Malware Analysis Report

2024-11-30 22:07

Sample ID 240704-ekmetavglg
Target 4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722
SHA256 4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722
Tags amadey 4dd39d evasion trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722

Threat Level: Known bad

The file 4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722 was found to be: Known bad.

Malicious Activity Summary

amadey 4dd39d evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-07-04 04:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 04:00

Reported

2024-07-04 04:02

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

63s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe

"C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
RU | 77.91.77.82:80 | | tcp
RU | 77.91.77.82:80 | | tcp

Files

memory/3520-0-0x0000000000C60000-0x0000000001125000-memory.dmp

memory/3520-1-0x0000000077B24000-0x0000000077B26000-memory.dmp

memory/3520-2-0x0000000000C61000-0x0000000000C8F000-memory.dmp

memory/3520-3-0x0000000000C60000-0x0000000001125000-memory.dmp

memory/3520-5-0x0000000000C60000-0x0000000001125000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 182206467665f105bbd7f5255c35979a
SHA1 7f38f0b0b602c496d7d37a5324ca9f1f598d0ca1
SHA256 4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722
SHA512 de14bbd4eaaa676e6975db7530dd49d272d67d558583476705043ad9c34742f0620d583224ab92b2f02d3323b669a245e1de966709a5da4281ba77b6bf001039

memory/4984-18-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/3520-17-0x0000000000C60000-0x0000000001125000-memory.dmp

memory/4984-19-0x00000000002E1000-0x000000000030F000-memory.dmp

memory/4984-20-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-21-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-22-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-23-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-24-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-25-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-26-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-27-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-28-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4620-30-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4620-31-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4620-32-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4620-33-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-34-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-35-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-36-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-37-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-38-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-39-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/3952-41-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/3952-42-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-43-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-44-0x00000000002E0000-0x00000000007A5000-memory.dmp

memory/4984-45-0x00000000002E0000-0x00000000007A5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 04:00

Reported

2024-07-04 04:02

Platform

win11-20240508-en

Max time kernel

143s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe

"C:\Users\Admin\AppData\Local\Temp\4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

Network

Country | Destination | Domain | Proto
RU | 77.91.77.82:80 | | tcp
RU | 77.91.77.82:80 | | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp

Files

memory/4936-0-0x00000000009D0000-0x0000000000E95000-memory.dmp

memory/4936-1-0x0000000077E56000-0x0000000077E58000-memory.dmp

memory/4936-2-0x00000000009D1000-0x00000000009FF000-memory.dmp

memory/4936-3-0x00000000009D0000-0x0000000000E95000-memory.dmp

memory/4936-5-0x00000000009D0000-0x0000000000E95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe

MD5 182206467665f105bbd7f5255c35979a
SHA1 7f38f0b0b602c496d7d37a5324ca9f1f598d0ca1
SHA256 4deb7b1193ed389f36eb6d50cb7ae3c046e5244cf07f5e9e9864f23843ac8722
SHA512 de14bbd4eaaa676e6975db7530dd49d272d67d558583476705043ad9c34742f0620d583224ab92b2f02d3323b669a245e1de966709a5da4281ba77b6bf001039

memory/4936-15-0x00000000009D0000-0x0000000000E95000-memory.dmp

memory/4240-17-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-18-0x0000000000B91000-0x0000000000BBF000-memory.dmp

memory/4240-19-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-20-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-21-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-22-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-23-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-24-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-25-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-26-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-27-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/2688-29-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/2688-30-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/2688-31-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/2688-33-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-34-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-35-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-36-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-37-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-38-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-39-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4648-41-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4648-42-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-43-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-44-0x0000000000B90000-0x0000000001055000-memory.dmp

memory/4240-45-0x0000000000B90000-0x0000000001055000-memory.dmp