Overview

overview

10

Static

static

3

bc90c42076...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc90c420764b62e909e2af822250e0e41d1799ff46e30ba885a1f34770d9fa4e.exe

  • Size

    1.1MB

  • MD5

    f4f230141227f91300d7af759fa7f2cb

  • SHA1

    8a70114b5e5c0ea51c7e3cd2e82a26b1c0c37764

  • SHA256

    bc90c420764b62e909e2af822250e0e41d1799ff46e30ba885a1f34770d9fa4e

  • SHA512

    f074558f0582a9c71c0fd03e851a7302c9c667623df71a2f3d90e59560705b05fffbfa57e7753bbf77ea23743abec027dd19b4cdd5cdaf43e69dd87ec8afdfc7

  • SSDEEP

    24576:5ygtZCWOT1AhjesmuqMeDUlC5y4P9ugbYG6mcacvmGW3dwNOzwQ7:s/WOhAssmAeYld4luwYG6fqq8zwQ

Score
10/10
amadeyhealerredline9c0adbdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 34 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 6 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc90c420764b62e909e2af822250e0e41d1799ff46e30ba885a1f34770d9fa4e.exe
    "C:\Users\Admin\AppData\Local\Temp\bc90c420764b62e909e2af822250e0e41d1799ff46e30ba885a1f34770d9fa4e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cr924929.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cr924929.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pQ674946.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pQ674946.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nw886907.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nw886907.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\132273793.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\132273793.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4904
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\256788342.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\256788342.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4648
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1032
              6⤵
              • Program crash
              PID:1508
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340779392.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340779392.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:448
          • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
            "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5016
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1636
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1672
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4388
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "oneetx.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:388
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3444
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1004
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\cb7ae701b3" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\431021932.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\431021932.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1168
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4648 -ip 4648
    1⤵
      PID:540
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:1360
    • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
      1⤵
      • Executes dropped EXE
      PID:4584
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:5112

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Impair Defenses

    2
    T1562

    Disable or Modify Tools

    2
    T1562.001

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cr924929.exe
      Filesize

      994KB

      MD5

      9910f84fcf5a623e1808fe6544e5572b

      SHA1

      977ac1a389cefe8cfb74bc3b22650da5c73471b1

      SHA256

      50c89a7ef04c7c51532214b8d261cf8b71876648caeae5e09811fd51e5167cf1

      SHA512

      494b85c4d553b26145abce2fc6f1e6c5bcaf14e52f89eee1686effe6e266a8e163427b7674dc85840390f158dbd64322b5eb7a7946b7ff3d8f77f2b1cb6ed2f1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\431021932.exe
      Filesize

      415KB

      MD5

      1e3debdf9ad241053e088868d4c7495e

      SHA1

      bdc392ec4b026fc8daf449a935086de3602f9ea6

      SHA256

      c9db4147192395a4264b61f97b29a862fd36be810da5a1578d6ab180389b6071

      SHA512

      c929f16508090c7d709021e6c0fdcd3c9c4b2abb45edf3b77eb06a1dcd264497d3091317461653aa5ced12fe6fb9c4e2a2076e9982241ffd2ea93096474a621d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pQ674946.exe
      Filesize

      610KB

      MD5

      9daf9e112a8a7890db7a5fb9eb9116ba

      SHA1

      f9e2bf201c91d2203e7c117a00b568977580b2ea

      SHA256

      0ecd7995ed64db3ae3fb47ca56ec0ec811d933b93143eab16271f310269c0d72

      SHA512

      5d3556fdb44657fc95d4ae176186ebe01ea95ddd258204e5cd676a76bfba2104a8308035b5ff6dcc9a60abc9169a297d69ed9d61e7e4b0e76d90000412a72c67

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\340779392.exe
      Filesize

      204KB

      MD5

      8803961fc89f52fdebce65503f51a001

      SHA1

      2d91ae1903467addca8e312a06b6e7e36a982aea

      SHA256

      092406a9055e4f15dbae409213a5e578ea861e6d64e5a85e65b147a91d9663ed

      SHA512

      7c9e2aba507b972b8f7876c9efcdb6424fe2c0cfc8f01161f840b40a33002d147303d63b7861b9a9c7c2f77e29a17d7a0289cbc9117e3ba61a3b5d1f5b3e544f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nw886907.exe
      Filesize

      438KB

      MD5

      478ff444e9607558f6d0869c23ee66e3

      SHA1

      ba0ef467ff318366da943d07ed3166f3db56a9cf

      SHA256

      87036c390322b769a45f076cbe56395726423799a860167a2a3b5dce459d7402

      SHA512

      d77dead3c5814bf9237c50afb361050e3a449535e9e0378b716353696a92dd905b7e3c27715f9b949a3c27d23cad93de8555be78ec4a8f44bb81294a841a68b7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\132273793.exe
      Filesize

      176KB

      MD5

      da12c20160e1f5985e07ec16d68e010e

      SHA1

      f145126019568a16a9d218e79b7435c03418072d

      SHA256

      d26178256626fbcc9bdd908391698175d8694695833e3cbf0ff05d3d7705a4c4

      SHA512

      7e7e66d95640108e0f0fb294c42a99c8da74e7bf34a893dba68fe035c282a8abe8ccb1f02d4f4b92ee76a3b7fff47420877c536812abe398d09bb1d94ce8b9d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\256788342.exe
      Filesize

      333KB

      MD5

      e793a86a1405c43cc0016ad75a8c2b58

      SHA1

      a6108f7f4faad49d055e89c40e8427c28fd3655d

      SHA256

      66ac9bcd58819dec5cad8598ca37af5f7ba0294777ef0634ecaf2f7c7661511b

      SHA512

      e5e59d7b0bcaf1378c29c993c1c49eaefbd3c8d24a633eb60ca215c398532a6f67c17a16782a4e2b329c20e79c76e368fcb7228251c83b30aec9a417e2eddab4

      Download Submit

    • memory/1168-908-0x0000000007580000-0x0000000007B98000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1168-909-0x0000000007C00000-0x0000000007C12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1168-116-0x0000000002560000-0x0000000002595000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1168-117-0x0000000002560000-0x0000000002595000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1168-119-0x0000000002560000-0x0000000002595000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1168-121-0x0000000002560000-0x0000000002595000-memory.dmp

      Filesize

      212KB

      Download

    • memory/1168-115-0x0000000002560000-0x000000000259A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1168-114-0x00000000023A0000-0x00000000023DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1168-910-0x0000000007C20000-0x0000000007D2A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1168-911-0x0000000007D40000-0x0000000007D7C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1168-912-0x00000000045D0000-0x000000000461C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4648-66-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-71-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-95-0x0000000000400000-0x0000000000466000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4648-67-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-87-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-64-0x00000000022F0000-0x000000000230A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4648-65-0x0000000002390000-0x00000000023A8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4648-75-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-93-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-91-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-89-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-85-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-84-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-81-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-79-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-77-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-73-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-69-0x0000000002390000-0x00000000023A2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4904-48-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-32-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-50-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-52-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-31-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-40-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-42-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-46-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-28-0x00000000048C0000-0x00000000048DA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4904-36-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-38-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-54-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-56-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-58-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-44-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4904-30-0x0000000004980000-0x0000000004998000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4904-29-0x0000000004AC0000-0x0000000005064000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4904-35-0x0000000004980000-0x0000000004993000-memory.dmp

      Filesize

      76KB

      Download