Overview

overview

10

Static

static

3

f1fa87f871...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-11-2024 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1fa87f8713bbac68ae4542d42b600fc55bb196ce8c0acbc2d13b565a4420cca.exe

  • Size

    1.2MB

  • MD5

    25521fbca17d1df979c83762f84f7752

  • SHA1

    ad9160058f870770b11a91c51c0f0aa76b08aa68

  • SHA256

    f1fa87f8713bbac68ae4542d42b600fc55bb196ce8c0acbc2d13b565a4420cca

  • SHA512

    667eedffe4de8b865a373d4d81ce851c29e087d9172a073393ac4cd3628dc856cfda2aaf78b92abf0ba07378a30a039b046dc98a20db44dd2e58ba7978d4df56

  • SSDEEP

    24576:5ydnGgdT9ojanBQtx/Bd3LdKVg8CFHEN+8z7O06WWO0B:sdnvLnGtJBd3L0uI/OnF

Score
10/10
amadeyhealerredline9c0adbgenadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

9c0adb

C2

http://193.3.19.154

Attributes
  • install_dir

    cb7ae701b3

  • install_file

    oneetx.exe

  • strings_key

    23b27c80db2465a8e1dc15491b69b82f

  • url_paths

    /store/games/index.php

rc4.plain

Extracted

Family

redline

Botnet

gena

C2

185.161.248.73:4164

Attributes
  • auth_value

    d05bf43eef533e262271449829751d07

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • Redline family
    redline
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1fa87f8713bbac68ae4542d42b600fc55bb196ce8c0acbc2d13b565a4420cca.exe
    "C:\Users\Admin\AppData\Local\Temp\f1fa87f8713bbac68ae4542d42b600fc55bb196ce8c0acbc2d13b565a4420cca.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kc335548.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kc335548.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pb466937.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pb466937.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a61672366.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a61672366.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1072
          • C:\Windows\Temp\1.exe
            "C:\Windows\Temp\1.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:6048
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b96367294.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b96367294.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:6136
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1080
            5⤵
            • Program crash
            PID:5608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c59980360.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c59980360.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:6032
        • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
          "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3612
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1156
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:N"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4340
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "oneetx.exe" /P "Admin:R" /E
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2916
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4048
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\cb7ae701b3" /P "Admin:N"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1388
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "..\cb7ae701b3" /P "Admin:R" /E
              6⤵
              • System Location Discovery: System Language Discovery
              PID:6092
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d33912739.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d33912739.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\Temp\1.exe
        "C:\Windows\Temp\1.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3660
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1296
        3⤵
        • Program crash
        PID:2944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6136 -ip 6136
    1⤵
      PID:5432
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4116 -ip 4116
      1⤵
        PID:1264
      • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        1⤵
        • Executes dropped EXE
        PID:5420
      • C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        1⤵
        • Executes dropped EXE
        PID:2324

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Impair Defenses

      2
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Modify Registry

      3
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Kc335548.exe
        Filesize

        726KB

        MD5

        38c83491dfe8c0d7eb449720bea4caad

        SHA1

        70ab07a8347461a255d95e7e910a1f8a429a7775

        SHA256

        038294b0d735f89cfe5809d1053e9a8c3648b349a434b79961fc26c7430f54b8

        SHA512

        60ab0680d8ae5d00f650209cb6e1d7283442695ae20495ab6f384a8dc347d3f4f04273d7f9fc5806f58e9ad6a4fb5efbbc337c7023949baa682841396c26fb19

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d33912739.exe
        Filesize

        574KB

        MD5

        ddff2515f570ce764b51d1ff79f1600b

        SHA1

        33c45c9d9b5bb5a80935c3f13fc6d88e2af45cbe

        SHA256

        b5d1949a19d3997aaa1646ab4d281e44e008f4a682006581bbbe2c804bcbd03e

        SHA512

        d15fee9f70dba6357010ed9efa8e31dc3a47183a514bb0fdb00f9e1211c4bc2673098b0f7f828426c021c800afa71710d0f9ffa4842878ea5c249f1d73bce7fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pb466937.exe
        Filesize

