Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
27-03-2024 13:09
General
-
Target
7077ab5685f753d94192aca8e3158fb5.exe
-
Size
6.2MB
-
MD5
7077ab5685f753d94192aca8e3158fb5
-
SHA1
a73f1b79f6a1fccc0cb4f10b875a0b5a0182dc90
-
SHA256
751ad0b26586c0dbb06379c8bbb1b7a47e77adc19c3f068d6305f47faec551b2
-
SHA512
64001b470b17434a051b64477955175f5c35db89761477dd5473f8229e6b141a252ab0ed0cef6655135be4fa70f13313475a427195e3013a7a2c061cd260ef26
-
SSDEEP
98304:Xrxkmr7CWoqbb4ngAFGw7WClREnjwaeSkMc88QS+qE0AaG8MlftjxeUZH:XKyzoLgkW4RmKMcJWqE0AaGxftjx/Z
Malware Config
Extracted
amadey
4.19
http://creationofprogress.com
-
install_dir
603179bf2d
-
install_file
Dctooux.exe
-
strings_key
e6d1abb3e9573b823ce443b691fcda47
-
url_paths
/8BvxwQdec3/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7077ab5685f753d94192aca8e3158fb5.exe"C:\Users\Admin\AppData\Local\Temp\7077ab5685f753d94192aca8e3158fb5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\add78427Filesize
1.1MB
MD52067bc4915fe76186dcb9c0f5432c608
SHA1fff611f9712a3a7a01b81b4072f0d157ac32912c
SHA2562f7ba6f9e552418a89e02cb66fca42f7fef9f58b8ca99030b29a1a7ebcd0299f
SHA51218d7edb4a03e278b26323ce1dc2d76bdbdc033917b5033a78b0dda02c33a7b5ac218be63499fe26393ee8a25a7a9893e97b18c3209d9355e9c3aea93aece14c9
-
C:\Users\Admin\AppData\Local\Temp\b0f1a0f0Filesize
1.1MB
MD5ce64db9cb00fafb3d29a69159dbdf713
SHA12066e9c7eb42a4303be3890b7c03dcd05c9af5b0
SHA256928c03ae29a2051953b8325d9e2ba537670411643bc645ebaf20591df5c5d5a4
SHA5127e3b1150acb8ef46d7d4cacca6b953f53d0d33d3a994760bc66ebba9e01198e7cf3679ad9828d2fa98a0f1b6ea49a5960228f0e9f6a36029eebd50a7551200a0
-
memory/1208-22-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/1208-12-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/1208-18-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/1208-17-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/1208-14-0x00007FFE05850000-0x00007FFE05A45000-memory.dmpFilesize
2.0MB
-
memory/3096-10-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/3096-6-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/3096-7-0x00007FFE05850000-0x00007FFE05A45000-memory.dmpFilesize
2.0MB
-
memory/3096-9-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/3096-8-0x0000000074930000-0x0000000074AAB000-memory.dmpFilesize
1.5MB
-
memory/3096-0-0x0000000000940000-0x0000000000BAB000-memory.dmpFilesize
2.4MB
-
memory/3600-23-0x00007FFE05850000-0x00007FFE05A45000-memory.dmpFilesize
2.0MB
-
memory/3600-24-0x00000000000C0000-0x000000000012F000-memory.dmpFilesize
444KB
-
memory/3600-26-0x00000000000C0000-0x000000000012F000-memory.dmpFilesize
444KB