Overview

overview

10

Static

static

d8eaf76f6b...74.exe

windows7-x64

10

d8eaf76f6b...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    292s
  • max time network
    336s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 16:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8eaf76f6b75f4b4b7a38712ad9a4174.exe

  • Size

    232KB

  • MD5

    d8eaf76f6b75f4b4b7a38712ad9a4174

  • SHA1

    aa74ec9a6f5c543b5464359a6244d14048d83405

  • SHA256

    48c1869ef95bc7164e5e185ea4c4124ee90d7bddbb6326b37718dc59a84042b1

  • SHA512

    880abb93dcb9df0a6e23b6c8f78e1848f3ad94ff0fb592eaba57ebf53d0f238a12af272c9eaa5c0c57a6d0b5960317ada63b95d3a00d41154b1f872a4f2220f5

  • SSDEEP

    3072:jR/lxNqg0bujxHo5+KaAcLfbFHc6d17vFdf70pb4nIFr2cTjno8JiXTkt7H:9syN/Hld17vFdf7Isq2gjo4iGH

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8eaf76f6b75f4b4b7a38712ad9a4174.exe
    "C:\Users\Admin\AppData\Local\Temp\d8eaf76f6b75f4b4b7a38712ad9a4174.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:3632
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 896
      2⤵
      • Program crash
      PID:3680
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3204 -ip 3204
    1⤵
      PID:4188

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      Filesize

      232KB

      MD5

      d8eaf76f6b75f4b4b7a38712ad9a4174

      SHA1

      aa74ec9a6f5c543b5464359a6244d14048d83405

      SHA256

      48c1869ef95bc7164e5e185ea4c4124ee90d7bddbb6326b37718dc59a84042b1

      SHA512

      880abb93dcb9df0a6e23b6c8f78e1848f3ad94ff0fb592eaba57ebf53d0f238a12af272c9eaa5c0c57a6d0b5960317ada63b95d3a00d41154b1f872a4f2220f5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
      Filesize

      232KB

      MD5

      d8eaf76f6b75f4b4b7a38712ad9a4174

      SHA1

      aa74ec9a6f5c543b5464359a6244d14048d83405

      SHA256

      48c1869ef95bc7164e5e185ea4c4124ee90d7bddbb6326b37718dc59a84042b1

      SHA512

      880abb93dcb9df0a6e23b6c8f78e1848f3ad94ff0fb592eaba57ebf53d0f238a12af272c9eaa5c0c57a6d0b5960317ada63b95d3a00d41154b1f872a4f2220f5

      Download Submit

    • memory/3204-132-0x000000000076E000-0x000000000078D000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3204-133-0x0000000002480000-0x00000000024BE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3204-134-0x000000000076E000-0x000000000078D000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3204-135-0x0000000000400000-0x000000000071C000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3204-142-0x0000000000400000-0x000000000071C000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3632-143-0x0000000000000000-mapping.dmp

      Download

    • memory/4172-136-0x0000000000000000-mapping.dmp

      Download

    • memory/4172-139-0x0000000000A2C000-0x0000000000A4B000-memory.dmp

      Filesize

      124KB

      Download

    • memory/4172-140-0x00000000008A0000-0x00000000008DE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4172-141-0x0000000000400000-0x000000000071C000-memory.dmp

      Filesize

      3.1MB

      Download