Analysis Overview
SHA256
3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800
Threat Level: Known bad
The file 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 was found to be: Known bad.
Malicious Activity Summary
Amadey family
Amadey
Aurora
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-24 13:24
Signatures
Amadey family
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-24 13:24
Reported
2023-02-24 13:27
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Amadey
Aurora
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000005000\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe
"C:\Users\Admin\AppData\Local\Temp\3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800.exe"
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1eb2f325ea" /P "Admin:N"&&CACLS "..\1eb2f325ea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\1eb2f325ea" /P "Admin:R" /E
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
"C:\Users\Admin\AppData\Roaming\1000005000\bin.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
Network
| Country | Destination | Domain | Proto |
| NL | 193.42.33.28:80 | 193.42.33.28 | tcp |
| NL | 185.246.221.126:80 | 185.246.221.126 | tcp |
| US | 8.8.8.8:53 | 28.33.42.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.221.246.185.in-addr.arpa | udp |
| NL | 212.87.204.93:8081 | N/A | tcp |
| US | 8.8.8.8:53 | 93.204.87.212.in-addr.arpa | udp |
| GB | 51.105.71.137:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1eb2f325ea\mnolyk.exe
| MD5 | 17a8f85f937d8106c020a366d7c6ccb4 |
| SHA1 | 43ef57b2adf9115c51041b5baba5a1565501b1a1 |
| SHA256 | 3f3dadd2a5177fb918eabacc6a433d46f1975dd9c18cc0a7b63e09669625b800 |
| SHA512 | ca6e62269cb5394d92fb291fc7902b639a3e92ba9144e403816265d79b739193572cc15dcaec14a09cf59ba9b9f4f8ed00212e935f7c16a6294ec67ec14c5193 |
C:\Users\Admin\AppData\Roaming\1000005000\bin.exe
| MD5 | af4268c094f2a9c6e6a85f8626b9a5c7 |
| SHA1 | 7d6b6083ec9081f52517cc7952dfb0c1c416e395 |
| SHA256 | 07b974442b53035b8d057a7b429c191fe71f149a698041b005ee85645a89c165 |
| SHA512 | 2ab2d4771841ebbeb195d21697c1708db985ae821a7ed3e2bb050c5759fbdb1e7784354fa5611e377a603a6db437e90a7258ecfcbea7703e584330b91eacac68 |
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 386c014d0948d4fc41afa98cfca9022e |
| SHA1 | 786cc52d9b962f55f92202c7d50c3707eb62607b |
| SHA256 | 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2 |
| SHA512 | 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | 77e31b1123e94ce5720ceb729a425798 |
| SHA1 | 2b65c95f27d8dca23864a3ed4f78490039ae27bf |
| SHA256 | 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85 |
| SHA512 | 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a |