amadey | ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590

Analysis

max time kernel
142s
max time network
78s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11-04-2023 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe
Size

1.0MB
MD5

5c1d0e35bf1d5e854a8e4776d1786bc2
SHA1

61bb31fdca532e414f0230c9ac7c4058d17ba56f
SHA256

ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590
SHA512

8427abb197b54b0b27fae4b1e1b308b956c7d5fe1aca396302e8586947b1b9edad963c758e9119ca62b9be439eb6c9162fe87e7fe6c9cc3a4640e4447668bbd0
SSDEEP

24576:Py8/21RpGSYgv9OwDsneU8gpoi5uG+jh4DOOOMXwP6:asEp559yN6i5uDl4yFP

Score

10^/10

amadey evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

77.91.124.207/plays/chapter/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az455780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az455780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az455780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az455780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az455780.exe

Executes dropped EXE 5 IoCs

pid	Process
2132	kina1194.exe
2296	kina0812.exe
2592	kina1323.exe
2676	az455780.exe
1480	bu211062.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az455780.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	kina1194.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina0812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	kina0812.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	kina1323.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	kina1323.exe

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4576	1480	WerFault.exe	70
2696	1480	WerFault.exe	70
1292	1480	WerFault.exe	70
2328	1480	WerFault.exe	70
3076	1480	WerFault.exe	70
376	1480	WerFault.exe	70
3492	1480	WerFault.exe	70

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	az455780.exe
2676	az455780.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	az455780.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 2132	1920	ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe	66
PID 1920 wrote to memory of 2132	1920	ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe	66
PID 1920 wrote to memory of 2132	1920	ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe	66
PID 2132 wrote to memory of 2296	2132	kina1194.exe	67
PID 2132 wrote to memory of 2296	2132	kina1194.exe	67
PID 2132 wrote to memory of 2296	2132	kina1194.exe	67
PID 2296 wrote to memory of 2592	2296	kina0812.exe	68
PID 2296 wrote to memory of 2592	2296	kina0812.exe	68
PID 2296 wrote to memory of 2592	2296	kina0812.exe	68
PID 2592 wrote to memory of 2676	2592	kina1323.exe	69
PID 2592 wrote to memory of 2676	2592	kina1323.exe	69
PID 2592 wrote to memory of 1480	2592	kina1323.exe	70
PID 2592 wrote to memory of 1480	2592	kina1323.exe	70
PID 2592 wrote to memory of 1480	2592	kina1323.exe	70

C:\Users\Admin\AppData\Local\Temp\ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe
"C:\Users\Admin\AppData\Local\Temp\ee511ca7cc073f574952f5894adc8028b701c7caba506b7895f06702e3a28590.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1194.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1194.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina0812.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina0812.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina1323.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina1323.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az455780.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az455780.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu211062.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu211062.exe
        5⤵
        Executes dropped EXE
        
        PID:1480
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 616
        6⤵
        Program crash
        
        PID:4576
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 708
        6⤵
        Program crash
        
        PID:2696
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 796
        6⤵
        Program crash
        
        PID:1292
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 844
        6⤵
        Program crash
        
        PID:2328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 872
        6⤵
        Program crash
        
        PID:3076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 876
        6⤵
        Program crash
        
        PID:376
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1080
        6⤵
        Program crash
        
        PID:3492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1194.exe

Filesize
920KB

MD5
9c3c4377b4832d384bb00f8d30821b3e

SHA1
7b538778c758aedd2eb8f4a5274b53fcfe720f60

SHA256
9b027faa03ed8fd518dfc66e82eb7708f3780765780736337cfa58aa0402323c

SHA512
34cf96500e287ab3de217897c00cdfcd406c072bb0c537737e0a435f0e9e03831bdfd727a53afa56080006be59b45763689ce4ee4613f638da348df53d309bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kina1194.exe

Filesize
920KB

MD5
9c3c4377b4832d384bb00f8d30821b3e

SHA1
7b538778c758aedd2eb8f4a5274b53fcfe720f60

SHA256
9b027faa03ed8fd518dfc66e82eb7708f3780765780736337cfa58aa0402323c

SHA512
34cf96500e287ab3de217897c00cdfcd406c072bb0c537737e0a435f0e9e03831bdfd727a53afa56080006be59b45763689ce4ee4613f638da348df53d309bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina0812.exe

Filesize
588KB

MD5
a1cb0fa5a37553ae7ed64f06208b9b23

SHA1
ad46b24c12f0ff399691466138b6bf5e7a0a460b

SHA256
c928e52682161b5b4558bdbae11c92c127a8b3a24b730e45c180ea634d125eea

SHA512
3b35ba38588f6462df3427f1918fda112f009a026afcad66f63f6773df4d70776ac8177ce8b56a53d67372b097bebc041731558f536ebf575b5e37023fe7f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kina0812.exe

Filesize
588KB

MD5
a1cb0fa5a37553ae7ed64f06208b9b23

SHA1
ad46b24c12f0ff399691466138b6bf5e7a0a460b

SHA256
c928e52682161b5b4558bdbae11c92c127a8b3a24b730e45c180ea634d125eea

SHA512
3b35ba38588f6462df3427f1918fda112f009a026afcad66f63f6773df4d70776ac8177ce8b56a53d67372b097bebc041731558f536ebf575b5e37023fe7f354

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina1323.exe

Filesize
315KB

MD5
cf61754a2d4e32ae1280f135f4111abd

SHA1
8c4d92b662fcb1c918b3ab027ccd6ab59e8bebde

SHA256
69778f39155095e8eca519df80a861dbc56d5ccf4833d31f9d07a0caab286216

SHA512
36e95eda862219cc7ce57f64a53234964f7584d67eadc9aac866c59db50328a558214ca8f97108a35e00158ad189b3f005a7e61b4e454a0a1fbccca98f455a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kina1323.exe

Filesize
315KB

MD5
cf61754a2d4e32ae1280f135f4111abd

SHA1
8c4d92b662fcb1c918b3ab027ccd6ab59e8bebde

SHA256
69778f39155095e8eca519df80a861dbc56d5ccf4833d31f9d07a0caab286216

SHA512
36e95eda862219cc7ce57f64a53234964f7584d67eadc9aac866c59db50328a558214ca8f97108a35e00158ad189b3f005a7e61b4e454a0a1fbccca98f455a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az455780.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az455780.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu211062.exe

Filesize
231KB

MD5
8f72e39dc917ec2036dc9f331f9a536f

SHA1
e1c13d690c796c8824777adacaf2be4204ce0f97

SHA256
173a4511cff68489f4aa2e141441f87ac3692ebb24f9771b46d6034b5970a3e3

SHA512
b38fa982bf6427ab6b844896e87e652209ab7d9adf1311bfd740b5b4f428185837cc6d520ec5ac687e5b07bf4fd88ed1105a51a8dcdf450c10a34c09dc3ecc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu211062.exe

Filesize
231KB

MD5
8f72e39dc917ec2036dc9f331f9a536f

SHA1
e1c13d690c796c8824777adacaf2be4204ce0f97

SHA256
173a4511cff68489f4aa2e141441f87ac3692ebb24f9771b46d6034b5970a3e3

SHA512
b38fa982bf6427ab6b844896e87e652209ab7d9adf1311bfd740b5b4f428185837cc6d520ec5ac687e5b07bf4fd88ed1105a51a8dcdf450c10a34c09dc3ecc29

Download Submit
memory/1480-155-0x0000000000580000-0x00000000005BB000-memory.dmp

Filesize
236KB

Download
memory/1480-156-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2676-149-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download