Overview

overview

10

Static

static

7

172cb28c1c...JC.exe

windows7-x64

10

172cb28c1c...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    162s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 00:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01_JC.exe

  • Size

    6.9MB

  • MD5

    56c197e493f74f9233a16cdefab3109f

  • SHA1

    af35bd2fd5d884bdf6bea8aac695e98f5a00715a

  • SHA256

    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01

  • SHA512

    d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086

  • SSDEEP

    98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E

Score
10/10
amadeyevasionpersistencetrojanvmprotect

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://5.42.64.33/vu3skClDn/index.php

Attributes
  • install_dir

    a304d35d74

  • install_file

    yiueea.exe

  • strings_key

    3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01_JC.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01_JC.exe /TR "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01_JC.exe" /F
      2⤵
      • Creates scheduled task(s)
      PID:3932
    • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
      "C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s10o.0.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1572
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4988
        • C:\ProgramData\presepuesto\LEAJ.exe
          "C:\ProgramData\presepuesto\LEAJ.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:3440
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
            5⤵
            • Creates scheduled task(s)
            PID:4244
  • C:\ProgramData\presepuesto\LEAJ.exe
    C:\ProgramData\presepuesto\LEAJ.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\presepuesto\LEAJ.exe
    Filesize

    5.6MB

    MD5

    55a7682ff0b918010481c8daa6b76a32

    SHA1

    e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

    SHA256

    033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

    SHA512

    794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

    Download Submit

  • C:\ProgramData\presepuesto\LEAJ.exe
    Filesize

    5.6MB

    MD5

    55a7682ff0b918010481c8daa6b76a32

    SHA1

    e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

    SHA256

    033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

    SHA512

    794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

    Download Submit

  • C:\ProgramData\presepuesto\LEAJ.exe
    Filesize

    5.6MB

    MD5

    55a7682ff0b918010481c8daa6b76a32

    SHA1

    e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

    SHA256

    033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

    SHA512

    794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000002051\BRR.exe
    Filesize

    708B

    MD5

    2382378378c002d88b9a507c712c3349

    SHA1

    2e894db3808b554abadc8b144338ad9e2ea937ba

    SHA256

    37a4e56c497e170de6e152bc479624eb8d7ccb35bad5a190f2fdb17ac699cffa

    SHA512

    2120f9ae9e5d63ee9aa5aa25e24081662059bdeb01afd8b21ddb8bdfff22832ea0c1dec51dbcbf714e1e82537d624f0ddf0b862ff218b9d2a38941fbe63c3258

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
    Filesize

    5.6MB

    MD5

    55a7682ff0b918010481c8daa6b76a32

    SHA1

    e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

    SHA256

    033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

    SHA512

    794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
    Filesize

    5.6MB

    MD5

    55a7682ff0b918010481c8daa6b76a32

    SHA1

    e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

    SHA256

    033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

    SHA512

    794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
    Filesize

    5.6MB

    MD5

    55a7682ff0b918010481c8daa6b76a32

    SHA1

    e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

    SHA256

    033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

    SHA512

    794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe
    Filesize

    196B

    MD5

    62962daa1b19bbcc2db10b7bfd531ea6

    SHA1

    d64bae91091eda6a7532ebec06aa70893b79e1f8

    SHA256

    80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

    SHA512

    9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s10o.0.bat
    Filesize

    175B

    MD5

    70c0de19609b3adff1197647d9687861

    SHA1

    28fa329768fcb042a3c73ca81da455462e4f698d

    SHA256

    1f268faee8ac255861abd6131d1f7539a727a0140e27dd79c84f5c3e760e9edc

    SHA512

    d4d252ba965d76c573077640d706b569a1fe37fd63e831fbf2026945e6265a8639c21c5d44c18148089f6d2b330b4a03c377fc9210614193cecf1ece0361976e

    Download Submit

  • memory/8-24-0x0000000000080000-0x0000000000AF0000-memory.dmp

    Filesize

    10.4MB

    Download

  • memory/8-1-0x0000000000080000-0x0000000000AF0000-memory.dmp

    Filesize

    10.4MB

    Download

  • memory/8-2-0x0000000000080000-0x0000000000AF0000-memory.dmp

    Filesize

    10.4MB

    Download

  • memory/8-0-0x0000000001350000-0x0000000001351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1320-58-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/1320-57-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/1320-64-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/1320-56-0x0000000076FB4000-0x0000000076FB6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1320-51-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/1320-48-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/1320-47-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/3440-79-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/3440-78-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/3440-73-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/3440-80-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/3440-84-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/3440-69-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4112-86-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4112-91-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4112-96-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4112-97-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download

  • memory/4112-98-0x0000000000400000-0x0000000001219000-memory.dmp

    Filesize

    14.1MB

    Download