Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    94s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/04/2023, 02:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1f11ac69bf303e1859b93870461eb4f1c5d8dc3e673baabb20de3aa1917d1970.exe

  • Size

    952KB

  • MD5

    61cd0d501349d416cefb89e186a8a590

  • SHA1

    e8ea21acdfea55be1ce8fa43858e330ee06d59fe

  • SHA256

    1f11ac69bf303e1859b93870461eb4f1c5d8dc3e673baabb20de3aa1917d1970

  • SHA512

    21dcc770a6b679b9c87157091f14ba928116b50c0a983adad777b7930097a4bff642fefc3e87b8996f723a75bdaa966d515749ff08d4c64898e9e4efabeca8af

  • SSDEEP

    24576:9yI+4g+kKR5mwq9CKCAodA4ppZXaTMPaNBcA/2Z1p:Yc3fmJUzAo5rYqQA

Score
10/10
amadeydiscoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1f11ac69bf303e1859b93870461eb4f1c5d8dc3e673baabb20de3aa1917d1970.exe
    "C:\Users\Admin\AppData\Local\Temp\1f11ac69bf303e1859b93870461eb4f1c5d8dc3e673baabb20de3aa1917d1970.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisO8839.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisO8839.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZI0220.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZI0220.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it139336.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it139336.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4876
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr765399.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr765399.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp518023.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp518023.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr050917.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr050917.exe
      2⤵
      • Executes dropped EXE
      PID:4084
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 192
        3⤵
        • Program crash
        PID:428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 700
        3⤵
        • Program crash
        PID:2496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 836
        3⤵
        • Program crash
        PID:4872
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 848
        3⤵
        • Program crash
        PID:3552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 884
        3⤵
        • Program crash
        PID:3948
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 740
        3⤵
        • Program crash
        PID:4568
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1060
        3⤵
        • Program crash
        PID:4604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr050917.exe
    Filesize

    395KB

    MD5

    b54f44726399ff80bda16cb45c3c3173

    SHA1

    edd872b8a16b8845728084174a73d96362e85179

    SHA256

    300097deea9d2f2e51f3cae1ca3e9c3d2af9e34e02ea7ef9b26df4fc474937be

    SHA512

    22265dadaf203228d3ad9cecfe5402f67efa907bd4db50033710843bfa4cb38b449374ba75d8599a194c243f4d668ec368043bfa335f0e3660be3231008124f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr050917.exe
    Filesize

    395KB

    MD5

    b54f44726399ff80bda16cb45c3c3173

    SHA1

    edd872b8a16b8845728084174a73d96362e85179

    SHA256

    300097deea9d2f2e51f3cae1ca3e9c3d2af9e34e02ea7ef9b26df4fc474937be

    SHA512

    22265dadaf203228d3ad9cecfe5402f67efa907bd4db50033710843bfa4cb38b449374ba75d8599a194c243f4d668ec368043bfa335f0e3660be3231008124f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisO8839.exe
    Filesize

    624KB

    MD5

    d568829f9ea1152f46596650f3986c09

    SHA1

    fae985dbd268f8d2383968b62fa655688421842d

    SHA256

    87600a3373dd413486282ca124462553ad226fdb97f3206a47f7485c69bb6df2

    SHA512

    a7f67f1d00710038495c31d15e1771da4847a87250a90acdf557291a017c17641d1019252a4b18627e4d701d77c0591f412709fe9ab7a0b326a75b75e04a18ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisO8839.exe
    Filesize

    624KB

    MD5

    d568829f9ea1152f46596650f3986c09

    SHA1

    fae985dbd268f8d2383968b62fa655688421842d

    SHA256

    87600a3373dd413486282ca124462553ad226fdb97f3206a47f7485c69bb6df2

    SHA512

    a7f67f1d00710038495c31d15e1771da4847a87250a90acdf557291a017c17641d1019252a4b18627e4d701d77c0591f412709fe9ab7a0b326a75b75e04a18ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp518023.exe
    Filesize

    136KB

    MD5

    359db2338ae0f977dcf10e90cf9816fb

    SHA1

    94126cb670e5f434e555c991c967e0ee98fae552

    SHA256

    5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

    SHA512

    d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp518023.exe
    Filesize

    136KB

    MD5

    359db2338ae0f977dcf10e90cf9816fb

    SHA1

    94126cb670e5f434e555c991c967e0ee98fae552

    SHA256

    5f9eff953d7ca49f594a864517dfdf37950a41693e53b79aa3a5c396613031bc

    SHA512

    d2202c1f9dfe7c18993b834f3ccb34e9436c4bf814aca1ed38941ad41a4cf8326dda767389a5e39e64de74aacf76845464fdee73b61a926a1622a33c87382dbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZI0220.exe
    Filesize

