Malware Analysis Report

2024-09-11 16:19

Sample ID 240710-p6wwgsygrq
Target e62848b3576538fa77777032c232436b.bin
SHA256 97ec855a73ef9fc27b5b804dd0e5e882741c3dcfe316d3ecb6eb582aea38ed8e
Tags
execution ffb1b9 amadey
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

97ec855a73ef9fc27b5b804dd0e5e882741c3dcfe316d3ecb6eb582aea38ed8e

Threat Level: Known bad

The file e62848b3576538fa77777032c232436b.bin was found to be: Known bad.

Malicious Activity Summary

execution ffb1b9 amadey

Amadey family

Unsigned PE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-10 12:57

Signatures

Amadey family

amadey

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 12:57

Reported

2024-07-10 13:02

Platform

win7-20240704-de

Max time kernel

194s

Max time network

287s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63\Blob = 140000000100000014000000831254141f266c6819e9d5866c31d235d627f71703000000010000001400000029b9b6b8a1b770e87881347b0de532ddb1262f630f00000001000000200000003bcf530ef7f046e29cca7f7a98ee2dc32695a8f10f565db44b1830259c99547b2000000001000000f9020000308202f5308201dda003020102021066f8a9576c24bbfe65d8a1d0464750b5300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303631383132303030305a170d3239303631373132303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c170cbbc0a786bb4d4a04ee8c0f3d7c8a7ffa1187b5fe65abd8d952810df5a912e93e9c92aa70c0131ec6d3126fb4c0a81cd318e725cc81f4403a574afbc28cf024a9302729ffdd098e1956b3b7b5bdb7dd1d7b23f1123465ed11b18752061bda5c19da5816660e052ea2eab6e266589971cafa41af878b370afbf05c1da55fc8bd96f456fb07552982e4aa8fbdf76ff733b369144c93b55fafe08e5db8ddb93ec30c0b11cd67791e1ff7e03724a61ce62777606f88f10553bf68960ccea8c0816c45bfe67deead563aa7a4f2fba4c57d6be55f7ab45751d0786b284f1d71d7bf6d7f7c760317958b9d865f34ed68fa7cbd187ed548384f6b34953e025ce73010203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414831254141f266c6819e9d5866c31d235d627f717300d06092a864886f70d01010b0500038201010074cf49948930b038bb5e35f499ad3281509873029d5808ba58b705fc893e5e002b6d974f7b7d83d538d4726f7037b93433275d46e1397a793cf8dac2161ea031b0996e66a8798f9584883722a58c54468affa639d50d0c486818351b25e2d0da2c012fa15eb942ee8b443ffdcdc6b3b9255633cd610a3a8e98eb5b708bc913cd3e1daa75dd045c5f9ff36da926892f72e18c7375b0a0ffd9bae71fdf3bad413ff928430f8ab039e2806fabc12340c8dfc095740ba5a647a249110205e4f45275546427cdf49cd31bada7be5a90e44d8781c8fb59d1490296c6e10f9c8a3ecc0cd84e88c0bb4c22c6c73ba001f4b1593b4c49f6e8a50798309534e9d6799f3d5a C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63\Blob = 19000000010000001000000028bfb0064ebe7450c3bc60cc37b841ac0f00000001000000200000003bcf530ef7f046e29cca7f7a98ee2dc32695a8f10f565db44b1830259c99547b03000000010000001400000029b9b6b8a1b770e87881347b0de532ddb1262f63140000000100000014000000831254141f266c6819e9d5866c31d235d627f7172000000001000000f9020000308202f5308201dda003020102021066f8a9576c24bbfe65d8a1d0464750b5300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303631383132303030305a170d3239303631373132303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c170cbbc0a786bb4d4a04ee8c0f3d7c8a7ffa1187b5fe65abd8d952810df5a912e93e9c92aa70c0131ec6d3126fb4c0a81cd318e725cc81f4403a574afbc28cf024a9302729ffdd098e1956b3b7b5bdb7dd1d7b23f1123465ed11b18752061bda5c19da5816660e052ea2eab6e266589971cafa41af878b370afbf05c1da55fc8bd96f456fb07552982e4aa8fbdf76ff733b369144c93b55fafe08e5db8ddb93ec30c0b11cd67791e1ff7e03724a61ce62777606f88f10553bf68960ccea8c0816c45bfe67deead563aa7a4f2fba4c57d6be55f7ab45751d0786b284f1d71d7bf6d7f7c760317958b9d865f34ed68fa7cbd187ed548384f6b34953e025ce73010203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414831254141f266c6819e9d5866c31d235d627f717300d06092a864886f70d01010b0500038201010074cf49948930b038bb5e35f499ad3281509873029d5808ba58b705fc893e5e002b6d974f7b7d83d538d4726f7037b93433275d46e1397a793cf8dac2161ea031b0996e66a8798f9584883722a58c54468affa639d50d0c486818351b25e2d0da2c012fa15eb942ee8b443ffdcdc6b3b9255633cd610a3a8e98eb5b708bc913cd3e1daa75dd045c5f9ff36da926892f72e18c7375b0a0ffd9bae71fdf3bad413ff928430f8ab039e2806fabc12340c8dfc095740ba5a647a249110205e4f45275546427cdf49cd31bada7be5a90e44d8781c8fb59d1490296c6e10f9c8a3ecc0cd84e88c0bb4c22c6c73ba001f4b1593b4c49f6e8a50798309534e9d6799f3d5a C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63 C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\29B9B6B8A1B770E87881347B0DE532DDB1262F63\Blob = 0f00000001000000200000003bcf530ef7f046e29cca7f7a98ee2dc32695a8f10f565db44b1830259c99547b03000000010000001400000029b9b6b8a1b770e87881347b0de532ddb1262f632000000001000000f9020000308202f5308201dda003020102021066f8a9576c24bbfe65d8a1d0464750b5300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303631383132303030305a170d3239303631373132303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100c170cbbc0a786bb4d4a04ee8c0f3d7c8a7ffa1187b5fe65abd8d952810df5a912e93e9c92aa70c0131ec6d3126fb4c0a81cd318e725cc81f4403a574afbc28cf024a9302729ffdd098e1956b3b7b5bdb7dd1d7b23f1123465ed11b18752061bda5c19da5816660e052ea2eab6e266589971cafa41af878b370afbf05c1da55fc8bd96f456fb07552982e4aa8fbdf76ff733b369144c93b55fafe08e5db8ddb93ec30c0b11cd67791e1ff7e03724a61ce62777606f88f10553bf68960ccea8c0816c45bfe67deead563aa7a4f2fba4c57d6be55f7ab45751d0786b284f1d71d7bf6d7f7c760317958b9d865f34ed68fa7cbd187ed548384f6b34953e025ce73010203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414831254141f266c6819e9d5866c31d235d627f717300d06092a864886f70d01010b0500038201010074cf49948930b038bb5e35f499ad3281509873029d5808ba58b705fc893e5e002b6d974f7b7d83d538d4726f7037b93433275d46e1397a793cf8dac2161ea031b0996e66a8798f9584883722a58c54468affa639d50d0c486818351b25e2d0da2c012fa15eb942ee8b443ffdcdc6b3b9255633cd610a3a8e98eb5b708bc913cd3e1daa75dd045c5f9ff36da926892f72e18c7375b0a0ffd9bae71fdf3bad413ff928430f8ab039e2806fabc12340c8dfc095740ba5a647a249110205e4f45275546427cdf49cd31bada7be5a90e44d8781c8fb59d1490296c6e10f9c8a3ecc0cd84e88c0bb4c22c6c73ba001f4b1593b4c49f6e8a50798309534e9d6799f3d5a C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2792 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe

