.exe
      Filesize

      204KB

      MD5

      14b2ed5ced0c7d26f4f20ef6a16ce1b4

      SHA1

      c1316d319ed5004540626252079bcbdc946199e4

      SHA256

      d8ae84771fac8370d8126ee2eae3e7fd9cb363beaae36f403af54cfab8428f96

      SHA512

      7f202f9c2faf237bc35d6f14c6bd1b5e2a7d90e87874484746698a064573d21c9324968b0a8e756d74d83a22a0598ac7e843b844b51bfba8609e6cc835f6e7e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Al695610.exe
      Filesize

      467KB

      MD5

      1bb4d3baf75c10c0f9ad8d770f2b48ab

      SHA1

      32f3022433da8fef73f9ae4ba5089c443ad51fba

      SHA256

      56850addecde396ced9715c644f5d35a11ab10525844d7788d7bce4bf189f8ed

      SHA512

      daee57c9b176fefda66b0063fbd808b51df727dd98324026560a7161f6f27fb3f484acff04f49087cdd7d0a4f4b876f2cea681d427cf33174746901de088d802

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\152975410.exe
      Filesize

      176KB

      MD5

      4fb09bc0c3880be466781988bfe98dd7

      SHA1

      25230ecefc2da502fb97baae88e8a61baabac836

      SHA256

      75b7c26a47b08532385889d6250587a000fbd1421fbb3458077654069d5b783d

      SHA512

      5366f477e10a3ffd55a52534e3682e61612d24bb97781c2d7a0d53e772d90fbc4377b83ff5f19f4f7162e9e45ebf563941dcf2a36117076ac8feb1812cbd5c4e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\269148369.exe
      Filesize

      378KB

      MD5

      a8e1c0bab205eab336d93105e3f3afd7

      SHA1

      c22aa3d2f4002f4476492c3f599c3fcd395a9cb0

      SHA256

      a7c4cf0a974cffe900b6f6f86af8c9a3115699e1c5ca70f1a0de8e8ac5d2b5e2

      SHA512

      8dab4106a44da152ab483d2eddcff097f6cfc4d002637c6d61b4fb86544220a9b323dde13356d257fd740d2f829f448d90999e228f6b2ddac540d2c2e60c244a

      Download Submit

    • memory/624-67-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-89-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-77-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-79-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-81-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-84-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-85-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-88-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-75-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-92-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-93-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-73-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-66-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-95-0x0000000000400000-0x0000000000803000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/624-69-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-72-0x00000000028D0000-0x00000000028E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/624-64-0x00000000023C0000-0x00000000023DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/624-65-0x00000000028D0000-0x00000000028E8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/868-114-0x00000000028D0000-0x000000000290C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/868-115-0x0000000004E10000-0x0000000004E4A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/868-121-0x0000000004E10000-0x0000000004E45000-memory.dmp

      Filesize

      212KB

      Download

    • memory/868-119-0x0000000004E10000-0x0000000004E45000-memory.dmp

      Filesize

      212KB

      Download

    • memory/868-116-0x0000000004E10000-0x0000000004E45000-memory.dmp

      Filesize

      212KB

      Download

    • memory/868-117-0x0000000004E10000-0x0000000004E45000-memory.dmp

      Filesize

      212KB

      Download

    • memory/868-908-0x0000000007F60000-0x0000000008578000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/868-909-0x0000000007980000-0x0000000007992000-memory.dmp

      Filesize

      72KB

      Download

    • memory/868-910-0x00000000079A0000-0x0000000007AAA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/868-911-0x0000000007AC0000-0x0000000007AFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/868-912-0x0000000002720000-0x000000000276C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1000-34-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-38-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-31-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-30-0x00000000024A0000-0x00000000024B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1000-32-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-29-0x0000000004B60000-0x0000000005104000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1000-28-0x00000000021A0000-0x00000000021BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1000-36-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-40-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-42-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-44-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-46-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-48-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-50-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-52-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-54-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-56-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1000-58-0x00000000024A0000-0x00000000024B3000-memory.dmp

      Filesize

      76KB

      Download