    470KB

    MD5

    d06d29320b371463f4e60138be988026

    SHA1

    d5eab7c94711e40b1645cf0cd4fa468519772f1d

    SHA256

    76a174033a1c8948d0d0ea545b26528ed77058d00ddb971ab716fdbaed80bd41

    SHA512

    40d6adc78d841c6ae9a4787f861df3fcf80f813b529f928f20c8c017ecfbdaf1237804d3dd23db0af0b2510120be03c7a911c1b0d4b72ad8685cba96b89fd082

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziZI0220.exe
    Filesize

    470KB

    MD5

    d06d29320b371463f4e60138be988026

    SHA1

    d5eab7c94711e40b1645cf0cd4fa468519772f1d

    SHA256

    76a174033a1c8948d0d0ea545b26528ed77058d00ddb971ab716fdbaed80bd41

    SHA512

    40d6adc78d841c6ae9a4787f861df3fcf80f813b529f928f20c8c017ecfbdaf1237804d3dd23db0af0b2510120be03c7a911c1b0d4b72ad8685cba96b89fd082

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it139336.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it139336.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr765399.exe
    Filesize

    486KB

    MD5

    eca02c3627603cd84f2c9f4a4deffbe7

    SHA1

    cb3f24477c98df97ead7f35f6ed0b7ad6b6ec69d

    SHA256

    7f401fb7d98908fef97ca9cf85a1d77aa04847655c628e0388e7431981150f0b

    SHA512

    785deb0f0a8b00ed8754e2aad52639d0f93e3c03de2e6debe43341d2f619201bb29bab868c0ed487d42b863ba0470897fc7d9e56b1038f0eb4a716140a38ef0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr765399.exe
    Filesize

    486KB

    MD5

    eca02c3627603cd84f2c9f4a4deffbe7

    SHA1

    cb3f24477c98df97ead7f35f6ed0b7ad6b6ec69d

    SHA256

    7f401fb7d98908fef97ca9cf85a1d77aa04847655c628e0388e7431981150f0b

    SHA512

    785deb0f0a8b00ed8754e2aad52639d0f93e3c03de2e6debe43341d2f619201bb29bab868c0ed487d42b863ba0470897fc7d9e56b1038f0eb4a716140a38ef0f

    Download Submit

  • memory/2288-966-0x00000000074F0000-0x000000000753B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2288-965-0x0000000000740000-0x0000000000768000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2288-967-0x00000000074E0000-0x00000000074F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4084-973-0x0000000000900000-0x000000000093B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/4876-142-0x0000000000800000-0x000000000080A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5100-182-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-202-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-154-0x0000000002540000-0x0000000002550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-155-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-156-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-158-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-160-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-162-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-164-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-166-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-168-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-170-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-172-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-174-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-176-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-178-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-180-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-152-0x0000000002540000-0x0000000002550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-184-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-186-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-188-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-190-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-192-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-194-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-196-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-198-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-200-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-153-0x0000000002540000-0x0000000002550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-204-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-206-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-208-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-210-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-212-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-214-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-216-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-218-0x0000000005320000-0x0000000005355000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5100-947-0x0000000007820000-0x0000000007E26000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/5100-948-0x0000000007E70000-0x0000000007E82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5100-949-0x0000000007E90000-0x0000000007F9A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5100-950-0x0000000007FF0000-0x000000000802E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5100-951-0x0000000008130000-0x000000000817B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/5100-952-0x0000000002540000-0x0000000002550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5100-953-0x00000000082C0000-0x0000000008326000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5100-954-0x0000000008980000-0x0000000008A12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5100-955-0x0000000008A20000-0x0000000008A96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/5100-151-0x0000000005320000-0x000000000535A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/5100-150-0x00000000008F0000-0x0000000000936000-memory.dmp

    Filesize

    280KB

    Download

  • memory/5100-149-0x0000000004E20000-0x000000000531E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/5100-148-0x00000000024B0000-0x00000000024EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5100-956-0x0000000008AF0000-0x0000000008B0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/5100-957-0x0000000008B90000-0x0000000008BE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5100-958-0x0000000008D40000-0x0000000008F02000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/5100-959-0x0000000008F10000-0x000000000943C000-memory.dmp

    Filesize

    5.2MB

    Download