Overview

overview

10

Static

static

7

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    267s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    10-09-2023 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe

  • Size

    2.4MB

  • MD5

    a2f2e39ba9cd5bbd496e5f6e46210cd6

  • SHA1

    738b4f192a6e5e3311e8788ae8872ff2166672f9

  • SHA256

    61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad

  • SHA512

    f34ffeae482fdd9105e4838664c62dc6148ffe924a89083e6d9d77cec98cf0258b60b6e7c009ea5b1d09bfb98c57b862c47008f258ae2e74c68d2d8bcafa322a

  • SSDEEP

    49152:rHSnhemOWEUuSyr9GVHyK1OqdzuepWVOsyplgVFi9d3ra+RKrpce+7:sOPkHycOnepWIs2lgfy3DRCZo

Score
10/10
amadeyevasionthemidatrojan

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://5.42.64.33/vu3skClDn/index.php

Attributes
  • install_dir

    a304d35d74

  • install_file

    yiueea.exe

  • strings_key

    3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 38 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
    "C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe /TR "C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe" /F
      2⤵
      • Creates scheduled task(s)
      PID:2244
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8E25941C-26D6-4F82-8BA6-25E4463255F6} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2652
    • C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1656
    • C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1364
    • C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      C:\Users\Admin\AppData\Local\Temp\61ae562ea867b2b85de6b6482dd1d315b49497ec2404e799d71a7df9a434a4ad.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1364-54-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1364-53-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1364-58-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1364-57-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1364-56-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1364-55-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1364-59-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-40-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-44-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-46-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-45-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-43-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-42-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1656-41-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-29-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-32-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-27-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-28-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-33-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-30-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2312-31-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-4-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-3-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-1-0x0000000077220000-0x0000000077222000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2484-2-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-0-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-5-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-6-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-7-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2484-8-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-14-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-15-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-16-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-19-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-17-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-18-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2652-20-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2720-66-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2720-73-0x0000000000F80000-0x00000000015C0000-memory.dmp

    Filesize

    6.2MB

    Download