"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 proresupdate.com udp
RU 45.140.19.240:80 proresupdate.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 172.67.197.250:443 contur2fa.recipeupdates.rest tcp
RU 45.140.19.240:80 proresupdate.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 0fb684cc15d197c0b937e5528359d7c8
SHA1 7d963246f52f42012bdcddb31214283c84c954ed
SHA256 e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260
SHA512 c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c

memory/2200-24-0x00000000731E1000-0x00000000731E2000-memory.dmp

memory/2200-25-0x00000000731E0000-0x000000007378B000-memory.dmp

memory/2200-26-0x00000000731E0000-0x000000007378B000-memory.dmp

memory/2200-27-0x00000000731E0000-0x000000007378B000-memory.dmp

memory/2200-28-0x00000000731E0000-0x000000007378B000-memory.dmp

memory/2200-30-0x00000000731E0000-0x000000007378B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 12:57

Reported

2024-07-10 13:02

Platform

win10-20240404-de

Max time kernel

193s

Max time network

288s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe

"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 proresupdate.com udp
RU 45.140.19.240:80 proresupdate.com tcp
US 8.8.8.8:53 240.19.140.45.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
RU 45.140.19.240:80 proresupdate.com tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-10 12:57

Reported

2024-07-10 13:02

Platform

win10v2004-20240709-de

Max time kernel

196s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe

"C:\Users\Admin\AppData\Local\Temp\6cdb5689c39841cb71537410e90fcd6db86ef27dff8cf9eac5ac8122997f5b90.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 proresupdate.com udp
RU 45.140.19.240:80 proresupdate.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 240.19.140.45.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
RU 45.140.19.240:80 proresupdate.com tcp

Files

N/A