amadey | 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80864ec4f40c15a4589d19a1e6cd3ca.exe
Size

344KB
MD5

c80864ec4f40c15a4589d19a1e6cd3ca
SHA1

60179fed90422c2db1cefa9e05762965fa0e4283
SHA256

1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512

acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1
SSDEEP

6144:iru3Ja8xyrlTd03PzFcJeOwgTq9HBjf0Pc/zx9Eg5D:GGchs7l3bzx6gl

Score

10^/10

amadey systembc persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.70

tadogem.com/dF30Hn4m/index.php

Extracted

Family

systembc

65.21.119.52:4277

localhost.exchange:4277

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

44 4440 rundll32.exe
Downloads MZ/PE file

flow	pid	process
44	4440	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LBnHfOPmk.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	LBnHfOPmk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 5 IoCs

Processes:

LBnHfOPmk.exeoneetx.exerundll32.exeoneetx.exeoneetx.exe

pid process

4344 LBnHfOPmk.exe
4028 oneetx.exe
3544 rundll32.exe
4312 oneetx.exe
4264 oneetx.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3640 rundll32.exe
4440 rundll32.exe

pid	process
4344	LBnHfOPmk.exe
4028	oneetx.exe
3544	rundll32.exe
4312	oneetx.exe
4264	oneetx.exe

pid	process
3640	rundll32.exe
4440	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

oneetx.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe"	oneetx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll"	oneetx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

c80864ec4f40c15a4589d19a1e6cd3ca.exe

pid process

3196 c80864ec4f40c15a4589d19a1e6cd3ca.exe
3196 c80864ec4f40c15a4589d19a1e6cd3ca.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1568 3196 WerFault.exe c80864ec4f40c15a4589d19a1e6cd3ca.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2372 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c80864ec4f40c15a4589d19a1e6cd3ca.exe

description pid process

Token: SeDebugPrivilege 3196 c80864ec4f40c15a4589d19a1e6cd3ca.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

LBnHfOPmk.exe

pid process

4344 LBnHfOPmk.exe

pid	process
3196	c80864ec4f40c15a4589d19a1e6cd3ca.exe
3196	c80864ec4f40c15a4589d19a1e6cd3ca.exe

pid	pid_target	process	target process
1568	3196	WerFault.exe	c80864ec4f40c15a4589d19a1e6cd3ca.exe

pid	process
2372	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3196	c80864ec4f40c15a4589d19a1e6cd3ca.exe

pid	process
4344	LBnHfOPmk.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

c80864ec4f40c15a4589d19a1e6cd3ca.exeLBnHfOPmk.exeoneetx.exerundll32.exe

description	pid	process	target process
PID 3196 wrote to memory of 4344	3196	c80864ec4f40c15a4589d19a1e6cd3ca.exe	LBnHfOPmk.exe
PID 3196 wrote to memory of 4344	3196	c80864ec4f40c15a4589d19a1e6cd3ca.exe	LBnHfOPmk.exe
PID 3196 wrote to memory of 4344	3196	c80864ec4f40c15a4589d19a1e6cd3ca.exe	LBnHfOPmk.exe
PID 4344 wrote to memory of 4028	4344	LBnHfOPmk.exe	oneetx.exe
PID 4344 wrote to memory of 4028	4344	LBnHfOPmk.exe	oneetx.exe
PID 4344 wrote to memory of 4028	4344	LBnHfOPmk.exe	oneetx.exe
PID 4028 wrote to memory of 2372	4028	oneetx.exe	schtasks.exe
PID 4028 wrote to memory of 2372	4028	oneetx.exe	schtasks.exe
PID 4028 wrote to memory of 2372	4028	oneetx.exe	schtasks.exe
PID 4028 wrote to memory of 3544	4028	oneetx.exe	rundll32.exe
PID 4028 wrote to memory of 3544	4028	oneetx.exe	rundll32.exe
PID 4028 wrote to memory of 3544	4028	oneetx.exe	rundll32.exe
PID 4028 wrote to memory of 3640	4028	oneetx.exe	rundll32.exe
PID 4028 wrote to memory of 3640	4028	oneetx.exe	rundll32.exe
PID 4028 wrote to memory of 3640	4028	oneetx.exe	rundll32.exe
PID 3640 wrote to memory of 4440	3640	rundll32.exe	rundll32.exe
PID 3640 wrote to memory of 4440	3640	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe
"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe
"C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:2372

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"
4⤵
- Executes dropped EXE
PID:3544

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1848
2⤵
- Program crash
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3196 -ip 3196
1⤵
PID:380

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
1⤵
- Executes dropped EXE
PID:4264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

Filesize
17KB

MD5
4c09e8e3a1d837f125ea9f9c0c2c5380

SHA1
0221f489cdef441afad424b5954d07b432d0b8e8

SHA256
44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace

SHA512
d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

Filesize
17KB

MD5
4c09e8e3a1d837f125ea9f9c0c2c5380

SHA1
0221f489cdef441afad424b5954d07b432d0b8e8

SHA256
44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace

SHA512
d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

Filesize
17KB

MD5
4c09e8e3a1d837f125ea9f9c0c2c5380

SHA1
0221f489cdef441afad424b5954d07b432d0b8e8

SHA256
44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace

SHA512
d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

Filesize
17KB

MD5
4c09e8e3a1d837f125ea9f9c0c2c5380

SHA1
0221f489cdef441afad424b5954d07b432d0b8e8

SHA256
44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace

SHA512
d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\443549032550

Filesize
84KB

MD5
f9a17c8e93eb0838490e4c81a2d074a4

SHA1
5d0dabbc2a7b6a2d5fbe9ef6318f90827d8e17d1

SHA256
1e17ebce9ba3bb2a24b78d15f09141da98b7666aa7b31481595e9721e17a9e14

SHA512
7c04660b27dd35eceac2a9ab0f7b080802036a61fde403350b7be3a73938b935d1f4b22a4e0b10b2b6d1cb3014f4a9091540af991fd038581ecc4d3bb4950e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBnHfOPmk.exe

Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

Filesize
211KB

MD5
1d81057710dc737ffee88f7f8b0ef90c

SHA1
8a13b1fe68d5010e5e9b14719a279c4037d7c446

SHA256
c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc

SHA512
a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

Download Submit
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

Filesize
211KB

MD5
1d81057710dc737ffee88f7f8b0ef90c

SHA1
8a13b1fe68d5010e5e9b14719a279c4037d7c446

SHA256
c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc

SHA512
a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

Download Submit
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

Filesize
211KB

MD5
1d81057710dc737ffee88f7f8b0ef90c

SHA1
8a13b1fe68d5010e5e9b14719a279c4037d7c446

SHA256
c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc

SHA512
a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

Download Submit
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/3196-133-0x0000000000280000-0x0000000000314000-memory.dmp

Filesize
592KB

Download
memory/3196-135-0x0000000009250000-0x0000000009260000-memory.dmp

Filesize
64KB

Download
memory/3196-134-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3544-181-0x0000000000A60000-0x0000000000AA0000-memory.dmp

Filesize
256KB

Download
memory/3544-218-0x0000000005410000-0x00000000054A2000-memory.dmp

Filesize
584KB

Download
memory/3544-219-0x0000000009840000-0x0000000009850000-memory.dmp

Filesize
64KB

Download
memory/3544-220-0x0000000009840000-0x0000000009850000-memory.dmp

Filesize
64KB

Download
memory/3544-217-0x0000000009E00000-0x000000000A3A4000-memory.dmp

Filesize
5.6MB

Download