Overview

overview

10

Static

static

3

08e3939d2c...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08e3939d2c2d3ae9fc722a14fdd39d7254a186d4d5aaecb112ecffdc5d69530aN.exe

  • Size

    940KB

  • MD5

    c2309d30537869aa5f80324c23d9e03f

  • SHA1

    a0a7d396a1edf00bc8e00dbabecd855e182e3935

  • SHA256

    5edd8d7c54962fcc3807109937802f7597bb894cbc06bda3b599f5be3aa59384

  • SHA512

    7acdd4889490a71418e86ad35e0491814d16c2f8f6b2b744214e31a648c7fe2b1662e362ef015929fd6ea0a06d1ba51254a41e0df0b4d69f28a808f1327f8e0f

  • SSDEEP

    24576:9yjYIbNfd+0cDxAgEmzKDsIj38IVSeb3UMwI90T0mseFO:Yj7BExdA/I9Ib8IAsEMb90T01eo

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08e3939d2c2d3ae9fc722a14fdd39d7254a186d4d5aaecb112ecffdc5d69530aN.exe
    "C:\Users\Admin\AppData\Local\Temp\08e3939d2c2d3ae9fc722a14fdd39d7254a186d4d5aaecb112ecffdc5d69530aN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jw655940.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jw655940.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3504
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Oe680115.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Oe680115.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\143501758.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\143501758.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1736
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\259937434.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\259937434.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1084
            5⤵
            • Program crash
            PID:3932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\355461945.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\355461945.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
          "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:512
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4448
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:996
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:116
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2300
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:R" /E
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1724
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2192
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\cb7ae701b3" /P "Admin:N"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2916
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\cb7ae701b3" /P "Admin:R" /E
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\480563366.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\480563366.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4124
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2156 -ip 2156
    1⤵
      PID:656
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3032
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:3132

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\480563366.exe
      Filesize

      341KB

      MD5

      63c165a3330d421779ed52bc85bc283e

      SHA1

      a721b0e5c53fbc1ea8348fe84b9918d0fe2a7ce5

      SHA256

      7da18b0e4b5c2432504baad8127c8a544ae04337e729b1b56f478461fe7e98bb

      SHA512

      3917a0672c3a659b2c459df41bb654e8bcf19db0e40f49ca479919d054ad686f8ed64f9cb3e1bd3fc43e837da1beddaa210b806a85b4ae2000aaf0bece2637d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jw655940.exe
      Filesize

      586KB

      MD5

      4b770f2301adf2ab4efeaf939d2e027e

      SHA1

      5d890b64eaa99700d2634f3af658dfe9b7fdb927

      SHA256

      64344882a3e44b346b34a9f3c9856a6e3a172a05df45066ac863330a9544900f

      SHA512

      5f3861c5ce88c95c060fc2b236f61a210d2fcbd9d13a623a4b3ee98c69acc09d92324b1bd6e3313e3abd4417cf98452b9321ff124643f7cb797541836e091ccb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\355461945.exe
      Filesize

      204KB

      MD5

      1304f384653e08ae497008ff13498608

      SHA1

      d9a76ed63d74d4217c5027757cb9a7a0d0093080

      SHA256

      2a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa

      SHA512

      4138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Oe680115.exe
      Filesize

      414KB

      MD5

      2bb9234e2be5f0220254d0940423ade6

      SHA1

      1e2dd73b12f62699dd8b9ae3dbb09cfac5a6b843

      SHA256

      13d560a15af41e0dcc32ffa03152b921628ba69bc8592143c9d71f37644d4958

      SHA512

      394a72a20b4f2f9ba984636ffb9b4c52fba9557f5be1c408fd5814f2501f80da2703c6191d0f343700a767a00836a4428e9189cad8bd2c13cbb7881362d1d270

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\143501758.exe
      Filesize

      175KB

      MD5

      a165b5f6b0a4bdf808b71de57bf9347d

      SHA1

      39a7b301e819e386c162a47e046fa384bb5ab437

      SHA256

      68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a

      SHA512

      3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\259937434.exe
      Filesize

      259KB

      MD5

      739dd1dea8bb82e4693ff942f1d003b9

      SHA1

      b83eb3ca9366c8dbb863145cd7e50a4a1d814e73

      SHA256

      c2a8b0408f0ddcb44eb784039e9f2a0250e0c6e012af2f5e1af576f0e89e14c9

      SHA512

      b790a4dc074f65a59f49fdf9479f498a4afd9b40cdceec230980e3fe4f87a4dc8c2cd30cb048906b18a00c094d7b90229686dd0179144aec9a8427b7913f655c

      Download Submit

    • memory/1736-27-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-23-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1736-50-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-47-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-45-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-44-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-41-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-39-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-37-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-35-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-33-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-31-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-29-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-25-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-24-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-51-0x0000000004AC0000-0x0000000004AD3000-memory.dmp

      Filesize

      76KB

      Download

    • memory/1736-21-0x0000000002360000-0x000000000237A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1736-22-0x0000000004B00000-0x00000000050A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2156-87-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/2156-85-0x0000000000400000-0x0000000000455000-memory.dmp

      Filesize

      340KB

      Download

    • memory/4124-108-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4124-106-0x00000000024E0000-0x000000000251A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4124-112-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4124-110-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4124-105-0x0000000002310000-0x000000000234C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4124-107-0x00000000024E0000-0x0000000002515000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4124-899-0x00000000075B0000-0x0000000007BC8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4124-900-0x0000000007BF0000-0x0000000007C02000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4124-901-0x0000000007C10000-0x0000000007D1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4124-902-0x0000000007D30000-0x0000000007D6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4124-903-0x0000000002210000-0x000000000225C000-memory.dmp

      Filesize

      304KB

      Download