amadey | 680519f8a1fb07b0c5d9e7479b69814522c8018281db3782cdbc53c68730e4c0

Analysis

max time kernel
152s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09/02/2023, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

526KB
MD5

f1d9bd1d8f4c2932a917233165c8bde9
SHA1

a6488817ce9a198155a83f8a0d0b3c699cbcae70
SHA256

680519f8a1fb07b0c5d9e7479b69814522c8018281db3782cdbc53c68730e4c0
SHA512

1819ae0df65e46d1ed561e6ed48507996201206ac4a38ef1b5bdfba1f8194833a4b26ddf74c351e8c5c176b16a8119a05115de7a7beab844fe65ea05cc267eb2
SSDEEP

12288:wMrcy90P0TAOg0Z6sLmxyLYbWmhHe7FVNFF7r9j+XT:8yDZ+syCYbWmH0FJOD

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.4/Gol478Ns/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	nika.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	aAxl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	nika.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	nika.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	xriv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Executes dropped EXE 6 IoCs

pid	Process
4092	bAxg.exe
3996	aAxl.exe
3508	nika.exe
2160	xriv.exe
404	mnolyk.exe
2652	mnolyk.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	aAxl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	nika.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bAxg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	bAxg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3640	3996	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3996	aAxl.exe
3996	aAxl.exe
3508	nika.exe
3508	nika.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3996	aAxl.exe
Token: SeDebugPrivilege	3508	nika.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4092	4180	file.exe	80
PID 4180 wrote to memory of 4092	4180	file.exe	80
PID 4180 wrote to memory of 4092	4180	file.exe	80
PID 4092 wrote to memory of 3996	4092	bAxg.exe	81
PID 4092 wrote to memory of 3996	4092	bAxg.exe	81
PID 4092 wrote to memory of 3996	4092	bAxg.exe	81
PID 4092 wrote to memory of 3508	4092	bAxg.exe	87
PID 4092 wrote to memory of 3508	4092	bAxg.exe	87
PID 4180 wrote to memory of 2160	4180	file.exe	88
PID 4180 wrote to memory of 2160	4180	file.exe	88
PID 4180 wrote to memory of 2160	4180	file.exe	88
PID 2160 wrote to memory of 404	2160	xriv.exe	89
PID 2160 wrote to memory of 404	2160	xriv.exe	89
PID 2160 wrote to memory of 404	2160	xriv.exe	89
PID 404 wrote to memory of 3576	404	mnolyk.exe	90
PID 404 wrote to memory of 3576	404	mnolyk.exe	90
PID 404 wrote to memory of 3576	404	mnolyk.exe	90
PID 404 wrote to memory of 4472	404	mnolyk.exe	92
PID 404 wrote to memory of 4472	404	mnolyk.exe	92
PID 404 wrote to memory of 4472	404	mnolyk.exe	92
PID 4472 wrote to memory of 1156	4472	cmd.exe	94
PID 4472 wrote to memory of 1156	4472	cmd.exe	94
PID 4472 wrote to memory of 1156	4472	cmd.exe	94
PID 4472 wrote to memory of 3292	4472	cmd.exe	95
PID 4472 wrote to memory of 3292	4472	cmd.exe	95
PID 4472 wrote to memory of 3292	4472	cmd.exe	95
PID 4472 wrote to memory of 2268	4472	cmd.exe	96
PID 4472 wrote to memory of 2268	4472	cmd.exe	96
PID 4472 wrote to memory of 2268	4472	cmd.exe	96
PID 4472 wrote to memory of 4232	4472	cmd.exe	97
PID 4472 wrote to memory of 4232	4472	cmd.exe	97
PID 4472 wrote to memory of 4232	4472	cmd.exe	97
PID 4472 wrote to memory of 3380	4472	cmd.exe	98
PID 4472 wrote to memory of 3380	4472	cmd.exe	98
PID 4472 wrote to memory of 3380	4472	cmd.exe	98
PID 4472 wrote to memory of 3132	4472	cmd.exe	99
PID 4472 wrote to memory of 3132	4472	cmd.exe	99
PID 4472 wrote to memory of 3132	4472	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAxg.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAxg.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAxl.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAxl.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1080
      4⤵
      Program crash
      PID:3640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
    "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1156
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        5⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        5⤵
        
        PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4232
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\4b9a106e76" /P "Admin:N"
        5⤵
        
        PID:3380
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\4b9a106e76" /P "Admin:R" /E
        5⤵
        
        PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3996 -ip 3996
1⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:2652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAxg.exe

Filesize
339KB

MD5
65f177cff95dab6d02895eb2f0d2fc69

SHA1
74f99bc2c61de46084ab1956a940e00a71252529

SHA256
7fd1535c5db6789902c632c15ffa2fbb24aa188bf99d88dab816fb41d8009a23

SHA512
bdece4c32b61360e8b5a0e5faf45e98ac5076e2c71873472664eebacb99c673ad076257e022810727c79a632e67095df7ea828bd7a01d27c5172d43ea381239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\bAxg.exe

Filesize
339KB

MD5
65f177cff95dab6d02895eb2f0d2fc69

SHA1
74f99bc2c61de46084ab1956a940e00a71252529

SHA256
7fd1535c5db6789902c632c15ffa2fbb24aa188bf99d88dab816fb41d8009a23

SHA512
bdece4c32b61360e8b5a0e5faf45e98ac5076e2c71873472664eebacb99c673ad076257e022810727c79a632e67095df7ea828bd7a01d27c5172d43ea381239e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xriv.exe

Filesize
236KB

MD5
8bb923c4d81284daef7896e5682df6c6

SHA1
67e34a96b77e44b666c5479f540995bdeacf5de2

SHA256
9b0410052289a8416a458401fbb9a74d6361f4769465431b209f32151d7c6f21

SHA512
2daed03277a343db5fcb22e26baea5cda41de39dc825fe0aad51f6ec181b8f38f09427f27fb58ffd179f37032600d107ef772cc6275f7d0d62899c6cd3f8aff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAxl.exe

Filesize
261KB

MD5
93f60e9827c5e8f115d0c9696f49514f

SHA1
445aa14face5e4e7a55eb828562e86fcbf7c66ad

SHA256
f49c5ce742a6680dd2a996b945640e70fd85307cc3f884f66b4497db3cf23578

SHA512
96d222cdadc156b1c0412cd4f1d7639e0c7db6609df9501080706fb885960982aeb12293c32c5d87f808934b50e09235c7a59222296accca58a70e9490c610aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aAxl.exe

Filesize
261KB

MD5
93f60e9827c5e8f115d0c9696f49514f

SHA1
445aa14face5e4e7a55eb828562e86fcbf7c66ad

SHA256
f49c5ce742a6680dd2a996b945640e70fd85307cc3f884f66b4497db3cf23578

SHA512
96d222cdadc156b1c0412cd4f1d7639e0c7db6609df9501080706fb885960982aeb12293c32c5d87f808934b50e09235c7a59222296accca58a70e9490c610aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nika.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/3508-149-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download
memory/3508-150-0x00007FFC3A620000-0x00007FFC3B0E1000-memory.dmp

Filesize
10.8MB

Download
memory/3508-151-0x00007FFC3A620000-0x00007FFC3B0E1000-memory.dmp

Filesize
10.8MB

Download
memory/3508-152-0x00007FFC3A620000-0x00007FFC3B0E1000-memory.dmp

Filesize
10.8MB

Download
memory/3996-145-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/3996-144-0x0000000000834000-0x0000000000854000-memory.dmp

Filesize
128KB

Download
memory/3996-143-0x00000000021D0000-0x00000000021FD000-memory.dmp

Filesize
180KB

Download
memory/3996-142-0x0000000000834000-0x0000000000854000-memory.dmp

Filesize
128KB

Download
memory/3996-141-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/3996-140-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/3996-139-0x00000000021D0000-0x00000000021FD000-memory.dmp

Filesize
180KB

Download
memory/3996-138-0x0000000000834000-0x0000000000854000-memory.dmp

Filesize
128KB

Download