Overview

overview

10

Static

static

7

172cb28c1c...01.exe

windows7-x64

10

172cb28c1c...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe

  • Size

    6.9MB

  • MD5

    56c197e493f74f9233a16cdefab3109f

  • SHA1

    af35bd2fd5d884bdf6bea8aac695e98f5a00715a

  • SHA256

    172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01

  • SHA512

    d2830cfebfaa859f5fca15e3c81799e99c3cb31f72b1075d8828f03a490bfe6196b34d35bbcaede32a6d63d5c2d9bc17bea009e1bd8787cb4397f6627328b086

  • SSDEEP

    98304:ULop5mhzd71cBjG9Azp56BV8cM0AnwGSOnTXsYGeCW1zbiG54WeOVEMMRHGV7E:0op5mqU9KE8nNZnTXaexbZWsMGV7E

Score
10/10
amadeyevasionpersistencetrojanvmprotect

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://5.42.64.33/vu3skClDn/index.php

Attributes
  • install_dir

    a304d35d74

  • install_file

    yiueea.exe

  • strings_key

    3ae6c4e6339065c6f5a368011bb5cb8c

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe /TR "C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe" /F
      2⤵
      • Creates scheduled task(s)
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
      "C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2dw.0.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3372
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2332
        • C:\ProgramData\presepuesto\LEAJ.exe
          "C:\ProgramData\presepuesto\LEAJ.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:4144
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
            5⤵
            • Creates scheduled task(s)
            PID:212
  • C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    C:\Users\Admin\AppData\Local\Temp\172cb28c1c7948ece5287c566e9a684c56e64d85574d1636d5204e168771ce01.exe
    1⤵
      PID:3908

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\presepuesto\LEAJ.exe
      Filesize

      5.6MB

      MD5

      55a7682ff0b918010481c8daa6b76a32

      SHA1

      e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

      SHA256

      033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

      SHA512

      794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

      Download Submit

    • C:\ProgramData\presepuesto\LEAJ.exe
      Filesize

      5.6MB

      MD5

      55a7682ff0b918010481c8daa6b76a32

      SHA1

      e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

      SHA256

      033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

      SHA512

      794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
      Filesize

      5.6MB

      MD5

      55a7682ff0b918010481c8daa6b76a32

      SHA1

      e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

      SHA256

      033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

      SHA512

      794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
      Filesize

      5.6MB

      MD5

      55a7682ff0b918010481c8daa6b76a32

      SHA1

      e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

      SHA256

      033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

      SHA512

      794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000071051\clip.exe
      Filesize

      5.6MB

      MD5

      55a7682ff0b918010481c8daa6b76a32

      SHA1

      e18309e4cd12d8217bc0d0f2ae3d58bf1a70cf5e

      SHA256

      033b38832db481d558743cc807a3657423535cc01d2e57fbca9035fa581e863d

      SHA512

      794d5c4d0ec7d5e00931251cfbc9d6da56d1d9964d43272849f4a424a448dba6c1549fa1f011bd8d07c31230922bd76e6cb69e11c4438b552fce98b9589de606

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1000498001\taskhost.exe
      Filesize

      196B

      MD5

      62962daa1b19bbcc2db10b7bfd531ea6

      SHA1

      d64bae91091eda6a7532ebec06aa70893b79e1f8

      SHA256

      80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880

      SHA512

      9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\s2dw.0.bat
      Filesize

      175B

      MD5

      c9aca48452f32aa7d94fff7e0c7bb294

      SHA1

      c502c69b7dbc64ee047f273b1899e6c8172f876d

      SHA256

      9169429724b3cc265685f9b3d4ec06d244f88bd5b613388bb7c50910e2158e50

      SHA512

      99cbb46385d9eb1e0595e51aca0f9f98f360b355616e08d34541b6a0f2c32b1fb87b5f8d2ae59b3e1cb6db770d3e23b5c2938664ef13550fa512f4679fedd0d6

      Download Submit

    • memory/3092-42-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/3092-33-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/3092-36-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/3092-41-0x0000000077384000-0x0000000077386000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3092-22-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/3092-43-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/3092-49-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/3908-67-0x0000000000620000-0x0000000001090000-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/4144-63-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/4144-65-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/4144-64-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/4144-54-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/4144-58-0x0000000000400000-0x0000000001219000-memory.dmp

      Filesize

      14.1MB

      Download

    • memory/4888-0-0x00000000015E0000-0x00000000015E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4888-2-0x0000000000620000-0x0000000001090000-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/4888-1-0x0000000000620000-0x0000000001090000-memory.dmp

      Filesize

      10.4MB

      Download

    • memory/4888-5-0x0000000000620000-0x0000000001090000-memory.dmp

      Filesize

      10.4MB

      Download