amadey | 27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 18:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe
Size

479KB
MD5

75c1b653f733ae5c4ab3c1654225eed7
SHA1

5ef25cc5fd701cb10cc94dde2fe8fdb06a3892bf
SHA256

27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d
SHA512

59b04bdd8e770ae11fa700b1f7e4c9e32a47bd438cdbe1179151df5675be24941a0fc63db6b93f67dabaf7e278e3f1e00b965d880921f18f164d61edb96ca412
SSDEEP

6144:MhDtFk4NeB9BPlldSJM3qTowxi+fJFZRIEEzDeTfFb4T:4tFk4NobdSyqfrFGzDeT6

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe

Executes dropped EXE 3 IoCs

pid	Process
2520	Dctooux.exe
2468	Dctooux.exe
4928	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
4580	4824	WerFault.exe	88
2468	4824	WerFault.exe	88
4044	4824	WerFault.exe	88
4288	4824	WerFault.exe	88
4416	4824	WerFault.exe	88
1868	4824	WerFault.exe	88
4600	4824	WerFault.exe	88
2892	4824	WerFault.exe	88
1528	4824	WerFault.exe	88
4432	4824	WerFault.exe	88
2504	2520	WerFault.exe	112
372	2520	WerFault.exe	112
3052	2520	WerFault.exe	112
4304	2520	WerFault.exe	112
1532	2520	WerFault.exe	112
1004	2520	WerFault.exe	112
1204	2520	WerFault.exe	112
3780	2520	WerFault.exe	112
2492	2520	WerFault.exe	112
4196	2520	WerFault.exe	112
4280	2520	WerFault.exe	112
2164	2520	WerFault.exe	112
872	2520	WerFault.exe	112
1868	2520	WerFault.exe	112
452	2520	WerFault.exe	112
632	2520	WerFault.exe	112
3180	2468	WerFault.exe	157
5000	4928	WerFault.exe	160
2788	2520	WerFault.exe	112

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 2520	4824	27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe	112
PID 4824 wrote to memory of 2520	4824	27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe	112
PID 4824 wrote to memory of 2520	4824	27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe	112

C:\Users\Admin\AppData\Local\Temp\27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe
"C:\Users\Admin\AppData\Local\Temp\27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 756
  2⤵
  - Program crash
  PID:4580
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 804
  2⤵
  - Program crash
  PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 816
  2⤵
  - Program crash
  PID:4044
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 928
  2⤵
  - Program crash
  PID:4288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 920
  2⤵
  - Program crash
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 868
  2⤵
  - Program crash
  PID:1868
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1136
  2⤵
  - Program crash
  PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1192
  2⤵
  - Program crash
  PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1136
  2⤵
  - Program crash
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:2520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 556
    3⤵
    - Program crash
    PID:2504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 596
    3⤵
    - Program crash
    PID:372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 616
    3⤵
    - Program crash
    PID:3052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 632
    3⤵
    - Program crash
    PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 704
    3⤵
    - Program crash
    PID:1532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 884
    3⤵
    - Program crash
    PID:1004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 924
    3⤵
    - Program crash
    PID:1204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 884
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 912
    3⤵
    - Program crash
    PID:2492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 956
    3⤵
    - Program crash
    PID:4196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 996
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1164
    3⤵
    - Program crash
    PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1404
    3⤵
    - Program crash
    PID:872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1328
    3⤵
    - Program crash
    PID:1868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1432
    3⤵
    - Program crash
    PID:452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 1468
    3⤵
    - Program crash
    PID:632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 888
    3⤵
    - Program crash
    PID:2788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1316
  2⤵
  - Program crash
  PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4824 -ip 4824
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4824 -ip 4824
1⤵
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4824 -ip 4824
1⤵
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4824 -ip 4824
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4824 -ip 4824
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4824 -ip 4824
1⤵
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4824 -ip 4824
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4824 -ip 4824
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4824 -ip 4824
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4824 -ip 4824
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2520 -ip 2520
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2520 -ip 2520
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2520 -ip 2520
1⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2520 -ip 2520
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2520 -ip 2520
1⤵
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2520 -ip 2520
1⤵
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2520 -ip 2520
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2520 -ip 2520
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2520 -ip 2520
1⤵
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2520 -ip 2520
1⤵
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2520 -ip 2520
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2520 -ip 2520
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2520 -ip 2520
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2520 -ip 2520
1⤵
PID:3120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2520 -ip 2520
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2520 -ip 2520
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 444
  2⤵
  - Program crash
  PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2468 -ip 2468
1⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 440
  2⤵
  - Program crash
  PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4928 -ip 4928
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2520 -ip 2520
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\181767204200

Filesize
84KB

MD5
0ccc33be25efc128a84fdf1cb3adea3b

SHA1
0f46b041ff22455ff49abdd8740e8a28eb65423c

SHA256
9986ed355d3b02e5a5a376995102a10870437d93cf1053f4d3e9303d58229297

SHA512
624686ca7188b78c990a5e39acc7b0efa57fcfaef475133661237b0e16c916928098be97fe70d2065c34ceb85012c93ae62b73cc0d3286451ad19b2f80a18196

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
479KB

MD5
75c1b653f733ae5c4ab3c1654225eed7

SHA1
5ef25cc5fd701cb10cc94dde2fe8fdb06a3892bf

SHA256
27263008f674083d9b76bfa572103a5c5cfeaac82375ff1b2014903ab42aee8d

SHA512
59b04bdd8e770ae11fa700b1f7e4c9e32a47bd438cdbe1179151df5675be24941a0fc63db6b93f67dabaf7e278e3f1e00b965d880921f18f164d61edb96ca412

Download Submit
memory/2468-43-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2468-44-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2520-40-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2520-27-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2520-32-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/2520-19-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/4824-20-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download
memory/4824-22-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4824-21-0x0000000000820000-0x000000000088B000-memory.dmp

Filesize
428KB

Download
memory/4824-2-0x0000000000820000-0x000000000088B000-memory.dmp

Filesize
428KB

Download
memory/4824-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4824-1-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/4928-53-0x0000000000400000-0x00000000006AA000-memory.dmp

Filesize
2.7MB

Download