        554KB

        MD5

        a8e6894efef3b6ece718676e412da916

        SHA1

        850aac0470562e193b73ac969491bec106c9c00a

        SHA256

        3c49eda4f4b1d7f333f5fd8239b8ea4af5af10bf65e074609d46e028abfb65e6

        SHA512

        b96a97357bd29083552f50a6a72a91d75b1d61c668412116c08bcfca6751fd5fc57bbd1f744d63194a5cd3db1300d6a06b642e49b7d9140bd6e49dff127a7525

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c59980360.exe
        Filesize

        205KB

        MD5

        2620314de17fd141747a1ab97161e2f3

        SHA1

        92f320ae220e55fc71a56c853adaebbac1f4ce9d

        SHA256

        eddbc8f8fd24905e9ed6963f16413f8ea997e8f0960b8ce5fcf229fd594172e4

        SHA512

        e371d95f89415b71f2e924a1ceebb2d7819e249feb2450dbb04c8a6ff5552bb5917d4905b0e092141692cd92b1ee45571f6eb1af82991fcff36d7c17378aceb5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a61672366.exe
        Filesize

        303KB

        MD5

        3707cf985d136dd397a835367da28162

        SHA1

        7181fa23f131ece7b32fc7f432865444670bbe95

        SHA256

        78de6a1d3dc0cc4e71e3b32dde4bae0f3c3e577e01f518bcc34e465bd54c5ba8

        SHA512

        2dd3c8ac71caaccc9df39363033239e01dcc0e831df2c9cf0a07cbf59e27203346c59d0f76dda868557cfcde8eec2861b0a1c93d55a0c84063dcf9e9152da152

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b96367294.exe
        Filesize

        391KB

        MD5

        884351babea33e2e7ce49ef427861f1f

        SHA1

        604bdc17e0e7fbf5a97d43ca7a84a0e615b66320

        SHA256

        1e716bcee0cecd5f1f116c386339472e42e16ea04b94986419c5b578ff20a4c2

        SHA512

        cbb98c3dee32d7d63d6af1a36b2ad3539b94de4481b63a669cc2a2192e17a0aeb5246229ddadf8779308d8ba8192f56946caa9355890475fb8b19b0e523dd61d

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        11KB

        MD5

        7e93bacbbc33e6652e147e7fe07572a0

        SHA1

        421a7167da01c8da4dc4d5234ca3dd84e319e762

        SHA256

        850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

        SHA512

        250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        168KB

        MD5

        f16fb63d4e551d3808e8f01f2671b57e

        SHA1

        781153ad6235a1152da112de1fb39a6f2d063575

        SHA256

        8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581

        SHA512

        fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

        Download Submit

      • memory/1072-53-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-43-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-87-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-77-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-59-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-41-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-85-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-83-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-81-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-80-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-75-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-73-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-71-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-69-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-67-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-65-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-63-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-61-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-57-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-55-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-22-0x0000000004BD0000-0x0000000005174000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1072-51-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-49-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-47-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-45-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-23-0x0000000004B20000-0x0000000004B76000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1072-39-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-37-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-35-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-33-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-31-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-29-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-27-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-25-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-24-0x0000000004B20000-0x0000000004B71000-memory.dmp

        Filesize

        324KB

        Download

      • memory/1072-2152-0x0000000005430000-0x000000000543A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1072-21-0x0000000004A30000-0x0000000004A88000-memory.dmp

        Filesize

        352KB

        Download

      • memory/3660-4385-0x0000000004B90000-0x0000000004C9A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3660-4382-0x0000000000140000-0x000000000016E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3660-4383-0x00000000021B0000-0x00000000021B6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3660-4384-0x0000000005090000-0x00000000056A8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3660-4386-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3660-4387-0x0000000004B20000-0x0000000004B5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3660-4389-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4116-4369-0x0000000005760000-0x0000000005792000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4116-2221-0x0000000004D40000-0x0000000004DA8000-memory.dmp

        Filesize

        416KB

        Download

      • memory/4116-2222-0x0000000005550000-0x00000000055B6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/6048-2166-0x0000000000560000-0x000000000056A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/6136-2170-0x00000000026B0000-0x00000000026CA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/6136-2171-0x0000000002A60000-0x0000000002A78000-memory.dmp

        Filesize

        96KB

        Download