Overview

overview

10

Static

static

1

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-03-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe

  • Size

    1.4MB

  • MD5

    04055601abbd16ec6cc9e02450c19381

  • SHA1

    420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

  • SHA256

    b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

  • SHA512

    826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

  • SSDEEP

    24576:HhSIBky91oHhqyp54SWIbts8MZHq9NGCzgNgpiZtsyCx+OO9OKfNgd5H4+3:B3J91qhDp5HWAsF28ZtsJsOO9WH4g

Score
10/10
amadeytrojan

Malware Config

Extracted

Family

amadey

Version

4.18

C2

http://185.172.128.3

http://cdnforbusiness.com
Attributes
  • install_dir

    One_Dragon_Center

  • install_file

    MSI.CentralServer.exe

  • strings_key

    fd2f5851d3165c210396dcbe9930d294

  • url_paths

    /QajE3OBS/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Executes dropped EXE 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
    "C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe"
    1⤵
    • Drops file in Windows directory
    PID:1472
  • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "MSI.CentralServer.exe" && timeout 1 && del "MSI.CentralServer.exe" && ren c36f10 MSI.CentralServer.exe && C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe && Exit"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im "MSI.CentralServer.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1476
      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            5⤵
              PID:2872
    • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:676
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          3⤵
            PID:1448

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
        Filesize

        717B

        MD5

        822467b728b7a66b081c91795373789a

        SHA1

        d8f2f02e1eef62485a9feffd59ce837511749865

        SHA256

        af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

        SHA512

        bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
        Filesize

        299B

        MD5

        5ae8478af8dd6eec7ad4edf162dd3df1

        SHA1

        55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

        SHA256

        fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

        SHA512

        a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
        Filesize

        192B

        MD5

        37193a24ef52c1a7536e28c860bdde31

        SHA1

        83e007683eb32f5b81c38ba639344940b8ba4726

        SHA256

        d7abb22633e43bf76ce10a72e975ae96a00df9fefacfe088a2b5aa8dd3481ce9

        SHA512

        087488b87dd8fbf88db761787c1f1883cfd55e70da9a4e0818f87673a6bc3185661f56419fb291f19a67bef427d165ba6beefbfdeff94f9682c844b11221bbd2

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
        Filesize

        192B

        MD5

        109abf956a3c414be4a101d20eae509f

        SHA1

        e0cb1c935cccf55a57cf66639d8bb13bbe9e2d44

        SHA256

        bde02805093e841eba08a27935ef77b2194e4e98b232ca55716c5e5475b01bd9

        SHA512

        adfd71b6bc39cde07e74a3bf0e802ffb50a9e220c50260061ad75d4afe9966d3b9b47338a248d05464f879e0eca9060d48efb0130e43addc83a27990c794a097

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1917ba19
        Filesize

        128KB

        MD5

        ff8774fb693db74d3cae3d7ff2e9087d

        SHA1

        db39cdf5bc47f214a4a1e1e865db34bbc53c4bfd

        SHA256

        00648def061cc4d442ecc46295b45d7df9c806617735a6edae1f3a44469c9646

        SHA512

        21b26bfea9f9d4a4ae7ed3fd9ccd9068dee7b908cee76bcd58d6090cc9c4ea58b59f4bd89b90c2a1eaa1b66506d87c72eb1c39205fa65fdec9cf6b6e00f32741

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\1b2b5d38
        Filesize

        89KB

        MD5

        df5c22d8d01c7abb0efee9a65f31715c

        SHA1

        3aeaeb90014d3a53bee06afb48825699bdfc8460

        SHA256

        e6e484fdec7220f2662c2550ce375fbffea80d2f7edb921e06003f66c19e2269

        SHA512

        98befc0b76c6712e5ed851ff9bb2ff8e01fad016dd2362e4ad70c3939748820cb86870d8af7c3dc3579757990306314c450ebb21a618401da9b5a0589b9f53c7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        Filesize

        442KB

        MD5

        5354778c1c198d065f5129cba8979bb2

        SHA1

        d1f0b0b7ef675f3484cc1d57a88c6a749b9d46d6

        SHA256

        5c5342a832644265ca09c5001a83e8aad955e694644fdce334364f14114a3a8e

        SHA512

        50ea98306aa1acef42eb492b3351c796a92eab588ef1958116d4c88467a64e072dbd7269935e53e942f2da3c5db2cbd322cefc39af8432cbac0047a4dd6d202d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        Filesize

