Analysis

  • max time kernel
    147s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-08-2023 23:46

General

  • Target

    9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe

  • Size

    6.5MB

  • MD5

    89e9bc7a5d97370a0f4a35041a54a696

  • SHA1

    c0e8572f48b2e5f83c39374f4175e35a5e7c2029

  • SHA256

    9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

  • SHA512

    12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

  • SSDEEP

    196608:3PbBDSjGzSuyKff2j6pdVY3d2dZo2tOuAX+W6+B6VJN1lev:3JKGzXuTwdZdLM+JS

Score
10/10

Malware Config

Extracted

Family

amadey

Version

3.80

C2

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
    "C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:884
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "oneetx.exe" /P "Admin:N"
          4⤵
          PID:4836
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "oneetx.exe" /P "Admin:R" /E
          4⤵
          PID:4644
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "..\eb0f58bce7" /P "Admin:N"
          4⤵
          PID:1380
        • C:\Windows\SysWOW64\cacls.exe
          CACLS "..\eb0f58bce7" /P "Admin:R" /E
          4⤵
          PID:8
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
          PID:560
  • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1848
  • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:2608
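The process tree shows the two steps worth a detection rule: the dropped copy oneetx.exe registers a scheduled task that re-launches it every minute (/SC MINUTE /MO 1, /TR pointing into the user's Temp folder), and a cmd.exe chain runs cacls.exe to replace the ACL on the binary and its folder with "Admin:N" (echo Y answers cacls' confirmation prompt) before editing read-only access back in with "Admin:R" /E, leaving the sandbox user with no right to modify or delete either. The following is an added example, not part of the sandbox report or of the malware: it runs both checks over process-creation records constructed from the command lines above. The ProcEvent fields (pid, ppid, image, cmdline, user), the five-minute "high-frequency" threshold and the benign NightlyBackup control task are assumptions introduced here.

```python
# Added example, not from the sandbox report: flags the schtasks.exe persistence and the
# cacls.exe self-lockout seen in the process tree above. ProcEvent's fields are an
# assumption, loosely modelled on a process-creation log such as Sysmon Event ID 1.
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline user")  # image = full exe path
Finding = namedtuple("Finding", "pid rule detail")

# Paths a standard user can write to; a scheduled-task target here is user-controlled.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
MAX_BENIGN_MINUTE_MODIFIER = 5   # assumed: /SC MINUTE with /MO <= 5 is "high-frequency"

def split_cmdline(cmdline):
    """Split on whitespace but keep double-quoted runs together, then drop the quotes."""
    return [tok.replace('"', "") for tok in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]

def switch_map(tokens):
    """Map /SWITCH (upper-cased) to the value after it, or True for a bare flag."""
    opts, i = {}, 1                       # tokens[0] is the program itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[tok[1:].upper()] = tokens[i + 1]
                i += 2
                continue
            opts[tok[1:].upper()] = True
        i += 1
    return opts

def check_schtasks(ev):
    """schtasks /Create with a minute-level trigger that runs a binary from a
    user-writable directory (ATT&CK T1053.005)."""
    opts = switch_map(split_cmdline(ev.cmdline))
    target = str(opts.get("TR", ""))
    modifier = int(opts["MO"]) if str(opts.get("MO", "")).isdigit() else 1
    if ("CREATE" in opts and str(opts.get("SC", "")).upper() == "MINUTE"
            and modifier <= MAX_BENIGN_MINUTE_MODIFIER and USER_WRITABLE.search(target)):
        return Finding(ev.pid, "schtasks_minute_persistence",
                       f"task {opts.get('TN')} runs {target} every {modifier} minute(s)")
    return None

def check_cacls(ev):
    """cacls /P <user>:N where <user> is the account running cacls: the process is
    removing its own user's access to the target (the oneetx.exe lock-down)."""
    tokens = split_cmdline(ev.cmdline)
    grant = switch_map(tokens).get("P")
    if not isinstance(grant, str) or ":" not in grant:
        return None
    principal, perm = grant.rsplit(":", 1)
    if perm.upper() != "N" or principal.lower() != ev.user.lower():
        return None
    target = tokens[1] if len(tokens) > 1 and not tokens[1].startswith("/") else "?"
    return Finding(ev.pid, "cacls_self_lockout", f"ACL on {target} set to {grant}")

CHECKS = {"schtasks.exe": check_schtasks, "cacls.exe": check_cacls}

def scan(events):
    """Run the per-image checks; tag hits whose parent runs from a user-writable path."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        check = CHECKS.get(ev.image.rsplit("\\", 1)[-1].lower())
        hit = check(ev) if check else None
        if hit is None:
            continue
        parent = by_pid.get(ev.ppid)
        if parent and USER_WRITABLE.search(parent.image):
            hit = hit._replace(detail=f"{hit.detail}; parent {parent.image} (pid {parent.pid})")
        findings.append(hit)
    return findings

# Constructed from the process tree above (pids, images, command lines; the sandbox user
# is 'Admin'). The last record is a constructed benign daily task used as a negative control.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"
SAMPLE_EVENTS = [
    ProcEvent(2756, 1372, TEMP + r"\eb0f58bce7\oneetx.exe", '"' + TEMP + r'\eb0f58bce7\oneetx.exe"', "Admin"),
    ProcEvent(1164, 2756, SYSWOW + r"\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "'
              + TEMP + r'\eb0f58bce7\oneetx.exe" /F', "Admin"),
    ProcEvent(4836, 3468, SYSWOW + r"\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"', "Admin"),
    ProcEvent(4644, 3468, SYSWOW + r"\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:R" /E', "Admin"),
    ProcEvent(1380, 3468, SYSWOW + r"\cacls.exe", r'CACLS "..\eb0f58bce7" /P "Admin:N"', "Admin"),
    ProcEvent(8, 3468, SYSWOW + r"\cacls.exe", r'CACLS "..\eb0f58bce7" /P "Admin:R" /E', "Admin"),
    ProcEvent(9001, 4000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe"',
              "Admin"),
]
```

Running scan(SAMPLE_EVENTS) yields three findings: the schtasks.exe creation (pid 1164), tagged with its parent oneetx.exe in Temp, and the two cacls.exe "Admin:N" steps (pids 4836 and 1380). The "Admin:R" /E follow-ups and the daily task from Program Files are deliberately not flagged; the cacls rule keys on the running account stripping its own rights, which is what separates this self-protection step from routine ACL administration.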

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\498570331231

    Filesize

    82KB

    MD5

    2841eaa48ad70635c173051bc9169e9e

    SHA1

    13d1c16636def5fdcb586d0e2de10bc20c8b44fc

    SHA256

    e81f0dc876fec6f0a99575dfa8f9d411fbe3b2ee6431a7bed218658b1daef179

    SHA512

    73f1d7914d1d9823ded79b99a32fe4af1f2dc4603314303ebc2397a723b52757b646175d031bd7c25317954e1a42b1b20518906bbec4ce10a9dbf6f486583840

  • C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

    Filesize

    6.5MB

    MD5

    89e9bc7a5d97370a0f4a35041a54a696

    SHA1

    c0e8572f48b2e5f83c39374f4175e35a5e7c2029

    SHA256

    9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847

    SHA512

    12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

  • memory/1372-151-0x0000000000740000-0x00000000011E1000-memory.dmp

    Filesize

    10.6MB

  • memory/1372-135-0x0000000000740000-0x00000000011E1000-memory.dmp

    Filesize

    10.6MB

  • memory/1372-134-0x00000000031F0000-0x00000000031F1000-memory.dmp

    Filesize

    4KB

  • memory/1372-133-0x0000000000740000-0x00000000011E1000-memory.dmp

    Filesize

    10.6MB

  • memory/1848-172-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/1848-171-0x00000000011E0000-0x00000000011E1000-memory.dmp

    Filesize

    4KB

  • memory/1848-174-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/1848-177-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/2608-184-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/2608-181-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/2608-180-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

    Filesize

    4KB

  • memory/2608-179-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/2756-153-0x00000000010E0000-0x00000000010E1000-memory.dmp

    Filesize

    4KB

  • memory/2756-169-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/2756-154-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB

  • memory/2756-152-0x00000000000D0000-0x0000000000B71000-memory.dmp

    Filesize

    10.6MB