Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2024 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe

  • Size

    44KB

  • MD5

    b73cf29c0ea647c353e4771f0697c41f

  • SHA1

    3e5339b80dcfbdc80d946fc630c657654ef58de7

  • SHA256

    edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd

  • SHA512

    2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8

  • SSDEEP

    768:fcbuPx+zgDwfIH/335cJX2om4VQRIEvmg5+FOKo5h:flxT1H/335C2ozVQRItgMF4h

Score
10/10
amadeyzharkbot1176f2botnetdiscoverypersistencetrojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

1176f2

C2

http://185.215.113.19

Attributes
  • install_dir

    417fd29867

  • install_file

    ednfoki.exe

  • strings_key

    183201dc3defc4394182b4bff63c4065

  • url_paths

    /CoreOPT/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects ZharkBot payload 1 IoCs

    ZharkBot is a botnet written C++.

  • ZharkBot

    ZharkBot is a botnet written C++.

    botnetzharkbot
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe
    "C:\Users\Admin\AppData\Local\Temp\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:440
      • C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
        "C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2292
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 488
          4⤵
          • Program crash
          PID:3648
      • C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe
        "C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4604
        • C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4220
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd" /TR "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1924
      • C:\Windows\system32\schtasks.exe
        schtasks /Create /SC MINUTE /MO 1 /TN "edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd" /TR "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" /F
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3080
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292
    1⤵
      PID:3548
    • C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe
      "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:4464
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd" /TR "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe" /F
          2⤵
            PID:3456
        • C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe
          "C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2292
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            2⤵
              PID:4056

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\1000268001\kitty.exe
            Filesize

            319KB

            MD5

            0ec1f7cc17b6402cd2df150e0e5e92ca

            SHA1

            8405b9bf28accb6f1907fbe28d2536da4fba9fc9

            SHA256

            4c5ca5701285337a96298ebf994f8ba013d290c63afa65b5c2b05771fbbb9ed4

            SHA512

            7caa2416bc7878493b62a184ddc844d201a9ab5282abfa77a616316af39ff65309e37bb566b3e29d9e764e08f4eda43a06464acaf9962f911b33e6dbc60c1861

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\1000279001\ovrflw.exe
            Filesize

            1.4MB

            MD5

            3adfc7cf1e296c6fb703991c5233721d

            SHA1

            fddd2877ce7952b91c3f841ca353235d6d8eea67

            SHA256

            6bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471

            SHA512

            5136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\182098368252
            Filesize

            84KB

            MD5

            cff4e6e07ceb853c954f4a1b3b7717d6

            SHA1

            8c5dc86b039c5a697dd3cefaba85953b9163b222

            SHA256

            288eaf6ce5806fc1b765e73c3c4e3330ca47b831470e820a8f216fff84e0ca0b

            SHA512

            ff53cd06dff37488ecd63549c17c2e811237a39b9d3ce421bbadd22c6b89d0600abf42de57b10240415d8e038d231bee32744c36c120c4aa1253a7c7fba95968

            Download Submit

          • C:\Users\Admin\Pictures\Lighter Tech\edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd.exe
            Filesize

            44KB

            MD5

            b73cf29c0ea647c353e4771f0697c41f

            SHA1

            3e5339b80dcfbdc80d946fc630c657654ef58de7

            SHA256

            edd76f144bbdbfc060f7cb7e19863f89eb55863efc1a913561d812083b6306cd

            SHA512

            2274d4c1e0ef72dc7e73b977e315ddd5472ec35a52e3449b1f6b87336ee18ff8966fed0451d19d24293fde101e0c231a3caa08b7bd0047a18a41466c2525e2e8

            Download Submit

          • memory/440-57-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-36-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-72-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-7-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-8-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-9-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-10-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-11-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-47-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/440-30-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/4056-82-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/4464-79-0x0000000000400000-0x0000000000471000-memory.dmp

            Filesize

            452KB

            Download

          • memory/4604-59-0x0000000000790000-0x00000000008F2000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4808-3-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4808-5-0x000000001BC20000-0x000000001BC90000-memory.dmp

            Filesize

            448KB

            Download

          • memory/4808-2-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4808-4-0x000000001BA60000-0x000000001BAE4000-memory.dmp

            Filesize

            528KB

            Download

          • memory/4808-0-0x00007FFA14ED3000-0x00007FFA14ED5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4808-71-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4808-6-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4808-75-0x00007FFA14ED0000-0x00007FFA15991000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4808-1-0x0000000000320000-0x0000000000332000-memory.dmp

            Filesize

            72KB

            Download