amadey | 4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde

Analysis

max time kernel
145s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe
Size

488KB
MD5

8d2241d27e11c862a3bc70b8122880c9
SHA1

fb8f8bc25adb92606c2e074414f6aeff578ed6e8
SHA256

4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde
SHA512

2a827394ad22b0c81d94bd8295443d99dc1e79c5f8e9cc0bab6eca03ff5a4553501fda7f37768eb31862463e4b26495c7b94bb47cfa4c69a8f88ee4a82e55cf8
SSDEEP

6144:5GAzLWt1C7Pc0k34ejK/CgGLB0ZRzCTdFKPkAEAS43p8nzdi9mZMnj/pFOnfb:57St1GPgmibyHSKuzdigb

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe

Executes dropped EXE 4 IoCs

pid	Process
3528	Dctooux.exe
208	Dctooux.exe
4036	Dctooux.exe
2704	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 31 IoCs

pid	pid_target	Process	procid_target
1664	3156	WerFault.exe	81
3404	3156	WerFault.exe	81
4192	3156	WerFault.exe	81
1684	3156	WerFault.exe	81
1412	3156	WerFault.exe	81
1648	3156	WerFault.exe	81
2216	3156	WerFault.exe	81
3356	3156	WerFault.exe	81
3868	3156	WerFault.exe	81
1528	3156	WerFault.exe	81
5072	3156	WerFault.exe	81
3188	3528	WerFault.exe	101
4012	3528	WerFault.exe	101
2408	3528	WerFault.exe	101
4612	3528	WerFault.exe	101
3616	3528	WerFault.exe	101
2640	3528	WerFault.exe	101
1088	3528	WerFault.exe	101
4812	3528	WerFault.exe	101
2980	3528	WerFault.exe	101
2108	3528	WerFault.exe	101
2648	3528	WerFault.exe	101
3044	3528	WerFault.exe	101
4624	3528	WerFault.exe	101
3652	3528	WerFault.exe	101
2184	3528	WerFault.exe	101
312	3528	WerFault.exe	101
4376	208	WerFault.exe	138
3164	4036	WerFault.exe	149
1248	3528	WerFault.exe	101
3548	2704	WerFault.exe	154

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3156	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 3528	3156	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe	101
PID 3156 wrote to memory of 3528	3156	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe	101
PID 3156 wrote to memory of 3528	3156	4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe	101

C:\Users\Admin\AppData\Local\Temp\4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe
"C:\Users\Admin\AppData\Local\Temp\4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 756
  2⤵
  - Program crash
  PID:1664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 796
  2⤵
  - Program crash
  PID:3404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 832
  2⤵
  - Program crash
  PID:4192
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 928
  2⤵
  - Program crash
  PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 960
  2⤵
  - Program crash
  PID:1412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 972
  2⤵
  - Program crash
  PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1128
  2⤵
  - Program crash
  PID:2216
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1188
  2⤵
  - Program crash
  PID:3356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 1236
  2⤵
  - Program crash
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:3528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 556
    3⤵
    - Program crash
    PID:3188
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 576
    3⤵
    - Program crash
    PID:4012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 552
    3⤵
    - Program crash
    PID:2408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 632
    3⤵
    - Program crash
    PID:4612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 704
    3⤵
    - Program crash
    PID:3616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 888
    3⤵
    - Program crash
    PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 732
    3⤵
    - Program crash
    PID:1088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 928
    3⤵
    - Program crash
    PID:4812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 944
    3⤵
    - Program crash
    PID:2980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 952
    3⤵
    - Program crash
    PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 732
    3⤵
    - Program crash
    PID:2648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1160
    3⤵
    - Program crash
    PID:3044
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1404
    3⤵
    - Program crash
    PID:4624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1464
    3⤵
    - Program crash
    PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1484
    3⤵
    - Program crash
    PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 1344
    3⤵
    - Program crash
    PID:312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 892
    3⤵
    - Program crash
    PID:1248
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 996
  2⤵
  - Program crash
  PID:1528
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 776
  2⤵
  - Program crash
  PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3156 -ip 3156
1⤵
PID:1436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3156 -ip 3156
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3156 -ip 3156
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3156 -ip 3156
1⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3156 -ip 3156
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3156 -ip 3156
1⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3156 -ip 3156
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3156 -ip 3156
1⤵
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3156 -ip 3156
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3156 -ip 3156
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3156 -ip 3156
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3528 -ip 3528
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3528 -ip 3528
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3528 -ip 3528
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3528 -ip 3528
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3528 -ip 3528
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3528 -ip 3528
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3528 -ip 3528
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3528 -ip 3528
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3528 -ip 3528
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3528 -ip 3528
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3528 -ip 3528
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3528 -ip 3528
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3528 -ip 3528
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3528 -ip 3528
1⤵
PID:1820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3528 -ip 3528
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3528 -ip 3528
1⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 444
  2⤵
  - Program crash
  PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 208 -ip 208
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:4036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 444
  2⤵
  - Program crash
  PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4036 -ip 4036
1⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3528 -ip 3528
1⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:2704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 448
  2⤵
  - Program crash
  PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2704 -ip 2704
1⤵
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\539840389126

Filesize
84KB

MD5
52abc24636967893fac368874ae4e4c7

SHA1
e83ccecf3aa6c44a730d7eec5cffb77db096361e

SHA256
45f90d9a0e7a2ce4f82f4d58631f3b4143d0e326509e07c27ad9ba6f7f11e453

SHA512
edcb9f3ea93d181593a31acb754bfe8470fa3cc585a49808581d3db43e298900aa390c67665f11a45855dbfb326caa6aab13ba24b311df56811011af1eb350f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
488KB

MD5
8d2241d27e11c862a3bc70b8122880c9

SHA1
fb8f8bc25adb92606c2e074414f6aeff578ed6e8

SHA256
4d06a56fe5167c0377a4a70bb4d36196928380593a524d41ecd0ba7d6b2dddde

SHA512
2a827394ad22b0c81d94bd8295443d99dc1e79c5f8e9cc0bab6eca03ff5a4553501fda7f37768eb31862463e4b26495c7b94bb47cfa4c69a8f88ee4a82e55cf8

Download Submit
memory/208-27-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/2704-56-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3156-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3156-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3156-18-0x0000000003FA0000-0x000000000400B000-memory.dmp

Filesize
428KB

Download
memory/3156-17-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3156-2-0x0000000003FA0000-0x000000000400B000-memory.dmp

Filesize
428KB

Download
memory/3156-1-0x00000000024F0000-0x00000000025F0000-memory.dmp

Filesize
1024KB

Download
memory/3528-16-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3528-24-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3528-32-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/3528-40-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download
memory/4036-47-0x0000000000400000-0x0000000002396000-memory.dmp

Filesize
31.6MB

Download