Overview

overview

10

Static

static

e7dacdbd7e...61.exe

windows7-x64

10

e7dacdbd7e...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2022 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61.exe

  • Size

    299KB

  • MD5

    cd4c96ec46c7c5e1f4c57532f3e6bb58

  • SHA1

    4bebd3f286874f7336a2155300086f6a2da79338

  • SHA256

    e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61

  • SHA512

    d0f79aa4c1d7d41868ada4eec52afe69f6fc114ff5296a401bbe023329a7b0b751fa62b0559db8ed773010ec20689f3974e755d42ed0d93c2e9488628a0bc838

  • SSDEEP

    6144:7aJg/BgxAvuJZYXp0NgTfaYW/l43CiMcZ8KabX4NuXkDKi:7ahAvurNU3CyE6u

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.237/jg94cVd30f/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61.exe
    "C:\Users\Admin\AppData\Local\Temp\e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:732
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1056
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:2036
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "gntuud.exe" /P "Admin:N"
            4⤵
              PID:4976
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "gntuud.exe" /P "Admin:R" /E
              4⤵
                PID:4892
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:4100
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\9c69749b54" /P "Admin:N"
                  4⤵
                    PID:4088
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\9c69749b54" /P "Admin:R" /E
                    4⤵
                      PID:3680
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1144
                  2⤵
                  • Program crash
                  PID:1724
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2244 -ip 2244
                1⤵
                  PID:3984
                • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                  C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4384
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 440
                    2⤵
                    • Program crash
                    PID:3036
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4384 -ip 4384
                  1⤵
                    PID:4856
                  • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                    C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                    1⤵
                    • Executes dropped EXE
                    PID:2144
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 416
                      2⤵
                      • Program crash
                      PID:1708
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2144 -ip 2144
                    1⤵
                      PID:2044

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Scheduled Task

                    1
                    T1053

                    Persistence

                    Scheduled Task

                    1
                    T1053

                    Privilege Escalation

                    Scheduled Task

                    1
                    T1053

                    Defense Evasion

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    System Information Discovery

                    2
                    T1082

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      299KB

                      MD5

                      cd4c96ec46c7c5e1f4c57532f3e6bb58

                      SHA1

                      4bebd3f286874f7336a2155300086f6a2da79338

                      SHA256

                      e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61

                      SHA512

                      d0f79aa4c1d7d41868ada4eec52afe69f6fc114ff5296a401bbe023329a7b0b751fa62b0559db8ed773010ec20689f3974e755d42ed0d93c2e9488628a0bc838

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      299KB

                      MD5

                      cd4c96ec46c7c5e1f4c57532f3e6bb58

                      SHA1

                      4bebd3f286874f7336a2155300086f6a2da79338

                      SHA256

                      e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61

                      SHA512

                      d0f79aa4c1d7d41868ada4eec52afe69f6fc114ff5296a401bbe023329a7b0b751fa62b0559db8ed773010ec20689f3974e755d42ed0d93c2e9488628a0bc838

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      299KB

                      MD5

                      cd4c96ec46c7c5e1f4c57532f3e6bb58

                      SHA1

                      4bebd3f286874f7336a2155300086f6a2da79338

                      SHA256

                      e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61

                      SHA512

                      d0f79aa4c1d7d41868ada4eec52afe69f6fc114ff5296a401bbe023329a7b0b751fa62b0559db8ed773010ec20689f3974e755d42ed0d93c2e9488628a0bc838

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      Filesize

                      299KB

                      MD5

                      cd4c96ec46c7c5e1f4c57532f3e6bb58

                      SHA1

                      4bebd3f286874f7336a2155300086f6a2da79338

                      SHA256

                      e7dacdbd7e9b95a04785824ec417bd166d1aed5e2d502102ccdcc3c8ceecae61

                      SHA512

                      d0f79aa4c1d7d41868ada4eec52afe69f6fc114ff5296a401bbe023329a7b0b751fa62b0559db8ed773010ec20689f3974e755d42ed0d93c2e9488628a0bc838

                      Download Submit
                    • memory/732-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1056-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2036-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2144-161-0x0000000000400000-0x0000000000468000-memory.dmp
                      Filesize

                      416KB

                      Download
                    • memory/2144-160-0x00000000006E4000-0x0000000000703000-memory.dmp
                      Filesize

                      124KB

                      Download
                    • memory/2244-153-0x0000000000400000-0x0000000000468000-memory.dmp
                      Filesize

                      416KB

                      Download
                    • memory/2244-152-0x0000000000722000-0x0000000000741000-memory.dmp
                      Filesize

                      124KB

                      Download
                    • memory/2244-136-0x00000000020B0000-0x00000000020EE000-memory.dmp
                      Filesize

                      248KB

                      Download
                    • memory/2244-137-0x0000000000400000-0x0000000000468000-memory.dmp
                      Filesize

                      416KB

                      Download
                    • memory/2244-135-0x0000000000722000-0x0000000000741000-memory.dmp
                      Filesize

                      124KB

                      Download
                    • memory/3584-149-0x0000000000600000-0x000000000063E000-memory.dmp
                      Filesize

                      248KB

                      Download
                    • memory/3584-150-0x0000000000400000-0x0000000000468000-memory.dmp
                      Filesize

                      416KB

                      Download
                    • memory/3584-148-0x00000000007F3000-0x0000000000812000-memory.dmp
                      Filesize

                      124KB

                      Download
                    • memory/3584-154-0x00000000007F3000-0x0000000000812000-memory.dmp
                      Filesize

                      124KB

                      Download
                    • memory/3584-155-0x0000000000400000-0x0000000000468000-memory.dmp
                      Filesize

                      416KB

                      Download
                    • memory/3584-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3680-151-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4088-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4100-146-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4384-157-0x00000000004D4000-0x00000000004F3000-memory.dmp
                      Filesize

                      124KB

                      Download
                    • memory/4384-158-0x0000000000400000-0x0000000000468000-memory.dmp
                      Filesize

                      416KB

                      Download
                    • memory/4892-145-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4976-144-0x0000000000000000-mapping.dmp
                      Download