Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2023, 00:38

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b9167b1383f50b505263b23efec2437d4f07ef2b0b6c843b008161c0b319a3ec.exe

  • Size

    490KB

  • MD5

    4d774fc8e6f04b3ae2fa354c05cb26c4

  • SHA1

    ae76cae1c43695ff6678fcde9175bb089a88a2bf

  • SHA256

    b9167b1383f50b505263b23efec2437d4f07ef2b0b6c843b008161c0b319a3ec

  • SHA512

    96b9bb3d0a27d01690c5c4ee8b1b770122e105dd6f30bbd02ffe802193d8fd6562c683cb3996179a66674aab7b4737cfa023b8dc905df01101158bcfddee3354

  • SSDEEP

    12288:+Mrvy90F4k4TeYGKqAnITVCsbCnp4+qP/P:ty6d4K9LfTAs0p45PX

Score
10/10
amadeydiscoveryevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.70

C2

212.113.119.255/joomla/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9167b1383f50b505263b23efec2437d4f07ef2b0b6c843b008161c0b319a3ec.exe
    "C:\Users\Admin\AppData\Local\Temp\b9167b1383f50b505263b23efec2437d4f07ef2b0b6c843b008161c0b319a3ec.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1893145.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1893145.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0202943.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0202943.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5860019.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5860019.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1891934.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1891934.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
        "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3932
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
          4⤵
          • Creates scheduled task(s)
          PID:3348
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          4⤵
          • Loads dropped DLL
          PID:1468
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:3116
  • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
    1⤵
    • Executes dropped EXE
    PID:1504

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1891934.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1891934.exe
          Filesize

          230KB

          MD5

          a3efc14ccc186892fe4f9bcaf3190350

          SHA1

          a7e9e0a865f6ab218d59b804f0332300a57cf594

          SHA256

          4040d0991967c5cc973cb635cf94fcddddb2a901a2f7fc39b6a8929a4580cccb

          SHA512

          3a633a890c0188b72e1c49eb1baec2931e71b0fc249f2017fbf855b4f124f9d24cf08a56450080d0f6186475ed1114f2653b1d629ac6c002c0b8e818beaff25e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1893145.exe
          Filesize

          307KB

          MD5

          e19bea4d69375353b04abf696bb3a83f

          SHA1

          b362ecbea35468de9a426c9597d744b890868d50

          SHA256

          2b6c55ba27224a928610d9b492069290e639da0baa0684a3281045f59c3e3a23

          SHA512

          49643ef4dee077bb7caef1aef6932af1d1cba67cefbf94d98739de20d7cfee4b5ea306ca98bd38903a9c73a261d3fc38b2cee15155d985577ec3bf85058d8f9f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1893145.exe
          Filesize

          307KB

          MD5

          e19bea4d69375353b04abf696bb3a83f

          SHA1

          b362ecbea35468de9a426c9597d744b890868d50

          SHA256

          2b6c55ba27224a928610d9b492069290e639da0baa0684a3281045f59c3e3a23

          SHA512

          49643ef4dee077bb7caef1aef6932af1d1cba67cefbf94d98739de20d7cfee4b5ea306ca98bd38903a9c73a261d3fc38b2cee15155d985577ec3bf85058d8f9f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0202943.exe
          Filesize

          175KB

          MD5

          13ba9891a8f1c24b0b21a1a2cd20a980

          SHA1

          a5e1fb7227347df32648a8e6b8d4f29b3ac7392e

          SHA256

          b6117b409490ab9fa2e4d59b1bf4556a58d931ec298c1b32e8777c6902073a01

          SHA512

          19076315e20a960d55b0e0ccc81d202bc360771962641a8d97483f55828bef32a0df33758f3fcb12c6d40c11d5f291fbc8749335f149730d455583ddf72adcca

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o0202943.exe
          Filesize

