Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-01-2025 12:51
General
-
Target
b93587ac3123356b4dcb8e66169b917ffe111c14076228306549f0a2e91d57d6.exe
-
Size
309KB
-
MD5
1565b3844f4694e2a4aca129fbdf8569
-
SHA1
3a0057f77db6e1f00a68f66752b787ac2f7faecb
-
SHA256
b93587ac3123356b4dcb8e66169b917ffe111c14076228306549f0a2e91d57d6
-
SHA512
f771fc9a694214901cffee5bde4d39f5be3cdd62b60fd750a80afd935a0cc057e4d7b4cccacbd77bf05198be06d8ac9cecc23df23dadf3c861ff66e78c22e6bd
-
SSDEEP
6144:KFy+bnr+6p0yN90QEeGqw767yWc74TbfWiSI0AIyfP:PMrey90TebRAyfP
Score
10/10
Malware Config
Extracted
Family
amadey
Version
3.69
Botnet
32c858
C2
http://77.91.124.242
Attributes
-
install_dir
550693dc87
-
install_file
oneetx.exe
-
strings_key
148c8260bc34f461da3708ace57fdffd
-
url_paths
/games/category/index.php
rc4.plain
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
Detects Healer an antivirus disabler dropper 2 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Healer family
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Windows security modification 2 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 26 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b93587ac3123356b4dcb8e66169b917ffe111c14076228306549f0a2e91d57d6.exe"C:\Users\Admin\AppData\Local\Temp\b93587ac3123356b4dcb8e66169b917ffe111c14076228306549f0a2e91d57d6.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\az181786.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\az181786.exe2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bu678177.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bu678177.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 6963⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 7843⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 8563⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 9603⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 9923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 9723⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 12083⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 12523⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 13123⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 6924⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 9084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 10724⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 10964⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 11084⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 11404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 10884⤵
- Program crash
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 10124⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 7764⤵
- Program crash
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\550693dc87" /P "Admin:N"&&CACLS "..\550693dc87" /P "Admin:R" /E&&Exit4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\550693dc87" /P "Admin:N"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\550693dc87" /P "Admin:R" /E5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 13404⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 7524⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 13044⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 7604⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 11164⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 14283⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 860 -ip 8601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3156 -ip 31561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3156 -ip 31561⤵
-
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exeC:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 3122⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3152 -ip 31521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3156 -ip 31561⤵
-
C:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exeC:\Users\Admin\AppData\Local\Temp\550693dc87\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 2162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 4480 -ip 44801⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
12KB
MD583914f9394959ccb9501c1eda5b9290e
SHA1af9730b7a0d439ba4196471d65f9fd2044917e37
SHA25660bfb07cb15cd0a9c9bf7b8c0861afdba3a40768a67f414931abff88cb196b15
SHA512145e2e3b09462b2ad4edfdf797a6ff5e81b607056aae9c5842bd89d2763656e6f4edfd8173fa7e185b3f1f59992cd1f943ecc8266d9dca26c884e5777826252e
-
Filesize
227KB
MD5a30a75340cbf4ec2d1e2959c5a88ff2f
SHA1d013cc3f70f6a9f1e31c3b91d0a9d9ffd56b1763
SHA256454d6304ecbdffb25ede38b315f2f39a3df8a443b120e0c1731ca5de7d9dcdb2
SHA512e1cc2747f047cff4d36b90095c389e795115cdb21dda4dffa31e2e45fda8c2082bfa1a8505162e13c7d67cd03e13d342d7195bd2fa50eb6d4d8b8c3022e63214
-
Filesize
244KB
-
Filesize
252KB
-
Filesize
668KB
-
Filesize
1024KB
-
Filesize
244KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
40KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB
-
Filesize
668KB