Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12/11/2024, 14:16
Static task
static1
General
-
Target
c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe
-
Size
585KB
-
MD5
6a819e1d268abb9a53fb023016f3fbb0
-
SHA1
94b2f16e81f8c4bf961627975ebbe351f6566ad8
-
SHA256
c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afc
-
SHA512
ab256cd3b757a662d5c718b78b328fee1b56d3a6f84f53a5d5f4bf3ae3507f145cafc22b896bd1490c20989cf1d723d0a467174e6f8918c50512d4993b31d608
-
SSDEEP
12288:Ly90g5SA/4t7qGjpXfrCuQt5F+7pNasIcI:LyiAe/jpXKl+7HEcI
Malware Config
Extracted
amadey
3.80
9c0adb
http://193.3.19.154
-
install_dir
cb7ae701b3
-
install_file
oneetx.exe
-
strings_key
23b27c80db2465a8e1dc15491b69b82f
-
url_paths
/store/games/index.php
Signatures
-
Amadey family
-
Detects Healer an antivirus disabler dropper 17 IoCs
resource yara_rule behavioral1/memory/116-15-0x0000000002190000-0x00000000021AA000-memory.dmp healer behavioral1/memory/116-19-0x00000000023D0000-0x00000000023E8000-memory.dmp healer behavioral1/memory/116-48-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-46-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-44-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-42-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-40-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-38-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-36-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-34-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-32-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-30-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-28-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-26-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-24-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-22-0x00000000023D0000-0x00000000023E3000-memory.dmp healer behavioral1/memory/116-21-0x00000000023D0000-0x00000000023E3000-memory.dmp healer -
Healer family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 258810809.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 258810809.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 258810809.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 258810809.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 258810809.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation 369908799.exe Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation oneetx.exe -
Executes dropped EXE 7 IoCs
pid Process 4432 OO309956.exe 116 145857953.exe 2948 258810809.exe 1108 369908799.exe 4540 oneetx.exe 860 oneetx.exe 1772 oneetx.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 145857953.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 258810809.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" OO309956.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 3680 2948 WerFault.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 258810809.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language oneetx.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OO309956.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 145857953.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 369908799.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2768 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 116 145857953.exe 116 145857953.exe 2948 258810809.exe 2948 258810809.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 116 145857953.exe Token: SeDebugPrivilege 2948 258810809.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1108 369908799.exe -
Suspicious use of WriteProcessMemory 39 IoCs
description pid Process procid_target PID 3924 wrote to memory of 4432 3924 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe 83 PID 3924 wrote to memory of 4432 3924 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe 83 PID 3924 wrote to memory of 4432 3924 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe 83 PID 4432 wrote to memory of 116 4432 OO309956.exe 84 PID 4432 wrote to memory of 116 4432 OO309956.exe 84 PID 4432 wrote to memory of 116 4432 OO309956.exe 84 PID 4432 wrote to memory of 2948 4432 OO309956.exe 96 PID 4432 wrote to memory of 2948 4432 OO309956.exe 96 PID 4432 wrote to memory of 2948 4432 OO309956.exe 96 PID 3924 wrote to memory of 1108 3924 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe 101 PID 3924 wrote to memory of 1108 3924 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe 101 PID 3924 wrote to