Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

Analysis

  • max time kernel
    149s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 03:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31b22e4749a83b1397e32c38bac0d7b98032d40d4542cde35392e7b365c82246.exe

  • Size

    1.8MB

  • MD5

    6129e62103a91193f06c705f05b1ef68

  • SHA1

    d1ea2a4ad8496a30bf51f8aa0611afd8480eb7c8

  • SHA256

    31b22e4749a83b1397e32c38bac0d7b98032d40d4542cde35392e7b365c82246

  • SHA512

    56dc1e0d5851bcadbc0a0cffcaefda5b3d64c7cdb88bcce3f00c476888e17e913ed1610d2b0e5aba0c275035b1ff0838b09f078b79b4229af9dc1f74bc5313da

  • SSDEEP

    49152:3V0AAc5A/yn+Y5UKBCwxnsDKWp4DH8kDi5/AGIOU:F09WA/ynr5UepxnWg8SgNU

Score
10/10
amadeyevasionthemidatrojan

Malware Config

Extracted

Family

amadey

Version

4.20

C2

http://193.233.132.139

Attributes
  • install_dir

    5454e6f062

  • install_file

    explorta.exe

  • strings_key

    c7a869c5ba1d72480093ec207994e2bf

  • url_paths

    /sev56rkm/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 40 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31b22e4749a83b1397e32c38bac0d7b98032d40d4542cde35392e7b365c82246.exe
    "C:\Users\Admin\AppData\Local\Temp\31b22e4749a83b1397e32c38bac0d7b98032d40d4542cde35392e7b365c82246.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4064
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4288
    • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:1796
    • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:3820

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
      Filesize

      1.8MB

      MD5

      6129e62103a91193f06c705f05b1ef68

      SHA1

      d1ea2a4ad8496a30bf51f8aa0611afd8480eb7c8

      SHA256

      31b22e4749a83b1397e32c38bac0d7b98032d40d4542cde35392e7b365c82246

      SHA512

      56dc1e0d5851bcadbc0a0cffcaefda5b3d64c7cdb88bcce3f00c476888e17e913ed1610d2b0e5aba0c275035b1ff0838b09f078b79b4229af9dc1f74bc5313da

      Download Submit

    • memory/1796-41-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-43-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-36-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-38-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-39-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-37-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-40-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-42-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-44-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1796-45-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-32-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-2-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-0-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-10-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-8-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-4-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-5-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-6-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-7-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-3-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/1904-1-0x00000000009B0000-0x0000000000F0E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-54-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-55-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-59-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-60-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-56-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-58-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-57-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/3820-53-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-26-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-23-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-24-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-33-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-22-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-29-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-28-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-30-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-27-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download

    • memory/4064-25-0x0000000000AD0000-0x000000000102E000-memory.dmp

      Filesize

      5.4MB

      Download