amadey | bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

Analysis

max time kernel
295s
max time network
261s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21-07-2023 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
Size

6.8MB
MD5

4fcd70f4d036361d2fef09cf03932f7b
SHA1

b8c39838498676d95a267e8f9ee2bb59edb8e76e
SHA256

bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67
SHA512

3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab
SSDEEP

98304:TBWqiL18HkxPnA8n+wuxT4NqP2ozzv68ZslF8QLkY52P:9RiSk9pnNuiiXi8mF7LkY52P

Score

10^/10

amadey evasion themida trojan

Malware Config

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oneetx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oneetx.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	oneetx.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oneetx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oneetx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oneetx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oneetx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	oneetx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	oneetx.exe

Executes dropped EXE 3 IoCs

pid	Process
4768	oneetx.exe
808	oneetx.exe
2120	oneetx.exe

Themida packer 29 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/600-117-0x0000000000A10000-0x0000000001106000-memory.dmp	themida
behavioral2/memory/600-120-0x0000000000A10000-0x0000000001106000-memory.dmp	themida
behavioral2/memory/600-121-0x0000000000A10000-0x0000000001106000-memory.dmp	themida
behavioral2/memory/600-122-0x0000000000A10000-0x0000000001106000-memory.dmp	themida
behavioral2/memory/600-123-0x0000000000A10000-0x0000000001106000-memory.dmp	themida
behavioral2/files/0x000700000001af43-128.dat	themida
behavioral2/files/0x000700000001af43-129.dat	themida
behavioral2/memory/600-130-0x0000000000A10000-0x0000000001106000-memory.dmp	themida
behavioral2/memory/4768-131-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/4768-136-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/4768-137-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/4768-139-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/4768-138-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/files/0x000700000001af43-140.dat	themida
behavioral2/memory/4768-153-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/files/0x000700000001af43-156.dat	themida
behavioral2/memory/808-157-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/808-160-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/808-161-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/808-162-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/808-164-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/808-163-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/files/0x000700000001af43-173.dat	themida
behavioral2/memory/2120-174-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/2120-175-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/2120-177-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/2120-180-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/2120-181-0x0000000001360000-0x0000000001A56000-memory.dmp	themida
behavioral2/memory/2120-179-0x0000000001360000-0x0000000001A56000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oneetx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oneetx.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	oneetx.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
4768	oneetx.exe
808	oneetx.exe
2120	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
4768	oneetx.exe
4768	oneetx.exe
808	oneetx.exe
808	oneetx.exe
2120	oneetx.exe
2120	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 600 wrote to memory of 4768	600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe	70
PID 600 wrote to memory of 4768	600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe	70
PID 600 wrote to memory of 4768	600	bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe	70
PID 4768 wrote to memory of 1892	4768	oneetx.exe	71
PID 4768 wrote to memory of 1892	4768	oneetx.exe	71
PID 4768 wrote to memory of 1892	4768	oneetx.exe	71
PID 4768 wrote to memory of 4136	4768	oneetx.exe	73
PID 4768 wrote to memory of 4136	4768	oneetx.exe	73
PID 4768 wrote to memory of 4136	4768	oneetx.exe	73
PID 4136 wrote to memory of 4844	4136	cmd.exe	75
PID 4136 wrote to memory of 4844	4136	cmd.exe	75
PID 4136 wrote to memory of 4844	4136	cmd.exe	75
PID 4136 wrote to memory of 3772	4136	cmd.exe	76
PID 4136 wrote to memory of 3772	4136	cmd.exe	76
PID 4136 wrote to memory of 3772	4136	cmd.exe	76
PID 4136 wrote to memory of 2548	4136	cmd.exe	77
PID 4136 wrote to memory of 2548	4136	cmd.exe	77
PID 4136 wrote to memory of 2548	4136	cmd.exe	77
PID 4136 wrote to memory of 1388	4136	cmd.exe	78
PID 4136 wrote to memory of 1388	4136	cmd.exe	78
PID 4136 wrote to memory of 1388	4136	cmd.exe	78
PID 4136 wrote to memory of 4944	4136	cmd.exe	79
PID 4136 wrote to memory of 4944	4136	cmd.exe	79
PID 4136 wrote to memory of 4944	4136	cmd.exe	79
PID 4136 wrote to memory of 4764	4136	cmd.exe	80
PID 4136 wrote to memory of 4764	4136	cmd.exe	80
PID 4136 wrote to memory of 4764	4136	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe
"C:\Users\Admin\AppData\Local\Temp\bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:600
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4844
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:3772
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:N"
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:R" /E
      4⤵
      PID:4764

