amadey | 3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2022 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

225KB
MD5

6a59c469713da7bb9abc4b8f2e8ac6da
SHA1

e87a23b50b3f3a41c50d62e558153d3a3010a02b
SHA256

3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d
SHA512

16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65
SSDEEP

3072:Lz08R/4F+88pD4EkNimqFDF6D2lhPBhQuzpw1H4Oc/1dcK4sRPID6bM0mQt0:x4QRnkgZFDFNPouzpw1H4O9NDCP0

Score

10^/10

amadey persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.60

193.42.33.28/game0ver/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3488	WinComService.exe
4620	super9.exe
3640	WinComService.exe
4892	WinComService.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WinComService.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\super9 = "C:\\Users\\Admin\\AppData\\Roaming\\super9.exe"	super9.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2080	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	super9.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3488	4800	file.exe	80
PID 4800 wrote to memory of 3488	4800	file.exe	80
PID 4800 wrote to memory of 3488	4800	file.exe	80
PID 3488 wrote to memory of 2080	3488	WinComService.exe	81
PID 3488 wrote to memory of 2080	3488	WinComService.exe	81
PID 3488 wrote to memory of 2080	3488	WinComService.exe	81
PID 3488 wrote to memory of 4420	3488	WinComService.exe	83
PID 3488 wrote to memory of 4420	3488	WinComService.exe	83
PID 3488 wrote to memory of 4420	3488	WinComService.exe	83
PID 4420 wrote to memory of 1916	4420	cmd.exe	85
PID 4420 wrote to memory of 1916	4420	cmd.exe	85
PID 4420 wrote to memory of 1916	4420	cmd.exe	85
PID 4420 wrote to memory of 2176	4420	cmd.exe	86
PID 4420 wrote to memory of 2176	4420	cmd.exe	86
PID 4420 wrote to memory of 2176	4420	cmd.exe	86
PID 4420 wrote to memory of 1532	4420	cmd.exe	87
PID 4420 wrote to memory of 1532	4420	cmd.exe	87
PID 4420 wrote to memory of 1532	4420	cmd.exe	87
PID 4420 wrote to memory of 2948	4420	cmd.exe	88
PID 4420 wrote to memory of 2948	4420	cmd.exe	88
PID 4420 wrote to memory of 2948	4420	cmd.exe	88
PID 4420 wrote to memory of 1360	4420	cmd.exe	89
PID 4420 wrote to memory of 1360	4420	cmd.exe	89
PID 4420 wrote to memory of 1360	4420	cmd.exe	89
PID 4420 wrote to memory of 2816	4420	cmd.exe	90
PID 4420 wrote to memory of 2816	4420	cmd.exe	90
PID 4420 wrote to memory of 2816	4420	cmd.exe	90
PID 3488 wrote to memory of 4620	3488	WinComService.exe	93
PID 3488 wrote to memory of 4620	3488	WinComService.exe	93

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
  "C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN WinComService.exe /TR "C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "WinComService.exe" /P "Admin:N"&&CACLS "WinComService.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a4e2bd6d47" /P "Admin:N"&&CACLS "..\a4e2bd6d47" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "WinComService.exe" /P "Admin:N"
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "WinComService.exe" /P "Admin:R" /E
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a4e2bd6d47" /P "Admin:N"
      4⤵
      PID:1360
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\a4e2bd6d47" /P "Admin:R" /E
      4⤵
      PID:2816
- - C:\Users\Admin\AppData\Local\Temp\1000040001\super9.exe
    "C:\Users\Admin\AppData\Local\Temp\1000040001\super9.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:4620

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe
1⤵
- Executes dropped EXE
PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000040001\super9.exe

Filesize
45KB

MD5
4439bff7fec557da1fb9ed754a838be7

SHA1
1aac2acba06be9d26209fe5b8b236315a0f8f387

SHA256
0283da2469f040a2aadcb65856947035f98dca525639670e658f7bdbe9d4f912

SHA512
c277587bb27d13ac18edc1eadf2ba1e1638ba027de7303d45857ece5e3104b4eb9f7f1e67043f02c0a9785893827960e40c35a0661a02d28dfd0d7674db4a243

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000040001\super9.exe

Filesize
45KB

MD5
4439bff7fec557da1fb9ed754a838be7

SHA1
1aac2acba06be9d26209fe5b8b236315a0f8f387

SHA256
0283da2469f040a2aadcb65856947035f98dca525639670e658f7bdbe9d4f912

SHA512
c277587bb27d13ac18edc1eadf2ba1e1638ba027de7303d45857ece5e3104b4eb9f7f1e67043f02c0a9785893827960e40c35a0661a02d28dfd0d7674db4a243

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4e2bd6d47\WinComService.exe

Filesize
225KB

MD5
6a59c469713da7bb9abc4b8f2e8ac6da

SHA1
e87a23b50b3f3a41c50d62e558153d3a3010a02b

SHA256
3d21285ae1a22e1954c31393ce1a7238054d9a78b5ec7560235261cb99df918d

SHA512
16e7c44c8026016439f2c2eac8ae05a7f0ae6115882897d885837a6f5c37c3b19f5cba53202e691a11e632615d921adb50979077d0e50898cce49d2fbe7bca65

Download Submit
memory/4620-146-0x0000000000F70000-0x0000000000F82000-memory.dmp

Filesize
72KB

Download
memory/4620-147-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4620-148-0x00007FF9A9160000-0x00007FF9A9C21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads