amadey | 8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0

Analysis

max time kernel
149s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/04/2023, 02:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe
Size

1.0MB
MD5

cb03e81c5dc9264c458edb0f1f19147e
SHA1

d10164edc3bbe54792de159764bce813dfa06d54
SHA256

8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0
SHA512

1836b781f5b0ee4568915d5eeaed180eb01a7aba10eb98c2c7ec7879c657f47e9e56e925f42ff75ef4ad7de0d5424453b63341a3b617d3a60a29d164fb470d58
SSDEEP

24576:/y1lJJE3dtYbLAYBHQXvj5JihOPOwR1t9I40:KZJE3+bw/jjihPet9

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

77.91.124.207/plays/chapter/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az186670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az186670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az186670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az186670.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az186670.exe

Executes dropped EXE 5 IoCs

pid	Process
3644	kina9872.exe
4340	kina2020.exe
4900	kina0085.exe
2136	az186670.exe
4208	bu097626.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az186670.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina0085.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina9872.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina9872.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina2020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina2020.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina0085.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3992	4208	WerFault.exe	70
4848	4208	WerFault.exe	70
1936	4208	WerFault.exe	70
2980	4208	WerFault.exe	70
3064	4208	WerFault.exe	70
4764	4208	WerFault.exe	70
4312	4208	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	az186670.exe
2136	az186670.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	az186670.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3644	3664	8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe	66
PID 3664 wrote to memory of 3644	3664	8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe	66
PID 3664 wrote to memory of 3644	3664	8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe	66
PID 3644 wrote to memory of 4340	3644	kina9872.exe	67
PID 3644 wrote to memory of 4340	3644	kina9872.exe	67
PID 3644 wrote to memory of 4340	3644	kina9872.exe	67
PID 4340 wrote to memory of 4900	4340	kina2020.exe	68
PID 4340 wrote to memory of 4900	4340	kina2020.exe	68
PID 4340 wrote to memory of 4900	4340	kina2020.exe	68
PID 4900 wrote to memory of 2136	4900	kina0085.exe	69
PID 4900 wrote to memory of 2136	4900	kina0085.exe	69
PID 4900 wrote to memory of 4208	4900	kina0085.exe	70
PID 4900 wrote to memory of 4208	4900	kina0085.exe	70
PID 4900 wrote to memory of 4208	4900	kina0085.exe	70

C:\Users\Admin\AppData\Local\Temp\8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe
"C:\Users\Admin\AppData\Local\Temp\8190a93648c447f5b81a4f0202fe7b578ab74886c87f452629eaf8bd58160bd0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9872.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9872.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2020.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2020.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0085.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0085.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az186670.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az186670.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu097626.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu097626.exe
        5⤵
        Executes dropped EXE
        
        PID:4208
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 620
        6⤵
        Program crash
        
        PID:3992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 700
        6⤵
        Program crash
        
        PID:4848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 772
        6⤵
        Program crash
        
        PID:1936
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 848
        6⤵
        Program crash
        
        PID:2980
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 884
        6⤵
        Program crash
        
        PID:3064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 772
        6⤵
        Program crash
        
        PID:4764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1072
        6⤵
        Program crash
        
        PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9872.exe

Filesize
919KB

MD5
92d84e406fabd18e132ca5ed812feca7

SHA1
deb06e8859c2ea513b99825d87028961324e3e82

SHA256
bca7aaf69631cccf34c2a2a29636e51604d225283fdf4127f9befb7cbfb325eb

SHA512
afca289c7048b0da6bbb40034ce90a12f8aeb942a7de9a5a20335415e2700606b56679dbbebb24ce661bf9f5d9cacfd14b8bce90446c3973e6bbc8f12cf0250d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina9872.exe

Filesize
919KB

MD5
92d84e406fabd18e132ca5ed812feca7

SHA1
deb06e8859c2ea513b99825d87028961324e3e82

SHA256
bca7aaf69631cccf34c2a2a29636e51604d225283fdf4127f9befb7cbfb325eb

SHA512
afca289c7048b0da6bbb40034ce90a12f8aeb942a7de9a5a20335415e2700606b56679dbbebb24ce661bf9f5d9cacfd14b8bce90446c3973e6bbc8f12cf0250d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2020.exe

Filesize
588KB

MD5
0d2c2dc3e8f1c6c3222ce1186ac7b16f

SHA1
556ad1a1e68c86fc11d6d437d6bd23f6e940a0f0

SHA256
9fc560a45c9873a7c2e708452e758f64b20c7620f1fcd6889dbbc6e3edf1d31f

SHA512
20783d0d73b52350c2e51e11cb693f0c926ee7308f9a878fd8dad4ba85457f64ea07dbfa9a6e3fea3308b30e6ae6009b8c400d44c5cd15fcc6ca01cfaba3cea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina2020.exe

Filesize
588KB

MD5
0d2c2dc3e8f1c6c3222ce1186ac7b16f

SHA1
556ad1a1e68c86fc11d6d437d6bd23f6e940a0f0

SHA256
9fc560a45c9873a7c2e708452e758f64b20c7620f1fcd6889dbbc6e3edf1d31f

SHA512
20783d0d73b52350c2e51e11cb693f0c926ee7308f9a878fd8dad4ba85457f64ea07dbfa9a6e3fea3308b30e6ae6009b8c400d44c5cd15fcc6ca01cfaba3cea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0085.exe

Filesize
315KB

MD5
a85eb4a4761e5d710e482ee7344484e1

SHA1
af8729e6f35f1523825190854181c5821856694c

SHA256
398fa4db4bae5ef0d88df216aff2f5aad765094ec3bd08e30f3c34a15a190342

SHA512
dcf8d21947e415e904281ac2733fd1d5303eb1745ec7dd74116c4bbf1a00a07957d7ea18d5f1bd53cc70e3fdb454aafb877ee94ea95db666ab022a8ae829bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina0085.exe

Filesize
315KB

MD5
a85eb4a4761e5d710e482ee7344484e1

SHA1
af8729e6f35f1523825190854181c5821856694c

SHA256
398fa4db4bae5ef0d88df216aff2f5aad765094ec3bd08e30f3c34a15a190342

SHA512
dcf8d21947e415e904281ac2733fd1d5303eb1745ec7dd74116c4bbf1a00a07957d7ea18d5f1bd53cc70e3fdb454aafb877ee94ea95db666ab022a8ae829bf1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az186670.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az186670.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu097626.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu097626.exe

Filesize
230KB

MD5
54c44f28117c042e00f54b4f44aa89bb

SHA1
3c8668e8500216e31e4e7943dc5dc7a045619dec

SHA256
5ad202f9785ad847380ef33c36d00446a06eadb03bb0c1e7e7e7cc87b6b841f3

SHA512
bbd3037dc11758fb17d1973fd904c99e2c2ad3ff84a94adde9b6e50f5493e55b09fb30bbef825b2dc31debaa6fa7427fe97b7fbb277fa8f79965b2ba36232d4e

Download Submit
memory/2136-147-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/4208-153-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/4208-154-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download