amadey | 4439c40b5de4942e215ac33995c521bd20c906125ef009c913fcf466c7406f19

Resubmissions

28/06/2024, 17:14

240628-vr2fbaxclf 10

09/03/2024, 17:17

240309-vtrnwsdg2s 10

Analysis

max time kernel
209s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OneApp.IGCC.WinService.exe
Size

5.5MB
MD5

0cb7d11ea511391d791b0fbb9637ee79
SHA1

96c13496ad8342bdf1cb0ffbe59f673c8395e99b
SHA256

502129a00203367b15d57f87b5b51d01fb292928708decb723cd7ad866a7fda3
SHA512

8823a02a66d883cb7bffce5f4c93a216dd3280f5f65b340b00b8d6e72112327ef4e64fe6cd3c43dfe3dc7e241d19d4ea98bc9e9e3d49ca2818131920b4093aeb
SSDEEP

98304:MXu+i79EbSTjewAV6G67Ngr9wZZGBysnji/MZ/HqLGdOVnhamYMNwHYo8C4Esg6:MXuzCSTqwAV63Ngr9w6Zj5lHkG8hzqHw

Score

10^/10

amadey persistence trojan

Malware Config

Extracted

Family

amadey

Version

4.18

http://pleasurecanbesafe.com

Attributes

install_dir
40c3273379
install_file
Dctooux.exe
strings_key
65688f14a915e81474c2405160e45f77
url_paths
/7vAficZogD/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	procmap.exe

Loads dropped DLL 1 IoCs

pid	Process
2452	procmap.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\file.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000595011\\file.dll, slumlike"	procmap.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 1512	4920	OneApp.IGCC.WinService.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4920	OneApp.IGCC.WinService.exe
4920	OneApp.IGCC.WinService.exe
1512	more.com
1512	more.com
1512	more.com
1512	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4920	OneApp.IGCC.WinService.exe
1512	more.com

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1512	4920	OneApp.IGCC.WinService.exe	89
PID 4920 wrote to memory of 1512	4920	OneApp.IGCC.WinService.exe	89
PID 4920 wrote to memory of 1512	4920	OneApp.IGCC.WinService.exe	89
PID 4920 wrote to memory of 1512	4920	OneApp.IGCC.WinService.exe	89
PID 1512 wrote to memory of 2452	1512	more.com	103
PID 1512 wrote to memory of 2452	1512	more.com	103
PID 1512 wrote to memory of 2452	1512	more.com	103
PID 1512 wrote to memory of 2452	1512	more.com	103
PID 1512 wrote to memory of 2452	1512	more.com	103
PID 2452 wrote to memory of 2160	2452	procmap.exe	104
PID 2452 wrote to memory of 2160	2452	procmap.exe	104
PID 2452 wrote to memory of 2160	2452	procmap.exe	104
PID 1512 wrote to memory of 2452	1512	more.com	103

C:\Users\Admin\AppData\Local\Temp\OneApp.IGCC.WinService.exe
"C:\Users\Admin\AppData\Local\Temp\OneApp.IGCC.WinService.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\procmap.exe
    C:\Users\Admin\AppData\Local\Temp\procmap.exe
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000595011\file.dll, slumlike
      4⤵
      PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000595011\file.dll

Filesize
36KB

MD5
fd897ccc5e6c4ef515fe7903302c5f9f

SHA1
16d75960adeee93dfb8da0faf1928791c9a06297

SHA256
68679dcbf4eabbd1c275dfe625439e7302e1443be76da732d47e6aaaff06e140

SHA512
6aafe5582210128c12394304e4fdf2656c9426f52dcaea5919c27014c275359f957c63331fe58d4beac24cc43189ded378e62ce46c6ab770fa81f3d201a75d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\a05c4cbb

Filesize
1.1MB

MD5
bde5657400301c1a699a1772f4228a63

SHA1
b222c4506ed8f16beb9ff3576e62c90cd43751d1

SHA256
553435fded88d3fb4062abd6f38eb3759b3e814c0923a93f435f52ed94a85174

SHA512
0074e2bcf5bc28b36dd979e0de0e41b065045cf7c350ad387a1370260ccefeb85c7d41e0f6ce57da6d81c088947dfacdf9fd73b88696296d4b113789f9bc563c

Download Submit
C:\Users\Admin\AppData\Local\Temp\procmap.exe

Filesize
13KB

MD5
0c13dfbc137a3bb4cc8da0b6301e9468

SHA1
f2ce29eed4c9f219dab415cf6729ee06c8fcff4d

SHA256
ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9

SHA512
e9343db4f416b4428745e57e47626e7ce52a21d0fa904915554fd900bab1b26d49d0f77b74bbf5404ec898b19af2287cdef3ed6b8ccf50760767eb3fc204a895

Download Submit
memory/1512-11-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/1512-17-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/1512-13-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/1512-6-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/1512-8-0x00007FFFEAFB0000-0x00007FFFEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/2452-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2452-21-0x00007FFFEAFB0000-0x00007FFFEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/2452-22-0x0000000000570000-0x00000000005DD000-memory.dmp

Filesize
436KB

Download
memory/2452-37-0x0000000000570000-0x00000000005DD000-memory.dmp

Filesize
436KB

Download
memory/2452-38-0x0000000000570000-0x00000000005DD000-memory.dmp

Filesize
436KB

Download
memory/4920-4-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/4920-3-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download
memory/4920-2-0x00007FFFEAFB0000-0x00007FFFEB1A5000-memory.dmp

Filesize
2.0MB

Download
memory/4920-0-0x0000000000400000-0x0000000000A04000-memory.dmp

Filesize
6.0MB

Download
memory/4920-1-0x00000000751E0000-0x000000007535B000-memory.dmp

Filesize
1.5MB

Download