        401KB

        MD5

        4a3d4394e848cda1d52900b704924ef0

        SHA1

        b0f9643869a1a422722cb1c279a3a3080f66ba3a

        SHA256

        7efa6654940afe40d26975022af8d0980e5656db22db788e95a0e6c8ae5a8e95

        SHA512

        aa249afd0bee0a4aac70adfaad29a06a606c0f4898095f57261396675f6cda7f6574f4c51ba94b993423f67ab08ee2877e47377af512fd240148c4d022985594

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        Filesize

        789KB

        MD5

        09fe6f6f40c0adc36a554750ca70f72d

        SHA1

        05049c5af84d520bf193dfb177966bb35c500f1e

        SHA256

        ebfecf5d450e3a9a3fe04fa2f20ae3e78f1871986fe784100c78d58eb1f02aea

        SHA512

        5532db19ac1d6c0b5ea8e2c5202586e55bb54d8729b18f6cb9a98e6599c7ff68ba3766e7a6435e6dec88b5024e960ad5ecef941464755fbf710e5e780c8585f5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
        Filesize

        172KB

        MD5

        8b530259d098538d443af20c832fcef2

        SHA1

        50a9272d2133cc59436e9c1c5b60a6ebf6ed6045

        SHA256

        34fd13d7230885cd58b95ffdb7c34087f92ed4a20459517ec4e312137b0bb3cd

        SHA512

        8265186f85eb6bd87259c2d29d5c7f4b1e315a869e373f2c36d0df3f43e402cba5d38550dee3196d6bc03be20469220fdd62009b3447cfaadf96a4913a014d38

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\c36f10
        Filesize

        2.4MB

        MD5

        ced6183a4588797f595788a568f31550

        SHA1

        25dafbc7b3604f45e22b5875baa6cf22e87dc439

        SHA256

        13ae8685d400e61aa7784f114fe7083b9358a4839d45776cadaea3a8a1fa1422

        SHA512

        c6645aa5d5c1568dea8298ebf83f107ec794b68d15460f2b1ccfc17602590bb8fe06ba2986569319f964530a73c809a62d7c2b6e2dc0883be5f3706893c40303

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\c36f10
        Filesize

        264KB

        MD5

        4e03045f3f93f2c5c77538d1801b3cea

        SHA1

        f75a86ea79fd066a0e93a9d5ba5033f61d7551e7

        SHA256

        e97e7087dda4a46df73310405c3b9d8cec45c3dca99b42e163a20b49bdd15308

        SHA512

        f337b3a18a343eb57238581ea2b5e8302f777860b6d48824063222eeee2e7184fd7eac9c03d01196f827e35f7787393f59d13798403a6930ee9ffd9678c06043

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\aa2c08de
        Filesize

        1.1MB

        MD5

        363e4c4c6b86f288acac0a09d8daa9a0

        SHA1

        57c58e29729c8d23e5abbfafb84585fea6af3837

        SHA256

        37cba56115b154e81c04b932f7fcc40eedadd8fc7deeb118dfedefdc31bd3fdf

        SHA512

        25cb2edfd9e4b3deb77c71e51d3232b7603a159017e3e2debd4086e02516e119cc66703783b9588be0dcbee6ed47a26922acde5ee7f6a0a11c7b93e0db900bc4

        Download Submit

      • memory/676-74-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1448-83-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/1448-84-0x0000000000EF0000-0x0000000000F5F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/1472-6-0x0000000002A50000-0x0000000002ABC000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1472-0-0x0000000002A50000-0x0000000002ABC000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1472-1-0x0000000002A50000-0x0000000002ABC000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2872-81-0x00000000005C0000-0x000000000062F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/2872-85-0x00000000005C0000-0x000000000062F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/2872-80-0x0000000000710000-0x0000000000B3C000-memory.dmp

        Filesize

        4.2MB

        Download

      • memory/2872-76-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2872-77-0x00000000005C0000-0x000000000062F000-memory.dmp

        Filesize

        444KB

        Download

      • memory/2920-29-0x0000000000AD0000-0x0000000000B3C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2920-11-0x0000000000AD0000-0x0000000000B3C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2920-9-0x0000000000AD0000-0x0000000000B3C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2920-10-0x0000000000AD0000-0x0000000000B3C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/3140-58-0x0000000000870000-0x0000000000A18000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3140-64-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3140-65-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3140-66-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3140-69-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3232-45-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3232-38-0x0000000000870000-0x0000000000A18000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/3232-44-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3232-47-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3232-46-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3624-51-0x00007FFA22580000-0x00007FFA22789000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3624-73-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3624-68-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3624-67-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3624-49-0x0000000073950000-0x0000000073ACD000-memory.dmp

        Filesize

        1.5MB

        Download