memory of 1108 3924 c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe 101 PID 1108 wrote to memory of 4540 1108 369908799.exe 102 PID 1108 wrote to memory of 4540 1108 369908799.exe 102 PID 1108 wrote to memory of 4540 1108 369908799.exe 102 PID 4540 wrote to memory of 2768 4540 oneetx.exe 103 PID 4540 wrote to memory of 2768 4540 oneetx.exe 103 PID 4540 wrote to memory of 2768 4540 oneetx.exe 103 PID 4540 wrote to memory of 1480 4540 oneetx.exe 105 PID 4540 wrote to memory of 1480 4540 oneetx.exe 105 PID 4540 wrote to memory of 1480 4540 oneetx.exe 105 PID 1480 wrote to memory of 3396 1480 cmd.exe 107 PID 1480 wrote to memory of 3396 1480 cmd.exe 107 PID 1480 wrote to memory of 3396 1480 cmd.exe 107 PID 1480 wrote to memory of 3292 1480 cmd.exe 108 PID 1480 wrote to memory of 3292 1480 cmd.exe 108 PID 1480 wrote to memory of 3292 1480 cmd.exe 108 PID 1480 wrote to memory of 4156 1480 cmd.exe 109 PID 1480 wrote to memory of 4156 1480 cmd.exe 109 PID 1480 wrote to memory of 4156 1480 cmd.exe 109 PID 1480 wrote to memory of 3120 1480 cmd.exe 110 PID 1480 wrote to memory of 3120 1480 cmd.exe 110 PID 1480 wrote to memory of 3120 1480 cmd.exe 110 PID 1480 wrote to memory of 4680 1480 cmd.exe 111 PID 1480 wrote to memory of 4680 1480 cmd.exe 111 PID 1480 wrote to memory of 4680 1480 cmd.exe 111 PID 1480 wrote to memory of 2928 1480 cmd.exe 112 PID 1480 wrote to memory of 2928 1480 cmd.exe 112 PID 1480 wrote to memory of 2928 1480 cmd.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe"C:\Users\Admin\AppData\Local\Temp\c2ddd2393dd304f588f3cea7627740ef14c2fc25c5d9aa4ee21c8e04810b4afcN.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3924 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OO309956.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\145857953.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:116
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\258810809.exe3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 10804⤵
- Program crash
PID:3680
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\369908799.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2768
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
- System Location Discovery: System Language Discovery
PID:3396
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
- System Location Discovery: System Language Discovery
PID:3292
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
- System Location Discovery: System Language Discovery
PID:4156
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
- System Location Discovery: System Language Discovery
PID:3120
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:N"5⤵
- System Location Discovery: System Language Discovery
PID:4680
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\cb7ae701b3" /P "Admin:R" /E5⤵
- System Location Discovery: System Language Discovery
PID:2928
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2948 -ip 29481⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:860
-
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exeC:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe1⤵
- Executes dropped EXE
PID:1772
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD51304f384653e08ae497008ff13498608
SHA1d9a76ed63d74d4217c5027757cb9a7a0d0093080
SHA2562a9dabab35fb09085750e1cc762e32b0fe4cbd7ed4276ef7e68ba159ae330eaa
SHA5124138217fd538e827c89db5c0cd4ea21bd8c8d3a7196d2eabf10412caf7b929479e768747df5fd92fc022d758f1840474530ba82dcb7e8672cc6eb88caeaf38c1
-
Filesize
414KB
MD561d90663421fb32b684f6cbd80ac1b3f
SHA129ad2e61bc9a40076e0af3215df0ae008e078738
SHA256cb12d593fb0000ab7cf8ad21e1450f5c59404cabc347c1fed9871193cb1b8088
SHA51257d6b82483cc14e6e5e63ae1a86803e2faad001248cbd2017106bbff869dc56ff0e300351c61405b6be0f5023a29e1e7f44e812962b54a9c537df98d103c1c55
-
Filesize
175KB
MD53d10b67208452d7a91d7bd7066067676
SHA1e6c3ab7b6da65c8cc7dd95351f118caf3a50248d
SHA2565c8ae96739bd9454a59e92b5eb6965647030e87453f7c417dbd7d53ebd837302
SHA512b86d5ff4f55c90922a890401ae4301da7e71eb5e546a82536073cc58780ce55585214cff39ec9b52f70704580ad36c1fa95ebee1515dd2e7ea313cb670f2b4df
-
Filesize
259KB
MD5166c3a38d67502c4341a59ddd044c986
SHA106315016c2725ffaf989707cf2e0cac83f84520a
SHA256cdf7e3b30be8fec731d6a859a557cfb9c1a89fec7805059676b5f20e0a1d02a9
SHA512eebcd083cdd2ba04091f5ff1406bb2a0002a13ea917331358182b8170fd9d7b6c9a738848be24cd2df00858736f1505a3761dee0b72ab22098a690c1d9a630af