Overview

overview

10

Static

static

3

48bcf2b8e6...9e.exe

windows7-x64

10

48bcf2b8e6...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2023 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe

  • Size

    389KB

  • MD5

    06db095ad745f4d74172f4fba8f3627b

  • SHA1

    ca7b62c845365ba6b89293c58b765ae6e583574f

  • SHA256

    48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e

  • SHA512

    394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207

  • SSDEEP

    6144:QBILQwvGEKYPrXiR8vXkQlJIX6nIFI9he4jy1JKSH:QBI8wuXCXiRclJ5x9hly1x

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

4.11

C2

http://shohetrc.com

http://sibcomputer.ru

http://tve-mail.com
Attributes
  • install_dir

    d4dd819322

  • install_file

    Utsysc.exe

  • strings_key

    8419b3024d6f72beef8af6915e592308

  • url_paths

    /forum/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe
    "C:\Users\Admin\AppData\Local\Temp\48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3848
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 584
      2⤵
      • Program crash
      PID:3952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 668
      2⤵
      • Program crash
      PID:3964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 736
      2⤵
      • Program crash
      PID:4044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 856
      2⤵
      • Program crash
      PID:4292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 856
      2⤵
      • Program crash
      PID:4316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 856
      2⤵
      • Program crash
      PID:2032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1012
      2⤵
      • Program crash
      PID:2112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1048
      2⤵
      • Program crash
      PID:1628
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1164
      2⤵
      • Program crash
      PID:2508
    • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
      "C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe"
      2⤵
      • Executes dropped EXE
      PID:4976
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3848 -ip 3848
    1⤵
      PID:2380
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3848 -ip 3848
      1⤵
        PID:4700
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3848 -ip 3848
        1⤵
          PID:3976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3848 -ip 3848
          1⤵
            PID:4680
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3848 -ip 3848
            1⤵
              PID:3132
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3848 -ip 3848
              1⤵
                PID:3300
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3848 -ip 3848
                1⤵
                  PID:2516
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3848 -ip 3848
                  1⤵
                    PID:4184
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3848 -ip 3848
                    1⤵
                      PID:3696

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
                      Filesize

                      389KB

                      MD5

                      06db095ad745f4d74172f4fba8f3627b

                      SHA1

                      ca7b62c845365ba6b89293c58b765ae6e583574f

                      SHA256

                      48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e

                      SHA512

                      394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
                      Filesize

                      389KB

                      MD5

                      06db095ad745f4d74172f4fba8f3627b

                      SHA1

                      ca7b62c845365ba6b89293c58b765ae6e583574f

                      SHA256

                      48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e

                      SHA512

                      394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\d4dd819322\Utsysc.exe
                      Filesize

                      389KB

                      MD5

                      06db095ad745f4d74172f4fba8f3627b

                      SHA1

                      ca7b62c845365ba6b89293c58b765ae6e583574f

                      SHA256

                      48bcf2b8e6a7bd4a807cde942b014848dfc1a0e65fde4959f6c187ea547e659e

                      SHA512

                      394d58e36537cb2bdfd6ed5c7c0a46a8d07dd9e9c835b8bdf7ee8a7604558a217ec59eca29372cb788ee0a9708a33f2db9c1f78bebda5b799196f712a346a207

                      Download Submit

                    • memory/3848-1-0x0000000000550000-0x0000000000650000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/3848-2-0x0000000000720000-0x000000000078C000-memory.dmp

                      Filesize

                      432KB

                      Download

                    • memory/3848-3-0x0000000000400000-0x0000000000514000-memory.dmp

                      Filesize

                      1.1MB

                      Download

                    • memory/3848-15-0x0000000000400000-0x0000000000514000-memory.dmp

                      Filesize

                      1.1MB

                      Download

                    • memory/3848-16-0x0000000000720000-0x000000000078C000-memory.dmp

                      Filesize

                      432KB

                      Download