amadey | 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

Analysis

max time kernel
125s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2023 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

231KB
MD5

3dd072d71907f6d5a5b046908c081f11
SHA1

6432c3dacb6e4dec30ad44cc92f79d4a0156affd
SHA256

1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
SHA512

2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453
SSDEEP

6144:0s9bFCavQJdMSzPgI0KIikB/NiFEZu7dRmV:pbFCRMcRIiTFgu7dR

Score

10^/10

amadey lgoogloader downloader persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.84

109.206.241.33/9bDc8sQ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/4740-172-0x0000000000A20000-0x0000000000A2D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation	jbruyer.exe

Executes dropped EXE 4 IoCs

pid	Process
2004	jbruyer.exe
4740	AAAd1.exe
1008	jbruyer.exe
4776	jbruyer.exe

Loads dropped DLL 3 IoCs

pid	Process
3004	rundll32.exe
3396	rundll32.exe
4972	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AAAd1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001051\\AAAd1.exe"	jbruyer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2692	4972	WerFault.exe	98

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
924	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1528	tmp.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2004	1528	tmp.exe	83
PID 1528 wrote to memory of 2004	1528	tmp.exe	83
PID 1528 wrote to memory of 2004	1528	tmp.exe	83
PID 2004 wrote to memory of 924	2004	jbruyer.exe	84
PID 2004 wrote to memory of 924	2004	jbruyer.exe	84
PID 2004 wrote to memory of 924	2004	jbruyer.exe	84
PID 2004 wrote to memory of 4696	2004	jbruyer.exe	86
PID 2004 wrote to memory of 4696	2004	jbruyer.exe	86
PID 2004 wrote to memory of 4696	2004	jbruyer.exe	86
PID 4696 wrote to memory of 444	4696	cmd.exe	88
PID 4696 wrote to memory of 444	4696	cmd.exe	88
PID 4696 wrote to memory of 444	4696	cmd.exe	88
PID 4696 wrote to memory of 5096	4696	cmd.exe	89
PID 4696 wrote to memory of 5096	4696	cmd.exe	89
PID 4696 wrote to memory of 5096	4696	cmd.exe	89
PID 4696 wrote to memory of 3732	4696	cmd.exe	90
PID 4696 wrote to memory of 3732	4696	cmd.exe	90
PID 4696 wrote to memory of 3732	4696	cmd.exe	90
PID 4696 wrote to memory of 2512	4696	cmd.exe	91
PID 4696 wrote to memory of 2512	4696	cmd.exe	91
PID 4696 wrote to memory of 2512	4696	cmd.exe	91
PID 4696 wrote to memory of 3668	4696	cmd.exe	92
PID 4696 wrote to memory of 3668	4696	cmd.exe	92
PID 4696 wrote to memory of 3668	4696	cmd.exe	92
PID 4696 wrote to memory of 4476	4696	cmd.exe	93
PID 4696 wrote to memory of 4476	4696	cmd.exe	93
PID 4696 wrote to memory of 4476	4696	cmd.exe	93
PID 2004 wrote to memory of 4740	2004	jbruyer.exe	94
PID 2004 wrote to memory of 4740	2004	jbruyer.exe	94
PID 2004 wrote to memory of 4740	2004	jbruyer.exe	94
PID 2004 wrote to memory of 3396	2004	jbruyer.exe	96
PID 2004 wrote to memory of 3396	2004	jbruyer.exe	96
PID 2004 wrote to memory of 3396	2004	jbruyer.exe	96
PID 2004 wrote to memory of 3004	2004	jbruyer.exe	97
PID 2004 wrote to memory of 3004	2004	jbruyer.exe	97
PID 2004 wrote to memory of 3004	2004	jbruyer.exe	97
PID 3396 wrote to memory of 4972	3396	rundll32.exe	98
PID 3396 wrote to memory of 4972	3396	rundll32.exe	98

