amadey | 958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
Size

965KB
MD5

791d58c4ed6b8772eceda0b0254880e2
SHA1

a03bd87406f6025177c52a79fe81f1a59930aa37
SHA256

958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4
SHA512

29382169fe2249c506e8895e1e2af6ff42c76a1e8ee352f1c9557106040280cf8b8548d98974a8b07fb3d1140f55a3627f856b77454463168a8d6014df2e7899
SSDEEP

12288:6tLTyenMEh/rI+Ea4seWbh1/PjsrCe3NsGTzbEr6JeUc/X016JNHJPXFk2LxvTr2:6tieMEe+HeWXjsldP3

Score

10^/10

amadey f9a925 trojan

Malware Config

Extracted

Family

amadey

Version

3.81

Botnet

f9a925

http://77.91.124.20

Attributes

install_dir
c3912af058
install_file
oneetx.exe
strings_key
0504ce46646b0dc397a3c30d6692ec75
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects executables packed with ConfuserEx Mod 5 IoCs

resource	yara_rule
behavioral1/memory/2228-1-0x00000000009A0000-0x0000000000A98000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/files/0x0029000000015c0f-14.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2664-23-0x00000000008E0000-0x00000000009D8000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2456-35-0x00000000008E0000-0x00000000009D8000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/1868-41-0x00000000008E0000-0x00000000009D8000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 8 IoCs

pid	Process
2664	oneetx.exe
2628	oneetx.exe
2456	oneetx.exe
2760	oneetx.exe
1868	oneetx.exe
2064	oneetx.exe
832	oneetx.exe
1824	oneetx.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
2664	oneetx.exe
2456	oneetx.exe
1868	oneetx.exe
832	oneetx.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2664 set thread context of 2628	2664	oneetx.exe	30
PID 2456 set thread context of 2760	2456	oneetx.exe	44
PID 1868 set thread context of 2064	1868	oneetx.exe	49
PID 832 set thread context of 1824	832	oneetx.exe	51

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2520	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
Token: SeDebugPrivilege	2664	oneetx.exe
Token: SeDebugPrivilege	2456	oneetx.exe
Token: SeDebugPrivilege	1868	oneetx.exe
Token: SeDebugPrivilege	832	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2228 wrote to memory of 2084	2228	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	28
PID 2084 wrote to memory of 2664	2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	29
PID 2084 wrote to memory of 2664	2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	29
PID 2084 wrote to memory of 2664	2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	29
PID 2084 wrote to memory of 2664	2084	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	29
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2664 wrote to memory of 2628	2664	oneetx.exe	30
PID 2628 wrote to memory of 2520	2628	oneetx.exe	31
PID 2628 wrote to memory of 2520	2628	oneetx.exe	31
PID 2628 wrote to memory of 2520	2628	oneetx.exe	31
PID 2628 wrote to memory of 2520	2628	oneetx.exe	31
PID 2628 wrote to memory of 2640	2628	oneetx.exe	33
PID 2628 wrote to memory of 2640	2628	oneetx.exe	33
PID 2628 wrote to memory of 2640	2628	oneetx.exe	33
PID 2628 wrote to memory of 2640	2628	oneetx.exe	33
PID 2640 wrote to memory of 2512	2640	cmd.exe	35
PID 2640 wrote to memory of 2512	2640	cmd.exe	35
PID 2640 wrote to memory of 2512	2640	cmd.exe	35
PID 2640 wrote to memory of 2512	2640	cmd.exe	35
PID 2640 wrote to memory of 2532	2640	cmd.exe	36
PID 2640 wrote to memory of 2532	2640	cmd.exe	36
PID 2640 wrote to memory of 2532	2640	cmd.exe	36
PID 2640 wrote to memory of 2532	2640	cmd.exe	36
PID 2640 wrote to memory of 2636	2640	cmd.exe	37
PID 2640 wrote to memory of 2636	2640	cmd.exe	37
PID 2640 wrote to memory of 2636	2640	cmd.exe	37
PID 2640 wrote to memory of 2636	2640	cmd.exe	37
PID 2640 wrote to memory of 2916	2640	cmd.exe	38
PID 2640 wrote to memory of 2916	2640	cmd.exe	38
PID 2640 wrote to memory of 2916	2640	cmd.exe	38
PID 2640 wrote to memory of 2916	2640	cmd.exe	38
PID 2640 wrote to memory of 2952	2640	cmd.exe	39
PID 2640 wrote to memory of 2952	2640	cmd.exe	39
PID 2640 wrote to memory of 2952	2640	cmd.exe	39
PID 2640 wrote to memory of 2952	2640	cmd.exe	39
PID 2640 wrote to memory of 2976	2640	cmd.exe	40
PID 2640 wrote to memory of 2976	2640	cmd.exe	40
PID 2640 wrote to memory of 2976	2640	cmd.exe	40
PID 2640 wrote to memory of 2976	2640	cmd.exe	40
PID 1020 wrote to memory of 2456	1020	taskeng.exe	43
PID 1020 wrote to memory of 2456	1020	taskeng.exe	43
PID 1020 wrote to memory of 2456	1020	taskeng.exe	43
PID 1020 wrote to memory of 2456	1020	taskeng.exe	43
PID 2456 wrote to memory of 2760	2456	oneetx.exe	44
PID 2456 wrote to memory of 2760	2456	oneetx.exe	44

C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
"C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
  C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2512
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:2532
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:2636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        6⤵
        
        PID:2952
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        6⤵
        
        PID:2976

C:\Windows\system32\taskeng.exe
taskeng.exe {4BD45B52-152A-4136-AC3B-ED4BB05B7C90} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    3⤵
    - Executes dropped EXE
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    3⤵
    - Executes dropped EXE
    PID:2064
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    3⤵
    - Executes dropped EXE
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
965KB

MD5
791d58c4ed6b8772eceda0b0254880e2

SHA1
a03bd87406f6025177c52a79fe81f1a59930aa37

SHA256
958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4

SHA512
29382169fe2249c506e8895e1e2af6ff42c76a1e8ee352f1c9557106040280cf8b8548d98974a8b07fb3d1140f55a3627f856b77454463168a8d6014df2e7899

Download Submit
memory/1868-41-0x00000000008E0000-0x00000000009D8000-memory.dmp

Filesize
992KB

Download
memory/2084-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2084-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2084-8-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2084-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2084-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2228-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2228-7-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-2-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-1-0x00000000009A0000-0x0000000000A98000-memory.dmp

Filesize
992KB

Download
memory/2456-35-0x00000000008E0000-0x00000000009D8000-memory.dmp

Filesize
992KB

Download
memory/2628-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2628-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-22-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2664-31-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-24-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-23-0x00000000008E0000-0x00000000009D8000-memory.dmp

Filesize
992KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads