Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    187s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 11:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    205KB

  • MD5

    329efa3db8a908218487fc3607b73df6

  • SHA1

    72a8b995f97eab399ccb22601fb3cf6df57e8a3b

  • SHA256

    ac1b14a61b42f49c95ef6e893877bec973d3108d827535ab4885b051e9fed090

  • SHA512

    058d418bab2b27612d840b52a1746ec88477326c02aeeeb200e40568a2e400219bf0ad42c9adeed8426dd55104843894699ee7e0d46a0417a978b4d5c1257e9a

  • SSDEEP

    3072:j5DwZqXmYh5wI1vmnN4zgQB8XnlWOi5tYPh65pYQ1:JyqXmPI1v8IBBQlDi5gYT

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.17/hfk3vK9/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:372
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1264
      2⤵
      • Program crash
      PID:380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2972 -ip 2972
    1⤵
      PID:4916
    • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
      1⤵
      • Executes dropped EXE
      PID:4904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 416
        2⤵
        • Program crash
        PID:1500
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4904 -ip 4904
      1⤵
        PID:920
      • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
        C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
        1⤵
        • Executes dropped EXE
        PID:2612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 420
          2⤵
          • Program crash
          PID:3064
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2612 -ip 2612
        1⤵
          PID:4064

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
          Filesize

          205KB

          MD5

          329efa3db8a908218487fc3607b73df6

          SHA1

          72a8b995f97eab399ccb22601fb3cf6df57e8a3b

          SHA256

          ac1b14a61b42f49c95ef6e893877bec973d3108d827535ab4885b051e9fed090

          SHA512

          058d418bab2b27612d840b52a1746ec88477326c02aeeeb200e40568a2e400219bf0ad42c9adeed8426dd55104843894699ee7e0d46a0417a978b4d5c1257e9a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
          Filesize

          205KB

          MD5

          329efa3db8a908218487fc3607b73df6

          SHA1

          72a8b995f97eab399ccb22601fb3cf6df57e8a3b

          SHA256

          ac1b14a61b42f49c95ef6e893877bec973d3108d827535ab4885b051e9fed090

          SHA512

          058d418bab2b27612d840b52a1746ec88477326c02aeeeb200e40568a2e400219bf0ad42c9adeed8426dd55104843894699ee7e0d46a0417a978b4d5c1257e9a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
          Filesize

          205KB

          MD5

          329efa3db8a908218487fc3607b73df6

          SHA1

          72a8b995f97eab399ccb22601fb3cf6df57e8a3b

          SHA256

          ac1b14a61b42f49c95ef6e893877bec973d3108d827535ab4885b051e9fed090

          SHA512

          058d418bab2b27612d840b52a1746ec88477326c02aeeeb200e40568a2e400219bf0ad42c9adeed8426dd55104843894699ee7e0d46a0417a978b4d5c1257e9a

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
          Filesize

          205KB

          MD5

          329efa3db8a908218487fc3607b73df6

          SHA1

          72a8b995f97eab399ccb22601fb3cf6df57e8a3b

          SHA256

          ac1b14a61b42f49c95ef6e893877bec973d3108d827535ab4885b051e9fed090

          SHA512

          058d418bab2b27612d840b52a1746ec88477326c02aeeeb200e40568a2e400219bf0ad42c9adeed8426dd55104843894699ee7e0d46a0417a978b4d5c1257e9a

          Download Submit
        • memory/372-143-0x0000000000000000-mapping.dmp
          Download
        • memory/2612-149-0x0000000000400000-0x0000000000AE5000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2612-148-0x0000000000C60000-0x0000000000C7F000-memory.dmp
          Filesize

          124KB

          Download
        • memory/2972-133-0x0000000000B60000-0x0000000000B9E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/2972-134-0x0000000000400000-0x0000000000AE5000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2972-132-0x0000000000D2D000-0x0000000000D4C000-memory.dmp
          Filesize

          124KB

          Download
        • memory/2972-141-0x0000000000D2D000-0x0000000000D4C000-memory.dmp
          Filesize

          124KB

          Download
        • memory/2972-142-0x0000000000400000-0x0000000000AE5000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3684-135-0x0000000000000000-mapping.dmp
          Download
        • memory/3684-140-0x0000000000400000-0x0000000000AE5000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3684-139-0x0000000000C30000-0x0000000000C6E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/3684-138-0x0000000000E0C000-0x0000000000E2B000-memory.dmp
          Filesize

          124KB

          Download
        • memory/4904-145-0x0000000000B50000-0x0000000000B6F000-memory.dmp
          Filesize

          124KB

          Download
        • memory/4904-146-0x0000000000400000-0x0000000000AE5000-memory.dmp
          Filesize

          6.9MB

          Download