Overview

overview

10

Static

static

10

OneApp.IGC...ce.exe

windows7-x64

10

OneApp.IGC...ce.exe

windows10-2004-x64

10

Resubmissions

28-06-2024 17:14

240628-vr2fbaxclf 10

09-03-2024 17:17

240309-vtrnwsdg2s 10

Analysis

  • max time kernel
    145s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 17:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OneApp.IGCC.WinService.exe

  • Size

    5.5MB

  • MD5

    0cb7d11ea511391d791b0fbb9637ee79

  • SHA1

    96c13496ad8342bdf1cb0ffbe59f673c8395e99b

  • SHA256

    502129a00203367b15d57f87b5b51d01fb292928708decb723cd7ad866a7fda3

  • SHA512

    8823a02a66d883cb7bffce5f4c93a216dd3280f5f65b340b00b8d6e72112327ef4e64fe6cd3c43dfe3dc7e241d19d4ea98bc9e9e3d49ca2818131920b4093aeb

  • SSDEEP

    98304:MXu+i79EbSTjewAV6G67Ngr9wZZGBysnji/MZ/HqLGdOVnhamYMNwHYo8C4Esg6:MXuzCSTqwAV63Ngr9w6Zj5lHkG8hzqHw

Score
10/10
amadeyhijackloader84fc95executionloadertrojan

Malware Config

Extracted

Family

amadey

Version

4.18

Botnet

84fc95

C2

http://pleasurecanbesafe.com

Attributes
  • install_dir

    40c3273379

  • install_file

    Dctooux.exe

  • strings_key

    65688f14a915e81474c2405160e45f77

  • url_paths

    /7vAficZogD/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OneApp.IGCC.WinService.exe
    "C:\Users\Admin\AppData\Local\Temp\OneApp.IGCC.WinService.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Users\Admin\AppData\Local\Temp\procmap.exe
        C:\Users\Admin\AppData\Local\Temp\procmap.exe
        3⤵
        • Checks computer location settings
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3136
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1001429041\run.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4248
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4288,i,12594301322143882025,16832588342008839449,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
    1⤵
      PID:3340

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1001429041\run.ps1
      Filesize

      16B

      MD5

      4845f01eaa8068384625e302e9a4eb05

      SHA1

      fb6ff8293fa45e17ba97f84954e7d1d5b0d38f87

      SHA256

      8a482f2271a42c5f54c96e816a84340a6f2357a5b81f927d07d00788f5140a41

      SHA512

      bb58f2438524b518b19f2b74c5d598460735958f77c310ba3710520d1d88ce7975449977c9965dbca87cd6a824c8ab82e56bea6d571d79594079f0a0ea404d77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\765a0ec0
      Filesize

      1.1MB

      MD5

      7b15e08be0bd48be921961b626de935f

      SHA1

      db50eba93c6015c0e6cfe4e607b95dea928df768

      SHA256

      7df2da3f2e7aac35df84f761908905c8aef85a2d6fdb6d7d382846c9c22a9ee8

      SHA512

      69d49f85381f69398c84a689803dc16ccd18f29127a61814d13816131ff990883819188ebcc2deffaecb1c0b84d90f259891467d64f20ec1b74a6d18033a0fd6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0xwidtm.xze.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\procmap.exe
      Filesize

      13KB

      MD5

      0c13dfbc137a3bb4cc8da0b6301e9468

      SHA1

      f2ce29eed4c9f219dab415cf6729ee06c8fcff4d

      SHA256

      ee8ef58f3bf0dab066eb608cb0f167b1585e166bf4730858961c192860ceffe9

      SHA512

      e9343db4f416b4428745e57e47626e7ce52a21d0fa904915554fd900bab1b26d49d0f77b74bbf5404ec898b19af2287cdef3ed6b8ccf50760767eb3fc204a895

      Download Submit

    • memory/876-4-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/876-5-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/876-1-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/876-0-0x0000000000400000-0x0000000000A04000-memory.dmp

      Filesize

      6.0MB

      Download

    • memory/876-2-0x00007FFFCAAD0000-0x00007FFFCACC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/876-3-0x0000000075162000-0x0000000075163000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1796-18-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1796-14-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1796-12-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1796-9-0x00007FFFCAAD0000-0x00007FFFCACC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1796-7-0x0000000075150000-0x00000000752CB000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3136-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3136-22-0x00007FFFCAAD0000-0x00007FFFCACC5000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3136-23-0x0000000000BC0000-0x0000000000C2D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/3136-79-0x0000000000BC0000-0x0000000000C2D000-memory.dmp

      Filesize

      436KB

      Download

    • memory/4248-40-0x0000000005630000-0x0000000005696000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4248-68-0x0000000007CC0000-0x000000000833A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4248-41-0x0000000005CF0000-0x0000000005D56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4248-38-0x00000000056C0000-0x0000000005CE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4248-51-0x0000000005F10000-0x0000000006264000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4248-52-0x0000000006340000-0x000000000635E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4248-53-0x0000000006390000-0x00000000063DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4248-55-0x0000000007510000-0x0000000007542000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4248-56-0x000000006F710000-0x000000006F75C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4248-66-0x0000000006930000-0x000000000694E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4248-67-0x0000000007550000-0x00000000075F3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4248-39-0x0000000005390000-0x00000000053B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4248-69-0x00000000076A0000-0x00000000076BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4248-70-0x00000000076E0000-0x00000000076EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4248-71-0x0000000007910000-0x00000000079A6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4248-72-0x0000000007870000-0x0000000007881000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4248-73-0x00000000078B0000-0x00000000078BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4248-74-0x00000000078C0000-0x00000000078D4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4248-75-0x00000000079B0000-0x00000000079CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4248-76-0x00000000078F0000-0x00000000078F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4248-37-0x0000000002A10000-0x0000000002A46000-memory.dmp

      Filesize

      216KB

      Download