amadey | 93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2023 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6866f4e7450d085b19ad1aa9adaca819.exe
Size

1.5MB
MD5

6866f4e7450d085b19ad1aa9adaca819
SHA1

4afc3a0de610f45dbf8eb83da2a16052c2a81b01
SHA256

93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e
SHA512

4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8
SSDEEP

24576:NQIsq2Q2GOAO4fCCy7gtsICmEly/nDBRyqni3xbU4eWxDJ3YsXv6+tH9ZPz1:NQIsq2Q2GOAO4fCZ7YsL8/KqihAsxDJX

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

4.13

http://65.108.99.238

http://brodoyouevenlift.co.za

Attributes

strings_key
bda044f544861e32e95f5d49b3939bcc
url_paths
/yXNwKVfkS28Y/index.php

/g5ddWs/index.php

/pOVxaw24d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6866f4e7450d085b19ad1aa9adaca819.exeUtsysc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	6866f4e7450d085b19ad1aa9adaca819.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation	Utsysc.exe

Executes dropped EXE 6 IoCs

Processes:

Utsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

pid process

3916 Utsysc.exe
3964 Utsysc.exe
1616 Utsysc.exe
3060 Utsysc.exe
1188 Utsysc.exe
692 Utsysc.exe

pid	process
3916	Utsysc.exe
3964	Utsysc.exe
1616	Utsysc.exe
3060	Utsysc.exe
1188	Utsysc.exe
692	Utsysc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

6866f4e7450d085b19ad1aa9adaca819.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 4016 set thread context of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 3916 set thread context of 3964	3916	Utsysc.exe	Utsysc.exe
PID 1616 set thread context of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1188 set thread context of 692	1188	Utsysc.exe	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2476 schtasks.exe

pid	process
2476	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6866f4e7450d085b19ad1aa9adaca819.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process
Token: SeDebugPrivilege	4016	6866f4e7450d085b19ad1aa9adaca819.exe
Token: SeDebugPrivilege	3916	Utsysc.exe
Token: SeDebugPrivilege	1616	Utsysc.exe
Token: SeDebugPrivilege	1188	Utsysc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6866f4e7450d085b19ad1aa9adaca819.exe

pid process

2892 6866f4e7450d085b19ad1aa9adaca819.exe

pid	process
2892	6866f4e7450d085b19ad1aa9adaca819.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

6866f4e7450d085b19ad1aa9adaca819.exe6866f4e7450d085b19ad1aa9adaca819.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 4016 wrote to memory of 2892	4016	6866f4e7450d085b19ad1aa9adaca819.exe	6866f4e7450d085b19ad1aa9adaca819.exe
PID 2892 wrote to memory of 3916	2892	6866f4e7450d085b19ad1aa9adaca819.exe	Utsysc.exe
PID 2892 wrote to memory of 3916	2892	6866f4e7450d085b19ad1aa9adaca819.exe	Utsysc.exe
PID 2892 wrote to memory of 3916	2892	6866f4e7450d085b19ad1aa9adaca819.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3916 wrote to memory of 3964	3916	Utsysc.exe	Utsysc.exe
PID 3964 wrote to memory of 2476	3964	Utsysc.exe	schtasks.exe
PID 3964 wrote to memory of 2476	3964	Utsysc.exe	schtasks.exe
PID 3964 wrote to memory of 2476	3964	Utsysc.exe	schtasks.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1616 wrote to memory of 3060	1616	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe
PID 1188 wrote to memory of 692	1188	Utsysc.exe	Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\6866f4e7450d085b19ad1aa9adaca819.exe
"C:\Users\Admin\AppData\Local\Temp\6866f4e7450d085b19ad1aa9adaca819.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\6866f4e7450d085b19ad1aa9adaca819.exe
C:\Users\Admin\AppData\Local\Temp\6866f4e7450d085b19ad1aa9adaca819.exe
2⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe" /F
5⤵
- Creates scheduled task(s)
PID:2476

C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe
2⤵
- Executes dropped EXE
PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Utsysc.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\037ceed7fc\Utsysc.exe

Filesize
1.5MB

MD5
6866f4e7450d085b19ad1aa9adaca819

SHA1
4afc3a0de610f45dbf8eb83da2a16052c2a81b01

SHA256
93583dfa872b44e13e449cdfbbe20e64851dbe0e615f30b0313d2cb6a9b2309e

SHA512
4d35943770423afe92784836a0aeb2d69c6d929d6208b2d3bd5dd347f54a58e4bcc2e074fc8a930d0d6fbddc3dc4082b362aced683d81966ed488e22d7b9c7c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\350690463354

Filesize
78KB

MD5
225a187f204091a60c6072b0bc10ffae

SHA1
919c5bd9344cb70d9ba14ccf6169e0a5c620a2a1

SHA256
da5ed8b5219175bc105cfe135e23f36264d1483fd4ff11952bfebd6fd74f415c

SHA512
c67cbd0e12a35b0c16e34c0c73646cf5c67704869f6b40a227b07bb1e6cccf93592f751557645b55069d54c294b9fda5c1df5e173f964700d8d1af9daf7a1525

Download Submit
memory/692-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/692-76-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/692-75-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1188-69-0x0000000072E00000-0x00000000735B0000-memory.dmp

Filesize
7.7MB

Download
memory/1188-70-0x00000000049C0000-0x00000000049D0000-memory.dmp

Filesize
64KB

Download
memory/1188-74-0x0000000072E00000-0x00000000735B0000-memory.dmp

Filesize
7.7MB

Download
memory/1616-59-0x0000000072E00000-0x00000000735B0000-memory.dmp

Filesize
7.7MB

Download
memory/1616-61-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1616-65-0x0000000072E00000-0x00000000735B0000-memory.dmp

Filesize
7.7MB

Download
memory/2892-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-27-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2892-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3060-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3060-64-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3060-67-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3916-34-0x0000000072D30000-0x00000000734E0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-28-0x0000000072D30000-0x00000000734E0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-29-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/3964-37-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3964-36-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3964-57-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3964-35-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3964-33-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4016-12-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-1-0x00000000749F0000-0x00000000751A0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-7-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/4016-6-0x0000000005620000-0x000000000566C000-memory.dmp

Filesize
304KB

Download
memory/4016-5-0x00000000055C0000-0x0000000005620000-memory.dmp

Filesize
384KB

Download
memory/4016-4-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/4016-3-0x0000000005560000-0x00000000055C0000-memory.dmp

Filesize
384KB

Download
memory/4016-2-0x00000000054E0000-0x000000000555A000-memory.dmp

Filesize
488KB

Download
memory/4016-0-0x00000000009A0000-0x0000000000B1A000-memory.dmp

Filesize
1.5MB

Download