Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16/04/2023, 02:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    cf6b130371b463c7fdf9f034cb22814a751be6bb19aa6a45ec60df1a5172c5f8.exe

  • Size

    949KB

  • MD5

    249aa911314db4acc06e2bf769a7d360

  • SHA1

    2e8cccd32532ccacb56e7df74deffdf787597800

  • SHA256

    cf6b130371b463c7fdf9f034cb22814a751be6bb19aa6a45ec60df1a5172c5f8

  • SHA512

    7b336829bb6b72a154c7ec40105197471f39e2df754db1f798caff975aba0fbbfe9b37fc739d006bd84adf949680080c01eb5ea61a19128ed88d59d3508daa23

  • SSDEEP

    24576:tyTpuSXnYgzIrdjAlZqFF8tz2zQUhABs33EhC/yXq9c:ITpuanYSIBOqNdnEhC/EU

Score
10/10
amadeydiscoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cf6b130371b463c7fdf9f034cb22814a751be6bb19aa6a45ec60df1a5172c5f8.exe
    "C:\Users\Admin\AppData\Local\Temp\cf6b130371b463c7fdf9f034cb22814a751be6bb19aa6a45ec60df1a5172c5f8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDZ9660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDZ9660.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigY5924.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigY5924.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2392
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it794600.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it794600.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2848
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr834077.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr834077.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4156
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp980402.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp980402.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3756
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475333.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475333.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:2540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 620
        3⤵
        • Program crash
        PID:1676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 700
        3⤵
        • Program crash
        PID:3996
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 840
        3⤵
        • Program crash
        PID:2380
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 848
        3⤵
        • Program crash
        PID:2408
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 876
        3⤵
        • Program crash
        PID:4140
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 824
        3⤵
        • Program crash
        PID:4152
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1128
        3⤵
        • Program crash
        PID:4724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1152
        3⤵
        • Program crash
        PID:1512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1216
        3⤵
        • Program crash
        PID:4836

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475333.exe
          Filesize

          390KB

          MD5

          5ed9270ca56d41db87987823290dfa15

          SHA1

          89f81232efb22eb536efd30fa52ed8710601b592

          SHA256

          74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054

          SHA512

          e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr475333.exe
          Filesize

          390KB

          MD5

          5ed9270ca56d41db87987823290dfa15

          SHA1

          89f81232efb22eb536efd30fa52ed8710601b592

          SHA256

          74c8d2e808ec0734e30d03e29b9a17b020bdbe85b6584c1aa501ba892ae4a054

          SHA512

          e612b392272b0b6cf27582286e1ac92a5609bb51f72af0c8acdb489ad6e3ab1ecba5470cf391015dab06dc67c01726da60f3bc9da68dfd3e2f84b2716443d4b1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDZ9660.exe
          Filesize

          623KB

          MD5

          218dcdadd942c04a2e77db968aae7246

          SHA1

          798497558440e6d8cb480b58ab00f2754d32e115

          SHA256

          1dedec417c29d789ac22b3cde7be2e235fe83591b542023cba21132b198b5134

          SHA512

          ee5a59ee7c55ce46b2199361418ef90ed88cebe6125c21ed68882766bcc1f3a82ddde79273229065873cc9498bf7723826ba4db1f3892d0389a6ea5a507ecf91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDZ9660.exe
          Filesize

          623KB

          MD5

          218dcdadd942c04a2e77db968aae7246

          SHA1

          798497558440e6d8cb480b58ab00f2754d32e115

          SHA256

          1dedec417c29d789ac22b3cde7be2e235fe83591b542023cba21132b198b5134

          SHA512

          ee5a59ee7c55ce46b2199361418ef90ed88cebe6125c21ed68882766bcc1f3a82ddde79273229065873cc9498bf7723826ba4db1f3892d0389a6ea5a507ecf91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp980402.exe
          Filesize

          136KB

          MD5

          c1d5cc0ec04d3a332ea6011c434b5016

          SHA1

          5396c2e7387e7113f3320486d7fa2e3586142b5a

          SHA256

          85d325811a622b53778852622266c06e3ad285f2ac883af73384f1c9510cc021

          SHA512

          e2dc724c2db2cb148947f681870aba850a9b733c9f788542cd3e9df0796664ccdd48ff5e2b50b3446ebc6a9a4fe8b882a7ddcce71f0e9e1fd29b2c798a3dc8fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp980402.exe
          Filesize

          136KB

          MD5

          c1d5cc0ec04d3a332ea6011c434b5016

          SHA1

          5396c2e7387e7113f3320486d7fa2e3586142b5a

          SHA256

          85d325811a622b53778852622266c06e3ad285f2ac883af73384f1c9510cc021

          SHA512

          e2dc724c2db2cb148947f681870aba850a9b733c9f788542cd3e9df0796664ccdd48ff5e2b50b3446ebc6a9a4fe8b882a7ddcce71f0e9e1fd29b2c798a3dc8fc

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigY5924.exe
          Filesize

          468KB

          MD5

          59cf6c4eee7939dd5be8b18456f7e60e

          SHA1

          bf2ff87bf231bbf8cdfbcaa942aad3297bd721dd

          SHA256

          99ef0daac610b7ef8eb74a4a8de56c611eeaea5e972d88fbac496e17b4cd46b6

          SHA512

          0b00b6a4186a465dbbe968f1a244debfd37e98a0625b8dd0f9e06f7aa6265cd6893925fb673667371a4c6ee82266e28a5abf42a1566f9d8feeb9f1b13b2a551a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zigY5924.exe
          Filesize

          468KB

          MD5

          59cf6c4eee7939dd5be8b18456f7e60e

          SHA1

          bf2ff87bf231bbf8cdfbcaa942aad3297bd721dd

          SHA256

          99ef0daac610b7ef8eb74a4a8de56c611eeaea5e972d88fbac496e17b4cd46b6

          SHA512

          0b00b6a4186a465dbbe968f1a244debfd37e98a0625b8dd0f9e06f7aa6265cd6893925fb673667371a4c6ee82266e28a5abf42a1566f9d8feeb9f1b13b2a551a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it794600.exe
          Filesize

          12KB

          MD5

          43bddf9e7df9a9f934b5e67af09d078c

          SHA1

          851fdeb93b24556b99857931b9464db15b54d680

          SHA256

          fa373044d6907da276faa5d0cfd91f0dbf195a497dbbd8020d99142f191625f8

          SHA512

          024e40f715edddb234a5d4eaf7a3c59545e18580447b12a2d97659d32a610a7a53553461facc87b2a8d729e8713c278c24d3bf82c18086323ea72ccf4942089d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it794600.exe
          Filesize

          12KB

          MD5

          43bddf9e7df9a9f934b5e67af09d078c

          SHA1

          851fdeb93b24556b99857931b9464db15b54d680

          SHA256

          fa373044d6907da276faa5d0cfd91f0dbf195a497dbbd8020d99142f191625f8

          SHA512

          024e40f715edddb234a5d4eaf7a3c59545e18580447b12a2d97659d32a610a7a53553461facc87b2a8d729e8713c278c24d3bf82c18086323ea72ccf4942089d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr834077.exe
          Filesize

          481KB

          MD5

          8a18a6a6a6a1eb60e66ddd605815d810

          SHA1

          3bdb5c0d677fcfa9042f4867188a237c9b85ddd6

          SHA256

          5586ebdc7ae1d319a31b7cc6b6da7357cb2a12a5f389caedc142e4b4bb61409a

          SHA512

          f42e07948f071465ed2d94f3ea2bdd39971c7faf4f1af1c1b7b1c7d39728b78b5dfb73c92a18770c552ea7b818588e3be988d5c1dd7a925ad186df69ac8fae91

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr834077.exe
          Filesize

          481KB

          MD5

          8a18a6a6a6a1eb60e66ddd605815d810

          SHA1

          3bdb5c0d677fcfa9042f4867188a237c9b85ddd6

          SHA256

          5586ebdc7ae1d319a31b7cc6b6da7357cb2a12a5f389caedc142e4b4bb61409a

          SHA512

          f42e07948f071465ed2d94f3ea2bdd39971c7faf4f1af1c1b7b1c7d39728b78b5dfb73c92a18770c552ea7b818588e3be988d5c1dd7a925ad186df69ac8fae91

          Download Submit

        • memory/2540-974-0x00000000008E0000-0x000000000091B000-memory.dmp

          Filesize

          236KB

          Download

        • memory/2848-142-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3756-966-0x0000000000770000-0x0000000000798000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3756-967-0x0000000007510000-0x000000000755B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/3756-968-0x0000000007840000-0x0000000007850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4156-182-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-202-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-154-0x00000000052C0000-0x00000000052FA000-memory.dmp

          Filesize

          232KB

          Download

        • memory/4156-155-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-156-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-158-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-160-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-162-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-166-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-164-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-168-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-170-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-172-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-174-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-176-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-178-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-180-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-153-0x0000000004DC0000-0x00000000052BE000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/4156-184-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-186-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-188-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-192-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-190-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-194-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-196-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-198-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-200-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-152-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4156-204-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-206-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-208-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-210-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-212-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-214-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-216-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-218-0x00000000052C0000-0x00000000052F5000-memory.dmp

          Filesize

          212KB

          Download

        • memory/4156-947-0x0000000007DD0000-0x00000000083D6000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4156-948-0x0000000007850000-0x0000000007862000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4156-949-0x0000000007880000-0x000000000798A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4156-950-0x00000000079A0000-0x00000000079DE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4156-951-0x0000000007A20000-0x0000000007A6B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4156-952-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4156-953-0x0000000007CB0000-0x0000000007D16000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4156-954-0x0000000008970000-0x0000000008A02000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4156-955-0x0000000008A20000-0x0000000008A96000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4156-151-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4156-150-0x00000000027A0000-0x00000000027B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4156-149-0x0000000000940000-0x0000000000986000-memory.dmp

          Filesize

          280KB

          Download

        • memory/4156-148-0x00000000025C0000-0x00000000025FC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4156-956-0x0000000008AD0000-0x0000000008AEE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4156-957-0x0000000008BB0000-0x0000000008D72000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4156-958-0x0000000008D80000-0x00000000092AC000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4156-959-0x00000000027F0000-0x0000000002840000-memory.dmp

          Filesize

          320KB

          Download