Analysis

  • max time kernel
    112s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/01/2023, 09:26

General

  • Target

    ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe

  • Size

    235KB

  • MD5

    ebd584e9c1a400cd5d4bafa0e7936468

  • SHA1

    d263c62902326425ed17855d49d35003abcd797b

  • SHA256

    ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b

  • SHA512

    e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

  • SSDEEP

    6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ

Malware Config

Extracted

  • Family
    amadey
  • Version
    3.66
  • C2
    62.204.41.88/9vdVVVjsw/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Downloads MZ/PE file
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (15 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoC)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe
    "C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
      "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1480
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:628
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:1120
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "nbveek.exe" /P "Admin:N"
          4⤵
          PID:1968
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "nbveek.exe" /P "Admin:R" /E
          4⤵
          PID:1688
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:524
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "..\9e0894bcc4" /P "Admin:N"
          4⤵
          PID:1684
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "..\9e0894bcc4" /P "Admin:R" /E
          4⤵
          PID:1164
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1904
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1000
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1000 -s 344
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1100
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
        3⤵
        • Loads dropped DLL
        PID:2020
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {283DE68E-682B-43D2-AFA9-6BCD494B02DF} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
      C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
      2⤵
      • Executes dropped EXE
      PID:1072
    • C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
      C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
      2⤵
      • Executes dropped EXE
      PID:964

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
    Filesize
      235KB
    MD5
      ebd584e9c1a400cd5d4bafa0e7936468
    SHA1
      d263c62902326425ed17855d49d35003abcd797b
    SHA256
      ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
    SHA512
      e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize
      89KB
    MD5
      e1fe62c436de6b2c3bf0fd32e0f779c1
    SHA1
      dbaadf172ed878592ae299e27eb98e2614b7b36b
    SHA256
      3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
    SHA512
      e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

  • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
    Filesize
      1.0MB
    MD5
      d1eb5caae43e95e1f369ca373a5e192d
    SHA1
      bafa865f8f2cb5bddf951357e70af9fb011d6ac2
    SHA256
      cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
    SHA512
      e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

  • \Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe
    Filesize
      235KB
    MD5
      ebd584e9c1a400cd5d4bafa0e7936468
    SHA1
      d263c62902326425ed17855d49d35003abcd797b
    SHA256
      ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
    SHA512
      e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010

  • \Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
    Filesize
      89KB
    MD5
      e1fe62c436de6b2c3bf0fd32e0f779c1
    SHA1
      dbaadf172ed878592ae299e27eb98e2614b7b36b
    SHA256
      3492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
    SHA512
      e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee

  • \Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
    Filesize
      1.0MB
    MD5
      d1eb5caae43e95e1f369ca373a5e192d
    SHA1
      bafa865f8f2cb5bddf951357e70af9fb011d6ac2
    SHA256
      cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
    SHA512
      e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a

  • memory/1108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp
    Filesize
      8KB