Analysis
-
max time kernel
112s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 11:51
Static task
static1
General
-
Target
4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe
-
Size
577KB
-
MD5
331a06b447b3fb8ccceb0eda94665bc0
-
SHA1
cd5265eeeb5e53debd1cdc3b6fe6278fc015cd73
-
SHA256
4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cd
-
SHA512
8788d623ab2de334b5c8a38878e863ca6a4ca08396364b83636e9f9b05a40267add6c94db9f95044463e622aba665dd0fc6599f47f90f4e9c7ec04453172b691
-
SSDEEP
6144:wCp0yN90QE4KdXXCwwoYPuuIlsdmXiXwnk9t2s11CwD0m8yFwiPIABa+WytZaVMD:Ey90vdL/+Ddt311CebwxA0es02S
Malware Config
Extracted
amadey
3.80
9c0adb
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/3100-15-0x00000000023E0000-0x00000000023FA000-memory.dmp healer behavioral1/memory/3100-19-0x0000000004980000-0x0000000004998000-memory.dmp healer behavioral1/memory/3100-47-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-45-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-43-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-41-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-39-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-37-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-35-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-33-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-31-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-29-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-27-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-25-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-23-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-21-0x0000000004980000-0x0000000004993000-memory.dmp healer behavioral1/memory/3100-20-0x0000000004980000-0x0000000004993000-memory.dmp healer -
Healer family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 296865278.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 296865278.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 296865278.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 296865278.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 296865278.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 352125291.exe Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 7 IoCs
pid Process 880 fL620478.exe 3100 133249119.exe 4020 296865278.exe 4992 352125291.exe 2960 oneetx.exe 2004 oneetx.exe 4060 oneetx.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 133249119.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 296865278.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" fL620478.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 740 4020 WerFault.exe 89 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 352125291.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 296865278.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fL620478.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 133249119.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oneetx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1092 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3100 133249119.exe 3100 133249119.exe 4020 296865278.exe 4020 296865278.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3100 133249119.exe Token: SeDebugPrivilege 4020 296865278.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4992 352125291.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 2580 wrote to memory of 880 2580 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe 84 PID 2580 wrote to memory of 880 2580 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe 84 PID 2580 wrote to memory of 880 2580 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe 84 PID 880 wrote to memory of 3100 880 fL620478.exe 86 PID 880 wrote to memory of 3100 880 fL620478.exe 86 PID 880 wrote to memory of 3100 880 fL620478.exe 86 PID 880 wrote to memory of 4020 880 fL620478.exe 89 PID 880 wrote to memory of 4020 880 fL620478.exe 89 PID 880 wrote to memory of 4020 880 fL620478.exe 89 PID 2580 wrote to memory of 4992 2580 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe 94 PID 2580 wrote to memory of 4992 2580 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe 94 PID 2580 wrote to memory of 4992 2580 4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe 94 PID 4992 wrote to memory of 2960 4992 352125291.exe 95 PID 4992 wrote to memory of 2960 4992 352125291.exe 95 PID 4992 wrote to memory of 2960 4992 352125291.exe 95 PID 2960 wrote to memory of 1092 2960 oneetx.exe 96 PID 2960 wrote to memory of 1092 2960 oneetx.exe 96 PID 2960 wrote to memory of 1092 2960 oneetx.exe 96 PID 2960 wrote to memory of 4140 2960 oneetx.exe 98 PID 2960 wrote to memory of 4140 2960 oneetx.exe 98 PID 2960 wrote to memory of 4140 2960 oneetx.exe 98 PID 4140 wrote to memory of 1840 4140 cmd.exe 100 PID 4140 wrote to memory of 1840 4140 cmd.exe 100 PID 4140 wrote to memory of 1840 4140 cmd.exe 100 PID 4140 wrote to memory of 2304 4140 cmd.exe 101 PID 4140 wrote to memory of 2304 4140 cmd.exe 101 PID 4140 wrote to memory of 2304 4140 cmd.exe 101 PID 4140 wrote to memory of 4824 4140 cmd.exe 102 PID 4140 wrote to memory of 4824 4140 cmd.exe 102 PID 4140 wrote to memory of 4824 4140 cmd.exe 102 PID 4140 wrote to memory of 4360 4140 cmd.exe 103 PID 4140 wrote to memory of 4360 4140 cmd.exe 103 PID 4140 wrote to memory of 4360 4140 cmd.exe 103 PID 4140 wrote to memory of 3744 4140 cmd.exe 104 PID 4140 wrote to memory of 3744 4140 cmd.exe 104 PID 4140 wrote to memory of 3744 4140 cmd.exe 104 PID 4140 wrote to memory of 1412 4140 cmd.exe 105 PID 4140 wrote to memory of 1412 4140 cmd.exe 105 PID 4140 wrote to memory of 1412 4140 cmd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe"C:\Users\Admin\AppData\Local\Temp\4a47e9004818b0ef470d023d10c041e5ef3758055ded80f3ffdbae9fd4a389cdN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fL620478.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\133249119.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\296865278.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 10844⤵
- Program crash
PID:740
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\352125291.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4992 -
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1092
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
- System Location Discovery: System Language Discovery
PID:1840
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
- System Location Discovery: System Language Discovery
PID:2304
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
- System Location Discovery: System Language Discovery
PID:4824
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
- System Location Discovery: System Language Discovery
PID:4360
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"5⤵
- System Location Discovery: System Language Discovery
PID:3744
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E5⤵
- System Location Discovery: System Language Discovery
PID:1412
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4020 -ip 40201⤵PID:224
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:2004
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:4060
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
406KB
MD5d316d0cc264213b48624ff29845536e7
SHA12277438596f198c20440153e4e16dc908924f394
SHA256f098d07c08b8752f46db720e5423047b015e1718d1c17432158c5c81d2c11ea6
SHA51236e2dd15690a440b497dd20fffb3d78ee2f11abf916223224f130919e18f975f85ce9e7d113b50b8a9188037eb6c6c59a6cafaa12f9fcb6b81dd484f8a074e3e
-
Filesize
176KB
MD52b71f4b18ac8214a2bff547b6ce2f64f
SHA1b8f2f25139a7b2e8d5e8fbc024eb5cac518bc6a5
SHA256f7eedf3aec775a62c265d1652686b30a8a45a953523e2fb3cfc1fac3c6a66fbc
SHA51233518eff768610bf54f9888d9d0d746b0c3500dc5f2b8fd5f1641d5a264f657a8311b40364f70932512581183b244fec3feb535e21c13e0ec8adec9994175177
-
Filesize
258KB
MD5a03d5d915ad17d3a703b28609194244a
SHA18c843bf4d225521fa2e46d4824674700c19b66ce
SHA25629eb2bd63937e743c04e6c615cdc8be743b8a204ad3538cac93456f589ab34dc
SHA512fa175ff570310b2fdff109f53206289e4a7afa7ca83fff3b66edaf2a115117cea4b048569702f9818022faa85035425381626d9a149dae3c0f9ec097103db49c