Resubmissions

19/01/2022, 16:33 UTC

220119-t2pzlabeh4 10

25/11/2021, 12:39 UTC

211125-pvmtfaaee9 10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19/01/2022, 16:33 UTC

General

  • Target

    1ae5c809ea8fabce9c699c87416d73ba5ab619accef6deeb26c2c38f39323181.exe

  • Size

    6.2MB

  • MD5

    eaf0414732a32787b8c26e69af59bfa0

  • SHA1

    e313935ac46f141a3940236026cfe0eb0f4a1dcc

  • SHA256

    1ae5c809ea8fabce9c699c87416d73ba5ab619accef6deeb26c2c38f39323181

  • SHA512

    cc9dda5d5072e3ef01ee3e61fe23d0e753ca5957ff9f15e49377bd84a0be5b1f3606aaca9e6cbc7ff6fb67cf130da2d2174c32c5a2e5911706acf6b085706ab1

Score
10/10

Malware Config

Extracted

Family

amadey

Version

2.70

C2

185.215.113.45/g4MbvE/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 14 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ae5c809ea8fabce9c699c87416d73ba5ab619accef6deeb26c2c38f39323181.exe
    "C:\Users\Admin\AppData\Local\Temp\1ae5c809ea8fabce9c699c87416d73ba5ab619accef6deeb26c2c38f39323181.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Geeks3D\Fur Images Converter 3.3.2.0\install\4814FC9\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1ae5c809ea8fabce9c699c87416d73ba5ab619accef6deeb26c2c38f39323181.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1642354238 " AI_EUIMSI=""
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:744
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E9F852242E8E5FA73471493FC06EE9CF C
      2⤵
      • Loads dropped DLL
      PID:1988
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7D0ED9B251F4AAD0ADD4D912A7CE51A5
      2⤵
      • Loads dropped DLL
      PID:288
    • C:\Users\Admin\AppData\Local\Temp\603c0340b4\furm-extensions.exe
      "C:\Users\Admin\AppData\Local\Temp\603c0340b4\furm-extensions.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
        "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1132
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2000
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
            5⤵
            PID:1692
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
            4⤵
            • Creates scheduled task(s)
            PID:1596
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {255E662F-142B-4E6D-A587-F98C2A5C4167} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
        C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1288

    Network

    • 185.215.113.45:80
      sqtvvs.exe
      152 B
      3
    • 185.215.113.45:80
      sqtvvs.exe
      152 B
      3
    • 185.215.113.45:80
      sqtvvs.exe
      104 B
      2
    • 185.215.113.45:80
      sqtvvs.exe
      104 B
      2

    Downloads

    • memory/1084-130-0x0000000001290000-0x00000000017B3000-memory.dmp

      Filesize

      5.1MB

    • memory/1356-58-0x000007FEFBCB1000-0x000007FEFBCB3000-memory.dmp

      Filesize

      8KB

    • memory/1464-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

      Filesize

      8KB