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:808

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\175128012676

Filesize
68KB

MD5
22fcc76138cf71cbcab5637305ef7126

SHA1
fd7cf336751701dfa679a5e40e048b8b33f0f4e0

SHA256
46d3433d003105dce9d3772090916a48a8cee6d86190dff24bf95e4557b835ed

SHA512
cc33e0a4062f06782cc3db16858833ccc9f56dfe4a4f78586982122043e41accd63ea9845693d0b89472c496695f6cfd6eda0d54150070b44314fbda0ed9c8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.8MB

MD5
4fcd70f4d036361d2fef09cf03932f7b

SHA1
b8c39838498676d95a267e8f9ee2bb59edb8e76e

SHA256
bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

SHA512
3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.8MB

MD5
4fcd70f4d036361d2fef09cf03932f7b

SHA1
b8c39838498676d95a267e8f9ee2bb59edb8e76e

SHA256
bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

SHA512
3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.8MB

MD5
4fcd70f4d036361d2fef09cf03932f7b

SHA1
b8c39838498676d95a267e8f9ee2bb59edb8e76e

SHA256
bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

SHA512
3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.8MB

MD5
4fcd70f4d036361d2fef09cf03932f7b

SHA1
b8c39838498676d95a267e8f9ee2bb59edb8e76e

SHA256
bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

SHA512
3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
6.8MB

MD5
4fcd70f4d036361d2fef09cf03932f7b

SHA1
b8c39838498676d95a267e8f9ee2bb59edb8e76e

SHA256
bfe406b543ca148c2ef6424a32682fbd540810078d52c6f0af8f0edb5951cd67

SHA512
3bec3c60d903a348712a179bb96cc20ca868abda2019077279877f40b877b2f127b2a60704f276c23fec4da58a5bff78638ca228dfc79726d6afe048120eb9ab

Download Submit
memory/600-121-0x0000000000A10000-0x0000000001106000-memory.dmp

Filesize
7.0MB

Download
memory/600-123-0x0000000000A10000-0x0000000001106000-memory.dmp

Filesize
7.0MB

Download
memory/600-122-0x0000000000A10000-0x0000000001106000-memory.dmp

Filesize
7.0MB

Download
memory/600-130-0x0000000000A10000-0x0000000001106000-memory.dmp

Filesize
7.0MB

Download
memory/600-120-0x0000000000A10000-0x0000000001106000-memory.dmp

Filesize
7.0MB

Download
memory/600-117-0x0000000000A10000-0x0000000001106000-memory.dmp

Filesize
7.0MB

Download
memory/600-133-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/600-134-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/600-119-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/600-118-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/808-159-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/808-161-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/808-163-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/808-164-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/808-165-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/808-166-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/808-162-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/808-160-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/808-158-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/808-157-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-183-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/2120-174-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-175-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-180-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-176-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/2120-177-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-179-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-181-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/2120-178-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/2120-182-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/4768-132-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/4768-155-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/4768-154-0x0000000074E20000-0x0000000074EF0000-memory.dmp

Filesize
832KB

Download
memory/4768-153-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/4768-138-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/4768-139-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/4768-137-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/4768-136-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download
memory/4768-135-0x00000000779E0000-0x0000000077BA2000-memory.dmp

Filesize
1.8MB

Download
memory/4768-131-0x0000000001360000-0x0000000001A56000-memory.dmp

Filesize
7.0MB

Download