amadey | d66c5907218da0e1082f3a1318226d1c5bab6bd1ebb57b034a817b4c35495ac8

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
Size

234KB
MD5

45e93a000b07f25fe943fdf1f7b65357
SHA1

87725546f53447d680f47e63a0cc581dcd4503fa
SHA256

9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755
SHA512

83cb89078894b96f0bf1f7a8ef6b2983d7e21f60bd575004772267424c4603b75e18f9f805535634a9678aa58494f25eb83fdfc36553f25b3c80bdd4691b2c6d
SSDEEP

6144:KBy+bnr+2p0yN90QEHBKyBErKK+iBI/cl:/Mryy90ZxBEz+iBIEl

Score

10^/10

amadey healer fb0fb8 dropper evasion persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.89

Botnet

fb0fb8

http://77.91.68.52

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688
url_paths
/mac/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe	healer
behavioral11/memory/2988-7-0x00000000001B0000-0x00000000001BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q7686010.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q7686010.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q7686010.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q7686010.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

r7196851.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	r7196851.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 5 IoCs

Processes:

q7686010.exer7196851.exeexplonde.exeexplonde.exeexplonde.exe

pid process

2988 q7686010.exe
1496 r7196851.exe
392 explonde.exe
1172 explonde.exe
1548 explonde.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

q7686010.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q7686010.exe

pid	process
2988	q7686010.exe
1496	r7196851.exe
392	explonde.exe
1172	explonde.exe
1548	explonde.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q7686010.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

396 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q7686010.exe

pid process

2988 q7686010.exe
2988 q7686010.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q7686010.exe

description pid process

Token: SeDebugPrivilege 2988 q7686010.exe

pid	process
396	schtasks.exe

pid	process
2988	q7686010.exe
2988	q7686010.exe

description	pid	process
Token: SeDebugPrivilege	2988	q7686010.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exer7196851.exeexplonde.execmd.exe

description	pid	process	target process
PID 4724 wrote to memory of 2988	4724	9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe	q7686010.exe
PID 4724 wrote to memory of 2988	4724	9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe	q7686010.exe
PID 4724 wrote to memory of 1496	4724	9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe	r7196851.exe
PID 4724 wrote to memory of 1496	4724	9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe	r7196851.exe
PID 4724 wrote to memory of 1496	4724	9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe	r7196851.exe
PID 1496 wrote to memory of 392	1496	r7196851.exe	explonde.exe
PID 1496 wrote to memory of 392	1496	r7196851.exe	explonde.exe
PID 1496 wrote to memory of 392	1496	r7196851.exe	explonde.exe
PID 392 wrote to memory of 396	392	explonde.exe	schtasks.exe
PID 392 wrote to memory of 396	392	explonde.exe	schtasks.exe
PID 392 wrote to memory of 396	392	explonde.exe	schtasks.exe
PID 392 wrote to memory of 680	392	explonde.exe	cmd.exe
PID 392 wrote to memory of 680	392	explonde.exe	cmd.exe
PID 392 wrote to memory of 680	392	explonde.exe	cmd.exe
PID 680 wrote to memory of 4028	680	cmd.exe	cmd.exe
PID 680 wrote to memory of 4028	680	cmd.exe	cmd.exe
PID 680 wrote to memory of 4028	680	cmd.exe	cmd.exe
PID 680 wrote to memory of 3648	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 3648	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 3648	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 2900	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 2900	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 2900	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 4968	680	cmd.exe	cmd.exe
PID 680 wrote to memory of 4968	680	cmd.exe	cmd.exe
PID 680 wrote to memory of 4968	680	cmd.exe	cmd.exe
PID 680 wrote to memory of 4572	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 4572	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 4572	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 2540	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 2540	680	cmd.exe	cacls.exe
PID 680 wrote to memory of 2540	680	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe
"C:\Users\Admin\AppData\Local\Temp\9a45e9c2060aa38e5c0bd25ef98f2a3acb0c464207b459fa09e6fe8492e26755.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:392
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4028
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        5⤵
        
        PID:3648
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        5⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4968
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:2540

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q7686010.exe

Filesize
12KB

MD5
05d44dca7da313a6875ab2e2ce15cf4c

SHA1
fb62bcfc8209d7246dce532fd00d4ea2d56ecb71

SHA256
b894a0dc444adc2774ca868edb76d306b089eccd9dbea910c9a5f8bb7f4dc50c

SHA512
01075dd204512cb35dcd4cb0f77fe2962ee2e8709ff48cf36b3e681b96caafe1c4edcb0b4cab6be77754f791907dfd368570b425e89f740231578f19e2fc3fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r7196851.exe

Filesize
221KB

MD5
a179aaa8b2da45d6806e6a737696d101

SHA1
0d5e6174461ffb16368cd80216abca674d893660

SHA256
f13ad3f74496d3eb644233b1f70c1b9c10abdd4b777007daa0d391fbfdd44a73

SHA512
41b53c48d9f6ba2bb744e48654957b12c93493cb1f2bfc11bac85694eaac5642bb3480fbaea1d16d5a89b886289efcbfc527c762114a4d85f7cbbef7eac3d375

Download Submit
memory/2988-7-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/2988-8-0x00007FFF84243000-0x00007FFF84245000-memory.dmp

Filesize
8KB

Download