amadey | 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

Analysis

max time kernel
142s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2023 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe
Size

231KB
MD5

3dd072d71907f6d5a5b046908c081f11
SHA1

6432c3dacb6e4dec30ad44cc92f79d4a0156affd
SHA256

1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
SHA512

2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453
SSDEEP

6144:0s9bFCavQJdMSzPgI0KIikB/NiFEZu7dRmV:pbFCRMcRIiTFgu7dR

Score

10^/10

amadey lgoogloader downloader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.84

109.206.241.33/9bDc8sQ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2168-172-0x0000000000A20000-0x0000000000A2D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Control Panel\International\Geo\Nation	jbruyer.exe

Executes dropped EXE 5 IoCs

pid	Process
1684	jbruyer.exe
2168	AAAd1.exe
4404	jbruyer.exe
2992	jbruyer.exe
3216	jbruyer.exe

Loads dropped DLL 3 IoCs

pid	Process
4552	rundll32.exe
3536	rundll32.exe
4420	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AAAd1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001051\\AAAd1.exe"	jbruyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2300	4420	WerFault.exe	97

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1296	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4744	1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1684	4744	1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe	81
PID 4744 wrote to memory of 1684	4744	1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe	81
PID 4744 wrote to memory of 1684	4744	1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe	81
PID 1684 wrote to memory of 1296	1684	jbruyer.exe	82
PID 1684 wrote to memory of 1296	1684	jbruyer.exe	82
PID 1684 wrote to memory of 1296	1684	jbruyer.exe	82
PID 1684 wrote to memory of 2240	1684	jbruyer.exe	84
PID 1684 wrote to memory of 2240	1684	jbruyer.exe	84
PID 1684 wrote to memory of 2240	1684	jbruyer.exe	84
PID 2240 wrote to memory of 4712	2240	cmd.exe	86
PID 2240 wrote to memory of 4712	2240	cmd.exe	86
PID 2240 wrote to memory of 4712	2240	cmd.exe	86
PID 2240 wrote to memory of 1260	2240	cmd.exe	87
PID 2240 wrote to memory of 1260	2240	cmd.exe	87
PID 2240 wrote to memory of 1260	2240	cmd.exe	87
PID 2240 wrote to memory of 1004	2240	cmd.exe	88
PID 2240 wrote to memory of 1004	2240	cmd.exe	88
PID 2240 wrote to memory of 1004	2240	cmd.exe	88
PID 2240 wrote to memory of 636	2240	cmd.exe	89
PID 2240 wrote to memory of 636	2240	cmd.exe	89
PID 2240 wrote to memory of 636	2240	cmd.exe	89
PID 2240 wrote to memory of 1752	2240	cmd.exe	90
PID 2240 wrote to memory of 1752	2240	cmd.exe	90
PID 2240 wrote to memory of 1752	2240	cmd.exe	90
PID 2240 wrote to memory of 908	2240	cmd.exe	91
PID 2240 wrote to memory of 908	2240	cmd.exe	91
PID 2240 wrote to memory of 908	2240	cmd.exe	91
PID 1684 wrote to memory of 2168	1684	jbruyer.exe	92
PID 1684 wrote to memory of 2168	1684	jbruyer.exe	92
PID 1684 wrote to memory of 2168	1684	jbruyer.exe	92
PID 1684 wrote to memory of 4552	1684	jbruyer.exe	95
PID 1684 wrote to memory of 4552	1684	jbruyer.exe	95
PID 1684 wrote to memory of 4552	1684	jbruyer.exe	95
PID 1684 wrote to memory of 3536	1684	jbruyer.exe	96
PID 1684 wrote to memory of 3536	1684	jbruyer.exe	96
PID 1684 wrote to memory of 3536	1684	jbruyer.exe	96
PID 4552 wrote to memory of 4420	4552	rundll32.exe	97
PID 4552 wrote to memory of 4420	4552	rundll32.exe	97

C:\Users\Admin\AppData\Local\Temp\1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe
"C:\Users\Admin\AppData\Local\Temp\1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN jbruyer.exe /TR "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "jbruyer.exe" /P "Admin:N"&&CACLS "jbruyer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\73456c80a6" /P "Admin:N"&&CACLS "..\73456c80a6" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "jbruyer.exe" /P "Admin:N"
      4⤵
      PID:1260
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "jbruyer.exe" /P "Admin:R" /E
      4⤵
      PID:1004
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:636
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\73456c80a6" /P "Admin:N"
      4⤵
      PID:1752
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\73456c80a6" /P "Admin:R" /E
      4⤵
      PID:908
- - C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe"
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4420
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4420 -s 644
        5⤵
        Program crash
        
        PID:2300
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3536

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4420 -ip 4420
1⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
1⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
1⤵
- Executes dropped EXE
PID:3216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\089297441894

Filesize
74KB

MD5
daa1087acfec6d847493567dfc3dfeb4

SHA1
040d588350447c7a683c4ed5d239f74271cc7d7d

SHA256
bca967c630eb8a302b86ffb389dcf98975d58f231a6a8a6676925b59ac02dd58

SHA512
c6cdc46f91c56ea27243ae40ecc649c78f3e3b25e60106e9a946a147a8934497ea29da5037d2577f7427dcf93b1c242bce263ba285b469bb5c46f1f0a2611542

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe

Filesize
196KB

MD5
94f7dacd5b046eba244fceebe7b9a1dd

SHA1
02db8d219f8b97fc25d812e9c0012e6ffb3e71e1

SHA256
a5476eed216a55fa35d1a0ed0b4be51ce8c376e12a44a8f74f1ee9b1e0a1e685

SHA512
0364a6f74fb7e1632d540c30478f8e5f60c014de2a7282ec128fe5c00deb93d6d054a4519c089292aa72b0fe90b89579b6236a26223586a795beff0a0252594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe

Filesize
196KB

MD5
94f7dacd5b046eba244fceebe7b9a1dd

SHA1
02db8d219f8b97fc25d812e9c0012e6ffb3e71e1

SHA256
a5476eed216a55fa35d1a0ed0b4be51ce8c376e12a44a8f74f1ee9b1e0a1e685

SHA512
0364a6f74fb7e1632d540c30478f8e5f60c014de2a7282ec128fe5c00deb93d6d054a4519c089292aa72b0fe90b89579b6236a26223586a795beff0a0252594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe

Filesize
196KB

MD5
94f7dacd5b046eba244fceebe7b9a1dd

SHA1
02db8d219f8b97fc25d812e9c0012e6ffb3e71e1

SHA256
a5476eed216a55fa35d1a0ed0b4be51ce8c376e12a44a8f74f1ee9b1e0a1e685

SHA512
0364a6f74fb7e1632d540c30478f8e5f60c014de2a7282ec128fe5c00deb93d6d054a4519c089292aa72b0fe90b89579b6236a26223586a795beff0a0252594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
89KB

MD5
49b3faf5b84f179885b1520ffa3ef3da

SHA1
c1ac12aeca413ec45a4f09aa66f0721b4f80413e

SHA256
b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5

SHA512
018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
89KB

MD5
49b3faf5b84f179885b1520ffa3ef3da

SHA1
c1ac12aeca413ec45a4f09aa66f0721b4f80413e

SHA256
b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5

SHA512
018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
89KB

MD5
49b3faf5b84f179885b1520ffa3ef3da

SHA1
c1ac12aeca413ec45a4f09aa66f0721b4f80413e

SHA256
b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5

SHA512
018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
memory/2168-172-0x0000000000A20000-0x0000000000A2D000-memory.dmp

Filesize
52KB

Download
memory/2168-171-0x00000000009F0000-0x00000000009F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads