Overview

overview

10

Static

static

7

cdeeb0f1b8...73.exe

windows7_x64

10

cdeeb0f1b8...73.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    164s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    15-02-2022 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073.exe

  • Size

    2.5MB

  • MD5

    3d01438bfca0d5786c9e473f087c4c56

  • SHA1

    ec905150408d52283b26c1b283fbf537d9423114

  • SHA256

    cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073

  • SHA512

    ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6

Score
10/10
amadeyevasionthemidatrojan

Malware Config

Extracted

Family

amadey

Version

2.50

C2

depressionk1d.ug/k8FppT/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073.exe
    "C:\Users\Admin\AppData\Local\Temp\cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      "C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3140
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\5c436eadc6\
          4⤵
            PID:3320
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:984
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2828
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:3628
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      1⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2168
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3364
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      1⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1748

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\15217907144981549421
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\15217907144981549421
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\15217907144981549421
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      MD5

      3d01438bfca0d5786c9e473f087c4c56

      SHA1

      ec905150408d52283b26c1b283fbf537d9423114

      SHA256

      cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073

      SHA512

      ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      MD5

      3d01438bfca0d5786c9e473f087c4c56

      SHA1

      ec905150408d52283b26c1b283fbf537d9423114

      SHA256

      cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073

      SHA512

      ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      MD5

      3d01438bfca0d5786c9e473f087c4c56

      SHA1

      ec905150408d52283b26c1b283fbf537d9423114

      SHA256

      cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073

      SHA512

      ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\5c436eadc6\rnyuf.exe
      MD5

      3d01438bfca0d5786c9e473f087c4c56

      SHA1

      ec905150408d52283b26c1b283fbf537d9423114

      SHA256

      cdeeb0f1b8c30d1e55998094064f46c523d637776a16fea2ef92aeefd79f7073

      SHA512

      ea236c2b5308345dbe49eab90615a0c9a7d53f6781b427d899de45e3a54236036d352079b7896101c8eea3ff6f1300e758857d8e86d2054a72219c2030c499a6

      Download Submit
    • memory/1400-133-0x0000000000950000-0x0000000000FD8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1400-130-0x0000000077204000-0x0000000077206000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1400-132-0x0000000000950000-0x0000000000FD8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1400-131-0x0000000000950000-0x0000000000FD8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1748-146-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1748-147-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/1748-148-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2168-141-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2168-142-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2168-143-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-138-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-136-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2536-137-0x0000000000370000-0x00000000009F8000-memory.dmp
      Filesize

      6.5MB

      Download