amadey | b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-12-2022 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1883b1cf887b4748bcf5f6fd82a6dce3.exe
Size

342KB
MD5

1883b1cf887b4748bcf5f6fd82a6dce3
SHA1

0027119a3c92b25e6dac059d952c2298de29cc66
SHA256

b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f
SHA512

88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc
SSDEEP

6144:bkXpGtKOhRiO2etLe6ftHYoUJ2Kw4kN4SHyK1tjvoFSDtZQxW:bmpkKOXiO57ftHjJ4xzwWW

Score

10^/10

amadey systembc persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.60

85.209.135.11/gjend7w/index.php

Extracted

Family

systembc

89.22.236.225:4193

176.124.205.5:4193

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

gntuud.exeumciavi32.exe

pid process

612 gntuud.exe
1304 umciavi32.exe

pid	process
612	gntuud.exe
1304	umciavi32.exe

Loads dropped DLL 11 IoCs

Processes:

1883b1cf887b4748bcf5f6fd82a6dce3.exerundll32.exegntuud.exerundll32.exe

pid	process
1048	1883b1cf887b4748bcf5f6fd82a6dce3.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
1976	rundll32.exe
612	gntuud.exe
612	gntuud.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\syncfiles.dll = "rundll32 C:\\Users\\Admin\\1000003062\\syncfiles.dll, rundll"	gntuud.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

rundll32.exe

pid process

1068 rundll32.exe
1068 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1068 rundll32.exe

pid	process
1068	rundll32.exe
1068	rundll32.exe

pid	process
1136	schtasks.exe

pid	process
1068	rundll32.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

1883b1cf887b4748bcf5f6fd82a6dce3.exegntuud.execmd.exerundll32.exe

description	pid	process	target process
PID 1048 wrote to memory of 612	1048	1883b1cf887b4748bcf5f6fd82a6dce3.exe	gntuud.exe
PID 1048 wrote to memory of 612	1048	1883b1cf887b4748bcf5f6fd82a6dce3.exe	gntuud.exe
PID 1048 wrote to memory of 612	1048	1883b1cf887b4748bcf5f6fd82a6dce3.exe	gntuud.exe
PID 1048 wrote to memory of 612	1048	1883b1cf887b4748bcf5f6fd82a6dce3.exe	gntuud.exe
PID 612 wrote to memory of 1136	612	gntuud.exe	schtasks.exe
PID 612 wrote to memory of 1136	612	gntuud.exe	schtasks.exe
PID 612 wrote to memory of 1136	612	gntuud.exe	schtasks.exe
PID 612 wrote to memory of 1136	612	gntuud.exe	schtasks.exe
PID 612 wrote to memory of 1980	612	gntuud.exe	cmd.exe
PID 612 wrote to memory of 1980	612	gntuud.exe	cmd.exe
PID 612 wrote to memory of 1980	612	gntuud.exe	cmd.exe
PID 612 wrote to memory of 1980	612	gntuud.exe	cmd.exe
PID 1980 wrote to memory of 688	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 688	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 688	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 688	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1572	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1572	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1572	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1572	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1844	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1844	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1844	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1844	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 1708	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1708	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1708	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1708	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 768	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 768	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 768	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 768	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 872	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 872	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 872	1980	cmd.exe	cacls.exe
PID 1980 wrote to memory of 872	1980	cmd.exe	cacls.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 612 wrote to memory of 1976	612	gntuud.exe	rundll32.exe
PID 1976 wrote to memory of 1068	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1068	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1068	1976	rundll32.exe	rundll32.exe
PID 1976 wrote to memory of 1068	1976	rundll32.exe	rundll32.exe
PID 612 wrote to memory of 1304	612	gntuud.exe	umciavi32.exe
PID 612 wrote to memory of 1304	612	gntuud.exe	umciavi32.exe
PID 612 wrote to memory of 1304	612	gntuud.exe	umciavi32.exe
PID 612 wrote to memory of 1304	612	gntuud.exe	umciavi32.exe

C:\Users\Admin\AppData\Local\Temp\1883b1cf887b4748bcf5f6fd82a6dce3.exe
"C:\Users\Admin\AppData\Local\Temp\1883b1cf887b4748bcf5f6fd82a6dce3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:688

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:N"
4⤵
PID:1572

C:\Windows\SysWOW64\cacls.exe
CACLS "gntuud.exe" /P "Admin:R" /E
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1708

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:N"
4⤵
PID:768

C:\Windows\SysWOW64\cacls.exe
CACLS "..\acc0b83959" /P "Admin:R" /E
4⤵
PID:872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\1000003062\syncfiles.dll, rundll
4⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1068

C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
"C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe"
3⤵
- Executes dropped EXE
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
342KB

