amadey | 958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
Size

965KB
MD5

791d58c4ed6b8772eceda0b0254880e2
SHA1

a03bd87406f6025177c52a79fe81f1a59930aa37
SHA256

958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4
SHA512

29382169fe2249c506e8895e1e2af6ff42c76a1e8ee352f1c9557106040280cf8b8548d98974a8b07fb3d1140f55a3627f856b77454463168a8d6014df2e7899
SSDEEP

12288:6tLTyenMEh/rI+Ea4seWbh1/PjsrCe3NsGTzbEr6JeUc/X016JNHJPXFk2LxvTr2:6tieMEe+HeWXjsldP3

Score

10^/10

amadey f9a925 trojan

Malware Config

Extracted

Family

amadey

Version

3.81

Botnet

f9a925

http://77.91.124.20

Attributes

install_dir
c3912af058
install_file
oneetx.exe
strings_key
0504ce46646b0dc397a3c30d6692ec75
url_paths
/store/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detects executables packed with ConfuserEx Mod 2 IoCs

resource	yara_rule
behavioral2/memory/2632-1-0x0000000000820000-0x0000000000918000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x0005000000022ac4-13.dat	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 8 IoCs

pid	Process
4940	oneetx.exe
2452	oneetx.exe
2676	oneetx.exe
3340	oneetx.exe
900	oneetx.exe
4448	oneetx.exe
1016	oneetx.exe
4960	oneetx.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 4940 set thread context of 2452	4940	oneetx.exe	87
PID 2676 set thread context of 3340	2676	oneetx.exe	99
PID 900 set thread context of 4448	900	oneetx.exe	108
PID 1016 set thread context of 4960	1016	oneetx.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2488	4960	WerFault.exe	110

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2988	schtasks.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
Token: SeDebugPrivilege	4940	oneetx.exe
Token: SeDebugPrivilege	2676	oneetx.exe
Token: SeDebugPrivilege	900	oneetx.exe
Token: SeDebugPrivilege	1016	oneetx.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
4960	oneetx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 2632 wrote to memory of 760	2632	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	82
PID 760 wrote to memory of 4940	760	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	86
PID 760 wrote to memory of 4940	760	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	86
PID 760 wrote to memory of 4940	760	958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe	86
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 4940 wrote to memory of 2452	4940	oneetx.exe	87
PID 2452 wrote to memory of 2988	2452	oneetx.exe	88
PID 2452 wrote to memory of 2988	2452	oneetx.exe	88
PID 2452 wrote to memory of 2988	2452	oneetx.exe	88
PID 2452 wrote to memory of 3180	2452	oneetx.exe	90
PID 2452 wrote to memory of 3180	2452	oneetx.exe	90
PID 2452 wrote to memory of 3180	2452	oneetx.exe	90
PID 3180 wrote to memory of 4576	3180	cmd.exe	92
PID 3180 wrote to memory of 4576	3180	cmd.exe	92
PID 3180 wrote to memory of 4576	3180	cmd.exe	92
PID 3180 wrote to memory of 4492	3180	cmd.exe	93
PID 3180 wrote to memory of 4492	3180	cmd.exe	93
PID 3180 wrote to memory of 4492	3180	cmd.exe	93
PID 3180 wrote to memory of 5084	3180	cmd.exe	94
PID 3180 wrote to memory of 5084	3180	cmd.exe	94
PID 3180 wrote to memory of 5084	3180	cmd.exe	94
PID 3180 wrote to memory of 4772	3180	cmd.exe	95
PID 3180 wrote to memory of 4772	3180	cmd.exe	95
PID 3180 wrote to memory of 4772	3180	cmd.exe	95
PID 3180 wrote to memory of 3952	3180	cmd.exe	96
PID 3180 wrote to memory of 3952	3180	cmd.exe	96
PID 3180 wrote to memory of 3952	3180	cmd.exe	96
PID 3180 wrote to memory of 4656	3180	cmd.exe	97
PID 3180 wrote to memory of 4656	3180	cmd.exe	97
PID 3180 wrote to memory of 4656	3180	cmd.exe	97
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 2676 wrote to memory of 3340	2676	oneetx.exe	99
PID 900 wrote to memory of 4448	900	oneetx.exe	108
PID 900 wrote to memory of 4448	900	oneetx.exe	108
PID 900 wrote to memory of 4448	900	oneetx.exe	108
PID 900 wrote to memory of 4448	900	oneetx.exe	108
PID 900 wrote to memory of 4448	900	oneetx.exe	108
PID 900 wrote to memory of 4448	900	oneetx.exe	108
PID 900 wrote to memory of 4448	900	oneetx.exe	108

C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
"C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
  C:\Users\Admin\AppData\Local\Temp\958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4576
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:4492
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:5084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4772
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:N"
        6⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\c3912af058" /P "Admin:R" /E
        6⤵
        
        PID:4656

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:3340

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:4448

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1016
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 12
    3⤵
    - Program crash
    PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4960 -ip 4960
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oneetx.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
965KB

MD5
791d58c4ed6b8772eceda0b0254880e2

SHA1
a03bd87406f6025177c52a79fe81f1a59930aa37

SHA256
958aa94f4ad246b393cc98c789545c24bf974fb90447319ebbf34d0fa241edf4

SHA512
29382169fe2249c506e8895e1e2af6ff42c76a1e8ee352f1c9557106040280cf8b8548d98974a8b07fb3d1140f55a3627f856b77454463168a8d6014df2e7899

Download Submit
memory/760-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/760-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/760-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/760-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/760-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-29-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-31-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2632-7-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2632-2-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2632-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x0000000000820000-0x0000000000918000-memory.dmp

Filesize
992KB

Download
memory/3340-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4448-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4940-23-0x000000007459E000-0x000000007459F000-memory.dmp

Filesize
4KB

Download
memory/4940-24-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4940-30-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads