Analysis
-
max time kernel
148s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
25-11-2023 09:30
General
-
Target
48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe
-
Size
389KB
-
MD5
06db095ad745f4d74172f4fba8f3627b
-
SHA1
ca7b62c845365ba6b89293c58b765ae6e583574f
-
SHA256
48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e
-
SHA512
394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207
-
SSDEEP
6144:QBILQwvGEKYPrXiR8vXkQlJIX6nIFI9he4jy1JKSH:QBI8wuXCXiRclJ5x9hly1x
Malware Config
Extracted
amadey
4.11
http://shohetrc.com
http://sibcomputer.ru
http://tve-mail.com
-
install_dir
d4dd819322
-
install_file
Utsysc.exe
-
strings_key
8419b3024d6f72beef8af6915e592308
-
url_paths
/forum/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe"C:\Users\Admin\AppData\Local\Temp\48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe"1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 5842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 6682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 7362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 8562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 8562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 8562⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 10122⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 10482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 11642⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3848 -ip 38481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3848 -ip 38481⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exeFilesize
389KB
MD506db095ad745f4d74172f4fba8f3627b
SHA1ca7b62c845365ba6b89293c58b765ae6e583574f
SHA25648bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e
SHA512394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207
-
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exeFilesize
389KB
MD506db095ad745f4d74172f4fba8f3627b
SHA1ca7b62c845365ba6b89293c58b765ae6e583574f
SHA25648bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e
SHA512394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207
-
C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exeFilesize
389KB
MD506db095ad745f4d74172f4fba8f3627b
SHA1ca7b62c845365ba6b89293c58b765ae6e583574f
SHA25648bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e
SHA512394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207
-
memory/3848-1-0x0000000000550000-0x0000000000650000-memory.dmpFilesize
1024KB
-
memory/3848-2-0x0000000000720000-0x000000000078C000-memory.dmpFilesize
432KB
-
memory/3848-3-0x0000000000400000-0x0000000000514000-memory.dmpFilesize
1.1MB
-
memory/3848-15-0x0000000000400000-0x0000000000514000-memory.dmpFilesize
1.1MB
-
memory/3848-16-0x0000000000720000-0x000000000078C000-memory.dmpFilesize
432KB