Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2024, 18:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe

  • Size

    1.4MB

  • MD5

    04055601abbd16ec6cc9e02450c19381

  • SHA1

    420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

  • SHA256

    b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

  • SHA512

    826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

  • SSDEEP

    24576:HhSIBky91oHhqyp54SWIbts8MZHq9NGCzgNgpiZtsyCx+OO9OKfNgd5H4+3:B3J91qhDp5HWAsF28ZtsJsOO9WH4g

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://185.172.128.3

http://cdnforbusiness.com
Attributes
  • install_dir

    One_Dragon_Center

  • install_file

    MSI.CentralServer.exe

  • strings_key

    fd2f5851d3165c210396dcbe9930d294

  • url_paths

    /QajE3OBS/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
    "C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    PID:628
  • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "MSI.CentralServer.exe" && timeout 1 && del "MSI.CentralServer.exe" && ren c36f10 MSI.CentralServer.exe && C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe && Exit"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "MSI.CentralServer.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:452
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:2584
      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:4964
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
              PID:3952
    • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:704
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
            PID:4088

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
              Filesize

              717B

              MD5

              822467b728b7a66b081c91795373789a

              SHA1

              d8f2f02e1eef62485a9feffd59ce837511749865

              SHA256

              af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

              SHA512

              bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
              Filesize

              299B

              MD5

              5ae8478af8dd6eec7ad4edf162dd3df1

              SHA1

              55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

              SHA256

              fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

              SHA512

              a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
              Filesize

              192B

              MD5

              8441b4b1912ca115dc675f3c24d73102

              SHA1

              b591c89569a64dd3aa8730321376d02ba48d5ae6

              SHA256

              930f4ac39bd395edfff5365c4044562a509b9e28d7be769f579617a244cb97dc

              SHA512

              d704e5d5bf1873a5f08e214ced6187c3b2441d7599145faa04e0d5491d6b7e31ab233f37f1ba817f40a2612c2ce4e54c73e223305666835ec39a9e5b7b001792

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
              Filesize

              192B

              MD5

              e9825cc51093adf353bc80d9b139f7d1

              SHA1

              3513045afb2ca88f2cde8c53d888df90e0f0aae1

              SHA256

              a98b1c09d87359fc8f8127a888ebab712a0dd1638abfc7cd8bb25886d1dd72d8

              SHA512

              241e6ce03e8ba411c9cc507f742fd8951b397fd2fdf1bc05eda771d4b8edfba1922ee1ec0215f751732ece3a69cc98be2fcfdf4678eb5e3e1fcc88a7c983eb67

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\472e3a54
              Filesize

              1.2MB

              MD5

              6143f9007a1b19642c76345546ba5db6

              SHA1

              a0fdee5c5e8674235a22ff0a11c17c9648485581

              SHA256

              062724e6361ae3b802d1a48c06d42d45e021b40a5c930ffec1d92d9a061a9b9a

              SHA512

              dcd72334c669c58baa393351b8c0a433dbcffc2aa3a1cd209078f42c15062af85ac7f6e5df7c2570eb3137371ea8593bf9f17f742ed9e2c7ca20e95eb6dd80bc

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\47ae20a9
              Filesize

              1.1MB

              MD5

              80c224056113090df0181619bcaae033

              SHA1

              d858fd23fbc86b1da7256d9c9d5d398adeb39c29

              SHA256

              af210a82b5bf2001fed63cdf251d21909a9dc382765e4054cb5ffd5b71db04c6

              SHA512

              aced1034dc3bdd7ec9cbf3afa531ff4129d92b3984186f2eff110cd83871d2465cd127fe60c9be4d2c5240f843d5541a233eea1bffda75481f59d44c39eb9c02

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\530d2c94
              Filesize

              1.0MB

              MD5

              3564741bdf8a110adb67072d7e2837fb

              SHA1

              e260038af6ef6ff8afd034cb4311edf855508ad1

              SHA256

              9a5f68fd3e96d865fefd05c4d15560da7aa41732bffa59da8bf5af87f8779c37

              SHA512

              a9dc1cbe50277b3d35c6e5c47aed57f91f596a1efeebf62de8971ed07125cc4f128cb14f601af39f94df98a0c0715d1b566eaa0c1a966bee0d36e9623457f23e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
              Filesize

              1.4MB

              MD5

              04055601abbd16ec6cc9e02450c19381

              SHA1

              420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

              SHA256

              b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

              SHA512

              826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\c36f10
              Filesize

              145KB

              MD5

              7a9f43248b98ad3fbbcf8723f19eb04f

              SHA1

              28edcb8423d677471e07e07fcc7df60357ff4e84

              SHA256

              2553d4aa7edff2d95082562ab9e626f05d4b4e6d32a9448b71b6433660acb95f

              SHA512

              388d4bc38694668ec71400add3100c7e73641f2d9492f86e73c5cfa3edaf60cf6b04cab9ffae5510d7d9518df73544bb415af63512ac6cabd31c94a8fb5d7c79

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\c36f10
              Filesize

              3.7MB

              MD5

              80f0f67821e14dc05947471e93f0b09a

              SHA1

              3ddeea07768b3b7d50aa5f00a52a1eaeef7ede2b

              SHA256

              7300e6a755a8606b1036b83af1bb6bbab6b10a83c93e0d5345d23c656b0a2422

              SHA512

              b90737641176201350e44c83ce82671f57a89d8afe647968a28efa18a5cd861c5c7d055106ddb5605b1513c8123d1fb6685083a4f861063ee0f22e04349b6652

              Download Submit

            • memory/628-0-0x0000000002FD0000-0x000000000303C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/628-6-0x0000000002FD0000-0x000000000303C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/628-1-0x0000000002FD0000-0x000000000303C000-memory.dmp

              Filesize

              432KB

              Download

            • memory/704-65-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/704-63-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/704-62-0x00007FFAE1CB0000-0x00007FFAE1EA5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/704-61-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/704-55-0x00000000008B0000-0x0000000000A58000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/1968-11-0x0000000002B90000-0x0000000002BFC000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1968-9-0x0000000002B90000-0x0000000002BFC000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1968-10-0x0000000002B90000-0x0000000002BFC000-memory.dmp

              Filesize

              432KB

              Download

            • memory/1968-27-0x0000000002B90000-0x0000000002BFC000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2212-36-0x00000000008B0000-0x0000000000A58000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/2212-45-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2212-42-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2212-44-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2212-43-0x00007FFAE1CB0000-0x00007FFAE1EA5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/2300-68-0x00007FFAE1CB0000-0x00007FFAE1EA5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3952-74-0x00007FFAE1CB0000-0x00007FFAE1EA5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/3952-75-0x0000000000360000-0x00000000003CF000-memory.dmp

              Filesize

              444KB

              Download

            • memory/3952-79-0x0000000000AA0000-0x0000000000ED3000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/3952-80-0x0000000000360000-0x00000000003CF000-memory.dmp

              Filesize

              444KB

              Download

            • memory/4088-81-0x00007FFAE1CB0000-0x00007FFAE1EA5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/4964-47-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4964-49-0x00007FFAE1CB0000-0x00007FFAE1EA5000-memory.dmp

              Filesize

              2.0MB

              Download

            • memory/4964-69-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4964-70-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4964-73-0x00000000732C0000-0x000000007343B000-memory.dmp

              Filesize

              1.5MB

              Download