amadey | 83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe
Size

471KB
MD5

52060135358cb4c75394785aeb1448a4
SHA1

711fe362dc28bbd5a0848b6f09e48a6f44fea1a6
SHA256

83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c
SHA512

8c76e3c310cb2548504f305e244c1729961bd98470ee495f5a9329e9117833dd81590c55138486e054a3e1b3d6eaab35e8f2a9446a71e7506294c5f5f5e774e9
SSDEEP

12288:1Zn/WBVUB/uFt2nsykIQA7Zke1cKbImgY/s:1MVU9uFYsmlee1cKbImgYk

Score

10^/10

amadey b2c2c1 trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

b2c2c1

http://greendag.ru

Attributes

install_dir
e221f72865
install_file
Dctooux.exe
strings_key
09a7af7983af08af50ea3f51a73065e9
url_paths
/forum/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe

Executes dropped EXE 4 IoCs

pid	Process
3328	Dctooux.exe
3576	Dctooux.exe
560	Dctooux.exe
3308	Dctooux.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Dctooux.job	83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

pid	pid_target	Process	procid_target
3928	4912	WerFault.exe	80
4224	4912	WerFault.exe	80
4932	4912	WerFault.exe	80
3084	4912	WerFault.exe	80
776	4912	WerFault.exe	80
2256	4912	WerFault.exe	80
4696	4912	WerFault.exe	80
3240	4912	WerFault.exe	80
2564	4912	WerFault.exe	80
4496	4912	WerFault.exe	80
1444	3328	WerFault.exe	103
932	3328	WerFault.exe	103
3620	3328	WerFault.exe	103
1908	3328	WerFault.exe	103
2788	3328	WerFault.exe	103
2132	3328	WerFault.exe	103
960	3328	WerFault.exe	103
3332	3328	WerFault.exe	103
2588	3328	WerFault.exe	103
5004	3328	WerFault.exe	103
1452	3328	WerFault.exe	103
948	3328	WerFault.exe	103
4088	3328	WerFault.exe	103
2348	3328	WerFault.exe	103
3436	3328	WerFault.exe	103
2096	3576	WerFault.exe	136
4176	560	WerFault.exe	142
3124	3328	WerFault.exe	103
4492	3308	WerFault.exe	147

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4912	83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 3328	4912	83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe	103
PID 4912 wrote to memory of 3328	4912	83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe	103
PID 4912 wrote to memory of 3328	4912	83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe	103

C:\Users\Admin\AppData\Local\Temp\83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe
"C:\Users\Admin\AppData\Local\Temp\83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 560
  2⤵
  - Program crash
  PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 780
  2⤵
  - Program crash
  PID:4224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 856
  2⤵
  - Program crash
  PID:4932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 904
  2⤵
  - Program crash
  PID:3084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 936
  2⤵
  - Program crash
  PID:776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 976
  2⤵
  - Program crash
  PID:2256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1124
  2⤵
  - Program crash
  PID:4696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1140
  2⤵
  - Program crash
  PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1240
  2⤵
  - Program crash
  PID:2564
- C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
  "C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"
  2⤵
  - Executes dropped EXE
  PID:3328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 556
    3⤵
    - Program crash
    PID:1444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 576
    3⤵
    - Program crash
    PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 580
    3⤵
    - Program crash
    PID:3620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 656
    3⤵
    - Program crash
    PID:1908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 700
    3⤵
    - Program crash
    PID:2788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 764
    3⤵
    - Program crash
    PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 896
    3⤵
    - Program crash
    PID:960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 764
    3⤵
    - Program crash
    PID:3332
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 764
    3⤵
    - Program crash
    PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 704
    3⤵
    - Program crash
    PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1016
    3⤵
    - Program crash
    PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1028
    3⤵
    - Program crash
    PID:948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1368
    3⤵
    - Program crash
    PID:4088
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1388
    3⤵
    - Program crash
    PID:2348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 1436
    3⤵
    - Program crash
    PID:3436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 856
    3⤵
    - Program crash
    PID:3124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1264
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4912 -ip 4912
1⤵
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4912 -ip 4912
1⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4912 -ip 4912
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4912 -ip 4912
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4912 -ip 4912
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4912 -ip 4912
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4912 -ip 4912
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4912 -ip 4912
1⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4912 -ip 4912
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4912 -ip 4912
1⤵
PID:1228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3328 -ip 3328
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3328 -ip 3328
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3328 -ip 3328
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3328 -ip 3328
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3328 -ip 3328
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3328 -ip 3328
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3328 -ip 3328
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3328 -ip 3328
1⤵
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3328 -ip 3328
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3328 -ip 3328
1⤵
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3328 -ip 3328
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3328 -ip 3328
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3328 -ip 3328
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3328 -ip 3328
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3328 -ip 3328
1⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 448
  2⤵
  - Program crash
  PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3576 -ip 3576
1⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 448
  2⤵
  - Program crash
  PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 560 -ip 560
1⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3328 -ip 3328
1⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
1⤵
- Executes dropped EXE
PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 452
  2⤵
  - Program crash
  PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3308 -ip 3308
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\080292272204

Filesize
76KB

MD5
ce54a2a07855cb83a9d7f2aaa70d16dd

SHA1
906423e29014d92f29081f6f546b607e3bcc4486

SHA256
8ab8f332a5ed8b21518e1fb7294052607b86fe051dfa5ae3be30deb06550204f

SHA512
c436cf4e811accea88bb8c16e1a9dae970692268db4a843f79e6df7c78268ed2e0b591d3f4a24a52ba25b5cea6be9e28516f8e6e4fbb839bf3188ac0a6289ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Filesize
471KB

MD5
52060135358cb4c75394785aeb1448a4

SHA1
711fe362dc28bbd5a0848b6f09e48a6f44fea1a6

SHA256
83619ee24044322ebd76bc42b0ecb9085325a3803bd8cb23a15d209cd351d79c

SHA512
8c76e3c310cb2548504f305e244c1729961bd98470ee495f5a9329e9117833dd81590c55138486e054a3e1b3d6eaab35e8f2a9446a71e7506294c5f5f5e774e9

Download Submit
memory/560-53-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/560-52-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3308-62-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3328-44-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3328-22-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3328-33-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3576-34-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3576-43-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4912-18-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/4912-20-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4912-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/4912-19-0x0000000000760000-0x00000000007CB000-memory.dmp

Filesize
428KB

Download
memory/4912-3-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4912-2-0x0000000000760000-0x00000000007CB000-memory.dmp

Filesize
428KB

Download