amadey | bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

Analysis

max time kernel
140s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2023 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

778KB
MD5

d182c5cc932fdf30690e58b1c7e297de
SHA1

249540ccad900d3cc6c5b2ccc9447d5ca895879d
SHA256

bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68
SHA512

7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380
SSDEEP

12288:6bgEa19Hi8mgRp0rAj67YdHZhvWvMS8jTRaFxnn4wGTl:zPmy0rm1XvWvt8jTw/0T

Score

10^/10

amadey trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 7 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

1460 Utsysc.exe
3564 Utsysc.exe
2140 Utsysc.exe
2348 Utsysc.exe
2836 Utsysc.exe
1816 Utsysc.exe
4312 Utsysc.exe

pid	process
1460	Utsysc.exe
3564	Utsysc.exe
2140	Utsysc.exe
2348	Utsysc.exe
2836	Utsysc.exe
1816	Utsysc.exe
4312	Utsysc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 640 set thread context of 1068	640	tmp.exe	tmp.exe
PID 1460 set thread context of 3564	1460	Utsysc.exe	Utsysc.exe
PID 2140 set thread context of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2836 set thread context of 4312	2836	Utsysc.exe	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3100 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Utsysc.exe

pid process

2836 Utsysc.exe
2836 Utsysc.exe

pid	process
3100	schtasks.exe

pid	process
2836	Utsysc.exe
2836	Utsysc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process
Token: SeDebugPrivilege	640	tmp.exe
Token: SeDebugPrivilege	1460	Utsysc.exe
Token: SeDebugPrivilege	2140	Utsysc.exe
Token: SeDebugPrivilege	2836	Utsysc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tmp.exe

pid process

1068 tmp.exe

pid	process
1068	tmp.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

tmp.exetmp.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 640 wrote to memory of 1068	640	tmp.exe	tmp.exe
PID 1068 wrote to memory of 1460	1068	tmp.exe	Utsysc.exe
PID 1068 wrote to memory of 1460	1068	tmp.exe	Utsysc.exe
PID 1068 wrote to memory of 1460	1068	tmp.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 1460 wrote to memory of 3564	1460	Utsysc.exe	Utsysc.exe
PID 3564 wrote to memory of 3100	3564	Utsysc.exe	schtasks.exe
PID 3564 wrote to memory of 3100	3564	Utsysc.exe	schtasks.exe
PID 3564 wrote to memory of 3100	3564	Utsysc.exe	schtasks.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2140 wrote to memory of 2348	2140	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 1816	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 1816	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 1816	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe
PID 2836 wrote to memory of 4312	2836	Utsysc.exe	Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:3100

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe
2⤵
- Executes dropped EXE
PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log

Filesize
1KB

MD5
f7047b64aa01f9d80c7a5e177ce2485c

SHA1
bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8

SHA256
807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915

SHA512
a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f

Download Submit
C:\Users\Admin\AppData\Local\Temp\873812795143

Filesize
78KB

MD5
d9e564c69a2e79f500160d14bbb94958

SHA1
1fee8c89bbed7d52cf3027147434631e9190e41b

SHA256
1ef408c4afb8b80c7a17c2a85a66e233ad3e2f24eb405345d0e6effdc40c8d7c

SHA512
43fd8c978e9e34075cd3642ba48026b6cb6390cf73fd97630348cd9fcaf217b1df1b553c169e2c952b14176ee64c83c1c06e0130d2a4176e3c45cf816f503d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce3eb8f6b2\Utsysc.exe

Filesize
778KB

MD5
d182c5cc932fdf30690e58b1c7e297de

SHA1
249540ccad900d3cc6c5b2ccc9447d5ca895879d

SHA256
bb150377b93d4df2a877a68e700490644290a0ea59001c189e55bbf62bad1e68

SHA512
7038d3a737edd97fa9278c5c76df5e5cccfd0b6bc10cf76d422e0ec3b244519863d959b350dc3b8712203df6bf6f9f134db68b60545421bd6c65b83ec0aef380

Download Submit
memory/640-7-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

Filesize
304KB

Download
memory/640-0-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/640-1-0x0000000000F60000-0x0000000001028000-memory.dmp

Filesize
800KB

Download
memory/640-15-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/640-2-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/640-3-0x00000000059C0000-0x0000000005A38000-memory.dmp

Filesize
480KB

Download
memory/640-10-0x0000000006490000-0x0000000006A34000-memory.dmp

Filesize
5.6MB

Download
memory/640-9-0x0000000005E70000-0x0000000005ED6000-memory.dmp

Filesize
408KB

Download
memory/640-4-0x0000000005A40000-0x0000000005ABA000-memory.dmp

Filesize
488KB

Download
memory/640-8-0x0000000005DD0000-0x0000000005E62000-memory.dmp

Filesize
584KB

Download
memory/640-6-0x0000000005C60000-0x0000000005CC0000-memory.dmp

Filesize
384KB

Download
memory/640-5-0x0000000005AC0000-0x0000000005B20000-memory.dmp

Filesize
384KB

Download
memory/1068-30-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1068-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1068-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1068-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1068-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1460-37-0x0000000072370000-0x0000000072B20000-memory.dmp

Filesize
7.7MB

Download
memory/1460-31-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/1460-32-0x0000000072370000-0x0000000072B20000-memory.dmp

Filesize
7.7MB

Download
memory/2140-58-0x00000000725B0000-0x0000000072D60000-memory.dmp

Filesize
7.7MB

Download
memory/2140-51-0x00000000725B0000-0x0000000072D60000-memory.dmp

Filesize
7.7MB

Download
memory/2140-52-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2348-55-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2348-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2836-69-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/2836-68-0x00000000725B0000-0x0000000072D60000-memory.dmp

Filesize
7.7MB

Download
memory/2836-76-0x00000000725B0000-0x0000000072D60000-memory.dmp

Filesize
7.7MB

Download
memory/3564-38-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3564-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3564-48-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3564-39-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3564-40-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4312-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4312-74-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4312-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download