Analysis
-
max time kernel
233s -
max time network
287s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
28-07-2023 03:34
General
-
Target
f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba.exe
-
Size
6.5MB
-
MD5
047b5d2075c2d6610b0b63c34d0455be
-
SHA1
f5a29ddd6f1df5da62250f93094b754043cc586c
-
SHA256
f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba
-
SHA512
6125cf9ab5cc9282a98867882207d0d5115970cc49bdbcdeea485995b66248e05dedf52f7246622d34b061687d8838edcce89338bb1623ba57ec9bd1d4086582
-
SSDEEP
196608:ohcmcCw4eb7tPjA5rAoYpB+2u54AXDkQcRDt8yhm0FpGn:ohPcfDtPc5sXpB+2umGd4DthtFO
Malware Config
Extracted
amadey
3.85
45.9.74.166/b7djSDcPcZ/index.php
45.9.74.141/b7djSDcPcZ/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
VMProtect packed file 14 IoCs
Detects executables packed with VMProtect commercial packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba.exe"C:\Users\Admin\AppData\Local\Temp\f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "bstyoops.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "bstyoops.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c2868ed41c" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c2868ed41c" /P "Admin:R" /E4⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {379EEECB-EABA-4704-BDB7-C4D8DCD7C448} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exeC:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cacls.exeCACLS "bstyoops.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "bstyoops.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c2868ed41c" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\c2868ed41c" /P "Admin:R" /E4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exeFilesize
6.5MB
MD5047b5d2075c2d6610b0b63c34d0455be
SHA1f5a29ddd6f1df5da62250f93094b754043cc586c
SHA256f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba
SHA5126125cf9ab5cc9282a98867882207d0d5115970cc49bdbcdeea485995b66248e05dedf52f7246622d34b061687d8838edcce89338bb1623ba57ec9bd1d4086582
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exeFilesize
6.5MB
MD5047b5d2075c2d6610b0b63c34d0455be
SHA1f5a29ddd6f1df5da62250f93094b754043cc586c
SHA256f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba
SHA5126125cf9ab5cc9282a98867882207d0d5115970cc49bdbcdeea485995b66248e05dedf52f7246622d34b061687d8838edcce89338bb1623ba57ec9bd1d4086582
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exeFilesize
6.5MB
MD5047b5d2075c2d6610b0b63c34d0455be
SHA1f5a29ddd6f1df5da62250f93094b754043cc586c
SHA256f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba
SHA5126125cf9ab5cc9282a98867882207d0d5115970cc49bdbcdeea485995b66248e05dedf52f7246622d34b061687d8838edcce89338bb1623ba57ec9bd1d4086582
-
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exeFilesize
6.5MB
MD5047b5d2075c2d6610b0b63c34d0455be
SHA1f5a29ddd6f1df5da62250f93094b754043cc586c
SHA256f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba
SHA5126125cf9ab5cc9282a98867882207d0d5115970cc49bdbcdeea485995b66248e05dedf52f7246622d34b061687d8838edcce89338bb1623ba57ec9bd1d4086582
-
\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exeFilesize
6.5MB
MD5047b5d2075c2d6610b0b63c34d0455be
SHA1f5a29ddd6f1df5da62250f93094b754043cc586c
SHA256f0e0e17a24223a3ae38281c669b9e9702cb63f41859bcb4f489a9048795e27ba
SHA5126125cf9ab5cc9282a98867882207d0d5115970cc49bdbcdeea485995b66248e05dedf52f7246622d34b061687d8838edcce89338bb1623ba57ec9bd1d4086582
-
memory/2348-95-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/2348-90-0x00000000010F0000-0x0000000001B92000-memory.dmpFilesize
10.6MB
-
memory/2348-91-0x00000000000D0000-0x00000000000D1000-memory.dmpFilesize
4KB
-
memory/2348-93-0x00000000010F0000-0x0000000001B92000-memory.dmpFilesize
10.6MB
-
memory/2348-96-0x00000000778F0000-0x00000000778F1000-memory.dmpFilesize
4KB
-
memory/2348-100-0x00000000010F0000-0x0000000001B92000-memory.dmpFilesize
10.6MB
-
memory/2860-86-0x00000000010F0000-0x0000000001B92000-memory.dmpFilesize
10.6MB
-
memory/2860-78-0x00000000010F0000-0x0000000001B92000-memory.dmpFilesize
10.6MB
-
memory/2860-81-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/2860-83-0x00000000010F0000-0x0000000001B92000-memory.dmpFilesize
10.6MB
-
memory/2964-62-0x00000000778F0000-0x00000000778F1000-memory.dmpFilesize
4KB
-
memory/2964-75-0x0000000001000000-0x0000000001AA2000-memory.dmpFilesize
10.6MB
-
memory/2964-65-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/2964-54-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/2964-59-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/2964-60-0x0000000001000000-0x0000000001AA2000-memory.dmpFilesize
10.6MB
-
memory/2964-57-0x0000000000100000-0x0000000000101000-memory.dmpFilesize
4KB
-
memory/2964-56-0x0000000001000000-0x0000000001AA2000-memory.dmpFilesize
10.6MB