amadey | b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb

Analysis

max time kernel
143s
max time network
81s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/04/2023, 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe
Size

1.0MB
MD5

f872f10c3f011bf21b40036f124e68bf
SHA1

e167922da9a015b35b502474da387b961a20068a
SHA256

b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb
SHA512

5528fd313e3e5cbbd93279eead271b10845059f51f99ca7e5ede390133ca1c5d1f73f23f8265e74a68871fd7037319ddafd7e8eef04ad3eb450c6398a2b97550
SSDEEP

24576:gyF9l3umRugBsYUSGJG6saWzMGNoOjNyxrNukOkaQTc7pvfi9:nFtIRYUSGJGlahGmOZ4Al3py

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

77.91.124.207/plays/chapter/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az156012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az156012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az156012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az156012.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az156012.exe

Executes dropped EXE 5 IoCs

pid	Process
3364	kina3777.exe
4236	kina7106.exe
4112	kina6677.exe
1448	az156012.exe
4720	bu352876.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az156012.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina3777.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina3777.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina7106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina7106.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina6677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina6677.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2608	4720	WerFault.exe	70
4324	4720	WerFault.exe	70
1548	4720	WerFault.exe	70
1388	4720	WerFault.exe	70
4844	4720	WerFault.exe	70
3996	4720	WerFault.exe	70
3956	4720	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1448	az156012.exe
1448	az156012.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	az156012.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3364	4044	b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe	66
PID 4044 wrote to memory of 3364	4044	b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe	66
PID 4044 wrote to memory of 3364	4044	b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe	66
PID 3364 wrote to memory of 4236	3364	kina3777.exe	67
PID 3364 wrote to memory of 4236	3364	kina3777.exe	67
PID 3364 wrote to memory of 4236	3364	kina3777.exe	67
PID 4236 wrote to memory of 4112	4236	kina7106.exe	68
PID 4236 wrote to memory of 4112	4236	kina7106.exe	68
PID 4236 wrote to memory of 4112	4236	kina7106.exe	68
PID 4112 wrote to memory of 1448	4112	kina6677.exe	69
PID 4112 wrote to memory of 1448	4112	kina6677.exe	69
PID 4112 wrote to memory of 4720	4112	kina6677.exe	70
PID 4112 wrote to memory of 4720	4112	kina6677.exe	70
PID 4112 wrote to memory of 4720	4112	kina6677.exe	70

C:\Users\Admin\AppData\Local\Temp\b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe
"C:\Users\Admin\AppData\Local\Temp\b164b8f7ba15bbe31200de80621f8fae155a2668cb62d7aa6d958b90c97673fb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3777.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3777.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7106.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7106.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6677.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6677.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az156012.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az156012.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu352876.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu352876.exe
        5⤵
        Executes dropped EXE
        
        PID:4720
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 620
        6⤵
        Program crash
        
        PID:2608
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 700
        6⤵
        Program crash
        
        PID:4324
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 800
        6⤵
        Program crash
        
        PID:1548
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 848
        6⤵
        Program crash
        
        PID:1388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 884
        6⤵
        Program crash
        
        PID:4844
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 860
        6⤵
        Program crash
        
        PID:3996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1064
        6⤵
        Program crash
        
        PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3777.exe

Filesize
920KB

MD5
7a864821b991a38f92f539534df308c1

SHA1
7a985c44e368f79d8bce5a2ddeb8a048cc6be336

SHA256
62fd4c80644fb3d7ba52ecbbc3003da149ecb75200522bd75a2c7f70808b089f

SHA512
8762916b340cdc62be8618426f6c1038bfd8e42a07910064981f3abc2d95c33c37316cc1eb8a90ad04821df896672f86efe9168a2549eaed623205102e3b5ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina3777.exe

Filesize
920KB

MD5
7a864821b991a38f92f539534df308c1

SHA1
7a985c44e368f79d8bce5a2ddeb8a048cc6be336

SHA256
62fd4c80644fb3d7ba52ecbbc3003da149ecb75200522bd75a2c7f70808b089f

SHA512
8762916b340cdc62be8618426f6c1038bfd8e42a07910064981f3abc2d95c33c37316cc1eb8a90ad04821df896672f86efe9168a2549eaed623205102e3b5ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7106.exe

Filesize
588KB

MD5
c3ff50e363286f85c7b39eca82d13650

SHA1
bb27d3a3c1e1854bb294af6c730f4ead331fc146

SHA256
2ab77b039c326d195ab202b9e6582b9c9a7ddb02e98dee8369ab5e6bc755819e

SHA512
90b2e0536d6d6d034a28747a1bd615aafe4075eae91865d0cf3af2cf8addf0c41c0304def30623403510024251fbdcc0deac74a40ef2ddfc3c58a61f06eb19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina7106.exe

Filesize
588KB

MD5
c3ff50e363286f85c7b39eca82d13650

SHA1
bb27d3a3c1e1854bb294af6c730f4ead331fc146

SHA256
2ab77b039c326d195ab202b9e6582b9c9a7ddb02e98dee8369ab5e6bc755819e

SHA512
90b2e0536d6d6d034a28747a1bd615aafe4075eae91865d0cf3af2cf8addf0c41c0304def30623403510024251fbdcc0deac74a40ef2ddfc3c58a61f06eb19a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6677.exe

Filesize
315KB

MD5
9bd6ebd3525cbb039c279d6f180ea6c9

SHA1
092f67f5f17f5c005a120e05fde3e3aba564cfe6

SHA256
667c5961b20a3da3fdff7e30d41b4b5db567500769805ef0f7deb0c8ff821179

SHA512
4a7df50e94b13724b02e7c7b75c3626aa715166a935539fd7209187c62da74b3aae295d21000d884f710c2bb3d6432821a9f53d1bc7bf1da4eda0200df8fd936

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina6677.exe

Filesize
315KB

MD5
9bd6ebd3525cbb039c279d6f180ea6c9

SHA1
092f67f5f17f5c005a120e05fde3e3aba564cfe6

SHA256
667c5961b20a3da3fdff7e30d41b4b5db567500769805ef0f7deb0c8ff821179

SHA512
4a7df50e94b13724b02e7c7b75c3626aa715166a935539fd7209187c62da74b3aae295d21000d884f710c2bb3d6432821a9f53d1bc7bf1da4eda0200df8fd936

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az156012.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az156012.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu352876.exe

Filesize
230KB

MD5
4be9d89cb3308ce100c56b5bdbccafac

SHA1
274f57114096a555ece5bcd983fd670f4f971ece

SHA256
9f5400b19dabef76d3c52058cb5709d323dfd42387cc2202cde0e92016e3bdc9

SHA512
1095ae9191de62663ce440bc9adfab1ea609c1458d547e43ec309561fde518f45f0820bb699f0c9a771cc9c3a2703b86086a3767c5e2d10bf829f2a668f8175f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu352876.exe

Filesize
230KB

MD5
4be9d89cb3308ce100c56b5bdbccafac

SHA1
274f57114096a555ece5bcd983fd670f4f971ece

SHA256
9f5400b19dabef76d3c52058cb5709d323dfd42387cc2202cde0e92016e3bdc9

SHA512
1095ae9191de62663ce440bc9adfab1ea609c1458d547e43ec309561fde518f45f0820bb699f0c9a771cc9c3a2703b86086a3767c5e2d10bf829f2a668f8175f

Download Submit
memory/1448-149-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/4720-155-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/4720-156-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download