          175KB

          MD5

          13ba9891a8f1c24b0b21a1a2cd20a980

          SHA1

          a5e1fb7227347df32648a8e6b8d4f29b3ac7392e

          SHA256

          b6117b409490ab9fa2e4d59b1bf4556a58d931ec298c1b32e8777c6902073a01

          SHA512

          19076315e20a960d55b0e0ccc81d202bc360771962641a8d97483f55828bef32a0df33758f3fcb12c6d40c11d5f291fbc8749335f149730d455583ddf72adcca

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5860019.exe
          Filesize

          136KB

          MD5

          10d9085eb6e1c272561aef46cc0974c4

          SHA1

          f6108f10a89848124f39a7853062df2560012785

          SHA256

          905f4bbf8607952bbfb9087983f72cada8d265f1c0b9aa671c1ee11fbfb84974

          SHA512

          956c58e7b870b8c6c76754da8f15aeb6d106c9015b001dabf26c4ef1848df1e0fcf16a3fb9d57d05b12d4e1a59aef7a900dd3df868d5d9ef5b6b06e6577bdaa4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5860019.exe
          Filesize

          136KB

          MD5

          10d9085eb6e1c272561aef46cc0974c4

          SHA1

          f6108f10a89848124f39a7853062df2560012785

          SHA256

          905f4bbf8607952bbfb9087983f72cada8d265f1c0b9aa671c1ee11fbfb84974

          SHA512

          956c58e7b870b8c6c76754da8f15aeb6d106c9015b001dabf26c4ef1848df1e0fcf16a3fb9d57d05b12d4e1a59aef7a900dd3df868d5d9ef5b6b06e6577bdaa4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
          Filesize

          89KB

          MD5

          73df88d68a4f5e066784d462788cf695

          SHA1

          e4bfed336848d0b622fa464d40cf4bd9222aab3f

          SHA256

          f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

          SHA512

          64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

          Download Submit

        • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
          Filesize

          89KB

          MD5

          73df88d68a4f5e066784d462788cf695

          SHA1

          e4bfed336848d0b622fa464d40cf4bd9222aab3f

          SHA256

          f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

          SHA512

          64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

          Download Submit

        • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
          Filesize

          89KB

          MD5

          73df88d68a4f5e066784d462788cf695

          SHA1

          e4bfed336848d0b622fa464d40cf4bd9222aab3f

          SHA256

          f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

          SHA512

          64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

          Download Submit

        • C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
          Filesize

          162B

          MD5

          1b7c22a214949975556626d7217e9a39

          SHA1

          d01c97e2944166ed23e47e4a62ff471ab8fa031f

          SHA256

          340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

          SHA512

          ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

          Download Submit

        • memory/2832-197-0x0000000008280000-0x000000000829E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2832-188-0x0000000007090000-0x00000000070A2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2832-198-0x0000000002550000-0x00000000025A0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2832-196-0x0000000009110000-0x000000000963C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/2832-195-0x00000000083D0000-0x0000000008592000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2832-194-0x0000000008180000-0x00000000081F6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2832-193-0x0000000007FE0000-0x0000000008072000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2832-192-0x0000000007450000-0x00000000074B6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2832-191-0x0000000007180000-0x0000000007190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2832-190-0x00000000070F0000-0x000000000712C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/2832-189-0x00000000071C0000-0x00000000072CA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2832-186-0x0000000000380000-0x00000000003A8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2832-187-0x0000000007620000-0x0000000007C38000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4640-168-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-162-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-170-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-181-0x0000000002490000-0x00000000024A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4640-180-0x0000000002490000-0x00000000024A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4640-179-0x0000000002490000-0x00000000024A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4640-178-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-176-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-174-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-164-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-172-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-166-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-160-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-158-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-156-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-154-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-152-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-151-0x0000000004F10000-0x0000000004F22000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4640-150-0x0000000002490000-0x00000000024A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4640-149-0x0000000002490000-0x00000000024A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4640-148-0x0000000002490000-0x00000000024A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4640-147-0x0000000004910000-0x0000000004EB4000-memory.dmp

          Filesize

          5.6MB

          Download