MD5
1883b1cf887b4748bcf5f6fd82a6dce3

SHA1
0027119a3c92b25e6dac059d952c2298de29cc66

SHA256
b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

SHA512
88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
342KB

MD5
1883b1cf887b4748bcf5f6fd82a6dce3

SHA1
0027119a3c92b25e6dac059d952c2298de29cc66

SHA256
b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

SHA512
88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc

Download Submit
C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
Filesize
1.6MB

MD5
69a3014aa137c526dfd131460f458241

SHA1
f0c6afa51de99f657d4d005615d6cb290dca4540

SHA256
35c6d144c1b40b1914e7a16856af6e05eccccae04545bb04716b0f1f186ee7ff

SHA512
132429678f8c1d60eb09a1d7239161bf4232303ad63b8fcee8fa98173721ecb6c8909749153681f738725f2850e969ad12b5c904cd96cfb8fe146d46f246cdac

Download Submit
C:\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
Filesize
1.6MB

MD5
69a3014aa137c526dfd131460f458241

SHA1
f0c6afa51de99f657d4d005615d6cb290dca4540

SHA256
35c6d144c1b40b1914e7a16856af6e05eccccae04545bb04716b0f1f186ee7ff

SHA512
132429678f8c1d60eb09a1d7239161bf4232303ad63b8fcee8fa98173721ecb6c8909749153681f738725f2850e969ad12b5c904cd96cfb8fe146d46f246cdac

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\1000003062\syncfiles.dll
Filesize
6.4MB

MD5
2f781ea76036a17bbd0c0f63be7cff12

SHA1
b9b4c756949a038e87f4efd3569ba12c41a8e810

SHA256
3acc979360b4496d3557182148b005a36f5334ea1b7efc42095c85aa0bf64372

SHA512
c2b89d8be8438b9234a4cfeee4bd46535ec15dbf599c7553b957f0d3a8703fbd9dada2d2baa3b1a25b2bc58907f6db2f271d9d1926cac89d69912fb9e4f83208

Download Submit
\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe
Filesize
342KB

MD5
1883b1cf887b4748bcf5f6fd82a6dce3

SHA1
0027119a3c92b25e6dac059d952c2298de29cc66

SHA256
b50a455b38340055fe28091525b17a3b9de0ed0a3c0a8bb6d8337850ea3bb81f

SHA512
88f56c14b4517b1745e769c9995d3dd5f8ae804cb3ab4e861017a85837b967b88ece92c7cb5a16d50a1cb1d6189f38e75d971b3f28a6f506f061f6ce1d7c2edc

Download Submit
\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
Filesize
1.6MB

MD5
69a3014aa137c526dfd131460f458241

SHA1
f0c6afa51de99f657d4d005615d6cb290dca4540

SHA256
35c6d144c1b40b1914e7a16856af6e05eccccae04545bb04716b0f1f186ee7ff

SHA512
132429678f8c1d60eb09a1d7239161bf4232303ad63b8fcee8fa98173721ecb6c8909749153681f738725f2850e969ad12b5c904cd96cfb8fe146d46f246cdac

Download Submit
\Users\Admin\AppData\Roaming\1000019050\umciavi32.exe
Filesize
1.6MB

MD5
69a3014aa137c526dfd131460f458241

SHA1
f0c6afa51de99f657d4d005615d6cb290dca4540

SHA256
35c6d144c1b40b1914e7a16856af6e05eccccae04545bb04716b0f1f186ee7ff

SHA512
132429678f8c1d60eb09a1d7239161bf4232303ad63b8fcee8fa98173721ecb6c8909749153681f738725f2850e969ad12b5c904cd96cfb8fe146d46f246cdac

Download Submit
memory/612-63-0x00000000001F0000-0x0000000000234000-memory.dmp

Filesize
272KB

Download
memory/612-57-0x0000000000000000-mapping.dmp

Download
memory/688-65-0x0000000000000000-mapping.dmp

Download
memory/768-70-0x0000000000000000-mapping.dmp

Download
memory/872-71-0x0000000000000000-mapping.dmp

Download
memory/1048-59-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1048-54-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1048-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1068-79-0x0000000000000000-mapping.dmp

Download
memory/1068-90-0x000007FEF56E0000-0x000007FEF60DD000-memory.dmp

Filesize
10.0MB

Download
memory/1136-62-0x0000000000000000-mapping.dmp

Download
memory/1304-82-0x0000000000000000-mapping.dmp

Download
memory/1572-66-0x0000000000000000-mapping.dmp

Download
memory/1708-69-0x0000000000000000-mapping.dmp

Download
memory/1844-68-0x0000000000000000-mapping.dmp

Download
memory/1976-72-0x0000000000000000-mapping.dmp

Download
memory/1980-64-0x0000000000000000-mapping.dmp

Download