Overview

overview

10

Static

static

3

tvMvqaTxQ3...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-01-2025 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tvMvqaTxQ3VVhww4U2r5p1b5.exe

  • Size

    514KB

  • MD5

    61c9381b6c813cbb6cefa076bed31d8a

  • SHA1

    341dd0c0375dff8d5d255b419218bc8969edc4f3

  • SHA256

    004d58bf34da683aacf652abc4bf89317d4f0333b0aa0f134b257c4cc95fbcfa

  • SHA512

    d1366ebdc9253e7fcc2fceba3c3ed5eceb9e223c0089b2cea2ff00a000f1e1dd750a6758d3addad6ed698b935de2aa8073631cb6019dbbe0599349a051240673

  • SSDEEP

    12288:oMrry90IsqzgHkl/vq+19VsBUUiNyiTQ+E7ovoRHpA:Tynscli+rWSNPTQ+EUMHpA

Score
10/10
amadeyhealerredlinesmokeloader88c8bbkrastbackdoordefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

amadey

Version

3.86

Botnet

88c8bb

C2

http://77.91.68.61

Attributes
  • install_dir

    925e7e99c5

  • install_file

    pdates.exe

  • strings_key

    ada76b8b0e1f6892ee93c20ab8946117

  • url_paths

    /rock/index.php

rc4.plain

Extracted

Family

redline

Botnet

krast

C2

77.91.68.68:19071

Attributes
  • auth_value

    9059ea331e4599de3746df73ccb24514

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Smokeloader family
    smokeloader
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tvMvqaTxQ3VVhww4U2r5p1b5.exe
    "C:\Users\Admin\AppData\Local\Temp\tvMvqaTxQ3VVhww4U2r5p1b5.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3288
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6240371.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6240371.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7144898.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7144898.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4326138.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4326138.exe
          4⤵
          • Modifies Windows Defender DisableAntiSpyware settings
          • Modifies Windows Defender Real-time Protection settings
          • Modifies Windows Defender TamperProtection settings
          • Modifies Windows Defender notification settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4120
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2142649.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2142649.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4020
          • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
            "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3676
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1228
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1828
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3744
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "pdates.exe" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1960
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1320
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:N"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3296
              • C:\Windows\SysWOW64\cacls.exe
                CACLS "..\925e7e99c5" /P "Admin:R" /E
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3938692.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3938692.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        PID:808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3273119.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3273119.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4232
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:1416
  • C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
    1⤵
    • Executes dropped EXE
    PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

5
T1562

Disable or Modify Tools

5
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d3273119.exe
    Filesize

    173KB

    MD5

    55984930bdb53dfd857a1f5f341b6416

    SHA1

    84705ca441a0d675586eb209b928306532389669

    SHA256

    392b75a020b74ef9642495817e3ceb3eb2efdf1c92f5da72bb6f3e592f8afcb3

    SHA512

    3a14415e362d0309f4d2d00dea0ddb2b9ea45b7007bc266304d5b08916bb8294345534afaa99b6a48606b9b1bd838ca4e4d1a59c97fa88ea26a5381e207c1cff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6240371.exe
    Filesize

    359KB

    MD5

    fdb89ee30e5f00c8a2dc170e819a4ddf

    SHA1

    7ddfd3aabd1dcd7624846f883978f78e460466dc

    SHA256

    3456b77611c137ccede6291ae88dca2b535ae5593c8842db3cee8c9742f3660b

    SHA512

    13ac85d2103ca8bb5c95565a1ec6fa7781fc88370e0a718b89bc1171fd3d97e381d5a901eac258a8a362215f0a8fc0227d32bb50e1d1d58586c7d59faa3808c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c3938692.exe
    Filesize

    35KB

    MD5

    6bf266050d554a65c61d85cf98558032

    SHA1

    34a234bb3bd5a75fc708a95f1c1c5a61ea4687a7

    SHA256

    61a2330ee11441fcf0e633aab6b0a0979f8cd3d62bfa894069478d5cc6b30798

    SHA512

    047862d2c904a20c0d88f1697dcc466349493b5e25e9884729c387c6df4ae8ee45c0a9479a0a7cf4abbb034b64acc524847ba30dbd81453ad70281475d1b1857

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7144898.exe
    Filesize

    234KB

    MD5

    56584930533091ccb7453a21ef2ac0ad

    SHA1

    dcaa8c6b270bd9685642ebb7ad1ec9747e259446

    SHA256

    0e0372526bfe3a43d8dc3cb8af10f60914ccacd20597189b54f7c38e317e0bdb

    SHA512

    fe89c28131efdf309c518340d59890f8568a28c7c7b3deec30c5972917e38a7b65ee678e0bc933e002d7496906b35e75206f5e497174bcb2ee475c0057e04bc8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4326138.exe
    Filesize

    11KB

    MD5

    52be802c6b06a586dc2e8a4fccc6d075

    SHA1

    76904ad8f17c83d0cc1233407540b6b331ba0284

    SHA256

    0fcb74c81aba859b155329895f2e8485ead4404ac9ccc8e182da55d8702abe02

    SHA512

    152413ee88e7f0cce9b7f1b163bfd9ceb78b3c14041a3cea1a5fac9e9408f17cc3b9f1e49b6b817b24b91faa3626ee4a03fd35ee8bbef55d79599fc191098959

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b2142649.exe
    Filesize

    224KB

    MD5

    95c08c6bdade25e84a4536396760af3a

    SHA1

    2135bdd1c6de0e38e5c5814f8aed95d26e7534a3

    SHA256

    97756a3aba636c16c10852a994291250619678bc677fadbe358487d95309ecaa

    SHA512

    bef843c0b30a149ba1fb702cd680fb3a4839429b44343124363324153ffa011ea27e512703e16456f3291932911a4d5dab58b76d0446cc502b6666caafe80ca7

    Download Submit

  • memory/808-41-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4120-22-0x0000000000470000-0x000000000047A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4120-24-0x00007FFA105F3000-0x00007FFA105F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4120-21-0x00007FFA105F3000-0x00007FFA105F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4232-45-0x0000000000D10000-0x0000000000D40000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4232-46-0x0000000002FA0000-0x0000000002FA6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4232-47-0x000000000B150000-0x000000000B768000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4232-48-0x000000000ACC0000-0x000000000ADCA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4232-49-0x000000000AC00000-0x000000000AC12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4232-50-0x000000000AC60000-0x000000000AC9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4232-51-0x0000000002F20000-0x0000000002F6C000-memory.dmp

    Filesize

    304KB

    Download