amadey | 0ff9bc0436d6052b24d3174a3e4aeb590fa03a5b78a09d0b6a5a4084006891e2

Analysis

max time kernel
161s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe
Size

390KB
MD5

118c662f820166afa9227a295d5e2cc2
SHA1

a2b6493129c6fa84aa662e694cdaee7685aa51b3
SHA256

7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea
SHA512

cddcd80647224fd43dfb4c2cf76675c9fe5b4cce16947cc45b638e07fa4fea9c31d9c1fc488a07840880f61a559f24d307243b4cc1113e1b82c7a68efcb52666
SSDEEP

12288:HMr+y90/RJg07IvDFwhm5YY2sRO/vUCA:5y4OVvnL2sk3UCA

Score

10^/10

amadey healer dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.86

http://77.91.68.61

Attributes

install_dir
925e7e99c5
install_file
pdates.exe
strings_key
ada76b8b0e1f6892ee93c20ab8946117
url_paths
/rock/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe	healer
behavioral11/memory/5000-15-0x0000000000670000-0x000000000067A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

k6706793.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k6706793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6706793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6706793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6706793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6706793.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6706793.exe

Executes dropped EXE 3 IoCs

Processes:

y8837515.exek6706793.exel4637560.exe

pid process

5084 y8837515.exe
5000 k6706793.exe
540 l4637560.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

k6706793.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k6706793.exe

pid	process
5084	y8837515.exe
5000	k6706793.exe
540	l4637560.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6706793.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exey8837515.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y8837515.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

k6706793.exe

pid process

5000 k6706793.exe
5000 k6706793.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

k6706793.exe

description pid process

Token: SeDebugPrivilege 5000 k6706793.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

l4637560.exe

pid process

540 l4637560.exe

pid	process
5000	k6706793.exe
5000	k6706793.exe

description	pid	process
Token: SeDebugPrivilege	5000	k6706793.exe

pid	process
540	l4637560.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exey8837515.exe

description	pid	process	target process
PID 3932 wrote to memory of 5084	3932	7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe	y8837515.exe
PID 3932 wrote to memory of 5084	3932	7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe	y8837515.exe
PID 3932 wrote to memory of 5084	3932	7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe	y8837515.exe
PID 5084 wrote to memory of 5000	5084	y8837515.exe	k6706793.exe
PID 5084 wrote to memory of 5000	5084	y8837515.exe	k6706793.exe
PID 5084 wrote to memory of 540	5084	y8837515.exe	l4637560.exe
PID 5084 wrote to memory of 540	5084	y8837515.exe	l4637560.exe
PID 5084 wrote to memory of 540	5084	y8837515.exe	l4637560.exe

C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe
"C:\Users\Admin\AppData\Local\Temp\7a4ee8388222f5e129b4d1d82750bea32e3956ea160d1a752dea1af994fa77ea.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y8837515.exe
Filesize
234KB

MD5
27ff8bcfbd69753a89dca3cb0dcb4793

SHA1
0fc68e6d513f53da20e129cabe4c67431924fafd

SHA256
1ca048e8af553f43feb76af02ecd336aa40f1c1a25d3f47e92597fe40393771c

SHA512
4b5bbe988e9e9f58915b68040e2a62b733836357fad25b689eef6e3550ca405126a01d19f21a296b3dabef20444e331f4dcf7924d3f96ba14cdf927238756653

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6706793.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4637560.exe
Filesize
223KB

MD5
aea234064483f651010cf9d981f59fea

SHA1
002ad73a666d2d92d0c6d6b617e61c6fa0c5f3a6

SHA256
58b02c8b4bc2bf7f5f1e8e45d7c206956f188ae56b648922ca75987b999db503

SHA512
eae415ef55aeb1b4548c2422a72e618fce17c2c1322918d33dc6b9202a01c743a5684ba28e5d83b6cdb2b703bc12569e6bb0e87ef2decb4e8a18592e1380a434

Download Submit
memory/5000-14-0x00007FFC8C1C3000-0x00007FFC8C1C5000-memory.dmp

Filesize
8KB

Download
memory/5000-15-0x0000000000670000-0x000000000067A000-memory.dmp

Filesize
40KB

Download