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN jbruyer.exe /TR "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "jbruyer.exe" /P "Admin:N"&&CACLS "jbruyer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\73456c80a6" /P "Admin:N"&&CACLS "..\73456c80a6" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:444
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "jbruyer.exe" /P "Admin:N"
      4⤵
      PID:5096
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "jbruyer.exe" /P "Admin:R" /E
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\73456c80a6" /P "Admin:N"
      4⤵
      PID:3668
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\73456c80a6" /P "Admin:R" /E
      4⤵
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe"
    3⤵
    - Executes dropped EXE
    PID:4740
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4972
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4972 -s 644
        5⤵
        Program crash
        
        PID:2692
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 188 -p 4972 -ip 4972
1⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
1⤵
- Executes dropped EXE
PID:1008

C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
1⤵
- Executes dropped EXE
PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe

Filesize
196KB

MD5
94f7dacd5b046eba244fceebe7b9a1dd

SHA1
02db8d219f8b97fc25d812e9c0012e6ffb3e71e1

SHA256
a5476eed216a55fa35d1a0ed0b4be51ce8c376e12a44a8f74f1ee9b1e0a1e685

SHA512
0364a6f74fb7e1632d540c30478f8e5f60c014de2a7282ec128fe5c00deb93d6d054a4519c089292aa72b0fe90b89579b6236a26223586a795beff0a0252594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe

Filesize
196KB

MD5
94f7dacd5b046eba244fceebe7b9a1dd

SHA1
02db8d219f8b97fc25d812e9c0012e6ffb3e71e1

SHA256
a5476eed216a55fa35d1a0ed0b4be51ce8c376e12a44a8f74f1ee9b1e0a1e685

SHA512
0364a6f74fb7e1632d540c30478f8e5f60c014de2a7282ec128fe5c00deb93d6d054a4519c089292aa72b0fe90b89579b6236a26223586a795beff0a0252594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\AAAd1.exe

Filesize
196KB

MD5
94f7dacd5b046eba244fceebe7b9a1dd

SHA1
02db8d219f8b97fc25d812e9c0012e6ffb3e71e1

SHA256
a5476eed216a55fa35d1a0ed0b4be51ce8c376e12a44a8f74f1ee9b1e0a1e685

SHA512
0364a6f74fb7e1632d540c30478f8e5f60c014de2a7282ec128fe5c00deb93d6d054a4519c089292aa72b0fe90b89579b6236a26223586a795beff0a0252594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\177513644190

Filesize
83KB

MD5
a8af4733eba251e1dbc4389b494b2e0c

SHA1
254cf3a0fde7aa7497b6aa3f817b2adc1d2a18cb

SHA256
2d64dfd4a934440b89f84eb5ccfc2f2932c80f32c7f11ef40a0b1924afb4feaa

SHA512
1275aef075881125eb82cc87da08968a3ae06824af3cd56335eb0ac777c42e195a55b233499aa5240d45a0f1d01eb6ba82c33128389edc6b1941b7108a880bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe

Filesize
231KB

MD5
3dd072d71907f6d5a5b046908c081f11

SHA1
6432c3dacb6e4dec30ad44cc92f79d4a0156affd

SHA256
1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1

SHA512
2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
89KB

MD5
49b3faf5b84f179885b1520ffa3ef3da

SHA1
c1ac12aeca413ec45a4f09aa66f0721b4f80413e

SHA256
b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5

SHA512
018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
89KB

MD5
49b3faf5b84f179885b1520ffa3ef3da

SHA1
c1ac12aeca413ec45a4f09aa66f0721b4f80413e

SHA256
b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5

SHA512
018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\clip64.dll

Filesize
89KB

MD5
49b3faf5b84f179885b1520ffa3ef3da

SHA1
c1ac12aeca413ec45a4f09aa66f0721b4f80413e

SHA256
b89189d3fca0a41aee9d4582a8efbe820d49e87224c325b4a0f4806d96bf86a5

SHA512
018d531b3328267ecaebcb9f523c386c8aa36bf29e7b2e0f61bd96a0f7f2d03c7f25f878c373fbce7e44c8d5512e969b816ed9c72edb44afa302670c652de742

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
memory/4740-172-0x0000000000A20000-0x0000000000A2D000-memory.dmp

Filesize
52KB

Download
memory/4740-171-0x0000000000450000-0x0000000000459000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads