amadey | e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0007000000015c2f-106.exe
Size

227KB
MD5

69d468f64dc451287c4d2af9e7e1e649
SHA1

7799b32a7a3c0e8679dade16ff97e60324e8b93c
SHA256

e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451
SHA512

b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd
SSDEEP

6144:LEPAc72ss5pKL93yMax7pH3F2d1ugMeSWpy:LE32xpoaxBFg1ugMeSB

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	0x0007000000015c2f-106.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 3 IoCs

pid	Process
4752	explothe.exe
208	explothe.exe
548	explothe.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2900	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1124	svchost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 964 wrote to memory of 4752	964	0x0007000000015c2f-106.exe	83
PID 964 wrote to memory of 4752	964	0x0007000000015c2f-106.exe	83
PID 964 wrote to memory of 4752	964	0x0007000000015c2f-106.exe	83
PID 4752 wrote to memory of 2900	4752	explothe.exe	85
PID 4752 wrote to memory of 2900	4752	explothe.exe	85
PID 4752 wrote to memory of 2900	4752	explothe.exe	85
PID 4752 wrote to memory of 1020	4752	explothe.exe	87
PID 4752 wrote to memory of 1020	4752	explothe.exe	87
PID 4752 wrote to memory of 1020	4752	explothe.exe	87
PID 1020 wrote to memory of 1076	1020	cmd.exe	89
PID 1020 wrote to memory of 1076	1020	cmd.exe	89
PID 1020 wrote to memory of 1076	1020	cmd.exe	89
PID 1020 wrote to memory of 4116	1020	cmd.exe	90
PID 1020 wrote to memory of 4116	1020	cmd.exe	90
PID 1020 wrote to memory of 4116	1020	cmd.exe	90
PID 1020 wrote to memory of 1048	1020	cmd.exe	91
PID 1020 wrote to memory of 1048	1020	cmd.exe	91
PID 1020 wrote to memory of 1048	1020	cmd.exe	91
PID 1020 wrote to memory of 4604	1020	cmd.exe	92
PID 1020 wrote to memory of 4604	1020	cmd.exe	92
PID 1020 wrote to memory of 4604	1020	cmd.exe	92
PID 1020 wrote to memory of 2252	1020	cmd.exe	93
PID 1020 wrote to memory of 2252	1020	cmd.exe	93
PID 1020 wrote to memory of 2252	1020	cmd.exe	93
PID 1020 wrote to memory of 756	1020	cmd.exe	94
PID 1020 wrote to memory of 756	1020	cmd.exe	94
PID 1020 wrote to memory of 756	1020	cmd.exe	94
PID 4752 wrote to memory of 1696	4752	explothe.exe	109
PID 4752 wrote to memory of 1696	4752	explothe.exe	109
PID 4752 wrote to memory of 1696	4752	explothe.exe	109

C:\Users\Admin\AppData\Local\Temp\0x0007000000015c2f-106.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000015c2f-106.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:964
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:4116
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:1048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4604
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:756
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1696

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
67696e26f3b79be4e8564dbd95362d01

SHA1
062d0da2631fec197eb4abb2c7e507abd74cf99b

SHA256
4f96600938fe98dea88f2b26dcb43b898b34b00dca45650bdb32b6831ca0d2d1

SHA512
d33c214bd74fad9ef41c089c01f8ea293cbb423c1c55cf571633a3ac7b3ac6fb4851cd4131bb7c4c852c96099ea1f3e92fbfbef84babd444baff34cd074ca94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
227KB

MD5
69d468f64dc451287c4d2af9e7e1e649

SHA1
7799b32a7a3c0e8679dade16ff97e60324e8b93c

SHA256
e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451

SHA512
b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
227KB

MD5
69d468f64dc451287c4d2af9e7e1e649

SHA1
7799b32a7a3c0e8679dade16ff97e60324e8b93c

SHA256
e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451

SHA512
b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
227KB

MD5
69d468f64dc451287c4d2af9e7e1e649

SHA1
7799b32a7a3c0e8679dade16ff97e60324e8b93c

SHA256
e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451

SHA512
b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
227KB

MD5
69d468f64dc451287c4d2af9e7e1e649

SHA1
7799b32a7a3c0e8679dade16ff97e60324e8b93c

SHA256
e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451

SHA512
b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
227KB

MD5
69d468f64dc451287c4d2af9e7e1e649

SHA1
7799b32a7a3c0e8679dade16ff97e60324e8b93c

SHA256
e88701f5f2bc931ade631c04c5d2d50e21ba0e64217c022d75b9c38fb132f451

SHA512
b8dc99a347a6d4fb7492830221bc89384f44f0f13cb17ef884e6b27e8fa7da5c7dda74bd276f9a3a6ff87373d01a11ed13243cb670cf372955270a558bc6f2bd

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
memory/1124-61-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-66-0x0000028F0B000000-0x0000028F0B001000-memory.dmp

Filesize
4KB

Download
memory/1124-57-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-58-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-59-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-60-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-55-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-62-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-63-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-64-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-65-0x0000028F0B010000-0x0000028F0B011000-memory.dmp

Filesize
4KB

Download
memory/1124-56-0x0000028F0B3F0000-0x0000028F0B3F1000-memory.dmp

Filesize
4KB

Download
memory/1124-68-0x0000028F0B010000-0x0000028F0B011000-memory.dmp

Filesize
4KB

Download
memory/1124-71-0x0000028F0B000000-0x0000028F0B001000-memory.dmp

Filesize
4KB

Download
memory/1124-74-0x0000028F0AF40000-0x0000028F0AF41000-memory.dmp

Filesize
4KB

Download
memory/1124-54-0x0000028F0B3C0000-0x0000028F0B3C1000-memory.dmp

Filesize
4KB

Download
memory/1124-86-0x0000028F0B140000-0x0000028F0B141000-memory.dmp

Filesize
4KB

Download
memory/1124-88-0x0000028F0B150000-0x0000028F0B151000-memory.dmp

Filesize
4KB

Download
memory/1124-89-0x0000028F0B150000-0x0000028F0B151000-memory.dmp

Filesize
4KB

Download
memory/1124-90-0x0000028F0B260000-0x0000028F0B261000-memory.dmp

Filesize
4KB

Download
memory/1124-38-0x0000028F02E40000-0x0000028F02E50000-memory.dmp

Filesize
64KB

Download
memory/1124-22-0x0000028F02D40000-0x0000028F02D50000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads