Analysis
-
max time kernel
1s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
-
submitted
04-12-2023 19:10
General
-
Target
58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1.exe
-
Size
2.2MB
-
MD5
1d32535deb1c523d0be798ff37593efa
-
SHA1
af8d446c2b97ee254b06924423b17cd95e8c0d27
-
SHA256
58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
-
SHA512
3aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
-
SSDEEP
49152:HM864hpl6/xzfnZHKEI92BtxHWfq7918JgFOwZko:s81pg+EIYBtZWfq7918exb
Malware Config
Extracted
amadey
4.13
http://185.172.128.125
-
install_dir
4fdb51ccdc
-
install_file
Utsysc.exe
-
strings_key
a70b05054314f381be1ab9a5cdc8b250
-
url_paths
/u6vhSc3PPq/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 45 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1.exe"C:\Users\Admin\AppData\Local\Temp\58233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD51d32535deb1c523d0be798ff37593efa
SHA1af8d446c2b97ee254b06924423b17cd95e8c0d27
SHA25658233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
SHA5123aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
-
Filesize
2.2MB
MD51d32535deb1c523d0be798ff37593efa
SHA1af8d446c2b97ee254b06924423b17cd95e8c0d27
SHA25658233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
SHA5123aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
-
Filesize
2.2MB
MD51d32535deb1c523d0be798ff37593efa
SHA1af8d446c2b97ee254b06924423b17cd95e8c0d27
SHA25658233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
SHA5123aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
-
Filesize
2.2MB
MD51d32535deb1c523d0be798ff37593efa
SHA1af8d446c2b97ee254b06924423b17cd95e8c0d27
SHA25658233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
SHA5123aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
-
Filesize
2.2MB
MD51d32535deb1c523d0be798ff37593efa
SHA1af8d446c2b97ee254b06924423b17cd95e8c0d27
SHA25658233388d4840d05814fac8b1d2c844c2d224a013194b1cbcfb8a7adca6e18a1
SHA5123aab24ce42cc650dafb71f68acc0e63c92a8c87e6d9eef653d2eddc36891801fb03ec0dd70c7d8feff03aa27560e4bce7d7bbff6abd44ecbb7f8f893f429a085
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
8KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB
-
Filesize
7.0MB
-
Filesize
7.0MB
-
Filesize
960KB