Malware Analysis Report

2024-10-23 21:52

Sample ID 240909-pry3aszgla
Target 15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8
SHA256 15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8
Tags
amadey c7817d discovery evasion trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8

Threat Level: Known bad

The file 15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8 was found to be: Known bad.

Malicious Activity Summary

amadey c7817d discovery evasion trojan

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-09-09 12:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 12:34

Reported

2024-09-09 12:37

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe

"C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 31.41.244.10:80 N/A tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 31.41.244.10:80 N/A tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 86428dd44549198730fd4dbcb1813e20
SHA1 835b9410650b1477b06063fe34a1e8025b6dacf6
SHA256 15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8
SHA512 0c0337ce954ec27fb290766fef9a2ae8bfc3eb8e0cf4486733ebc7d7846c57df15181198723d8c6b2c9bbe382f5271777aed6e7ad5bfb31f6cf065ff469e8cbe

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 12:34

Reported

2024-09-09 12:36

Platform

win7-20240708-en

Max time kernel

141s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\svoutse.job C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe

"C:\Users\Admin\AppData\Local\Temp\15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8.exe"

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"

Network

Country Destination Domain Proto
RU 31.41.244.10:80 31.41.244.10 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp
RU 31.41.244.11:80 31.41.244.11 tcp

Files

C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe

MD5 86428dd44549198730fd4dbcb1813e20
SHA1 835b9410650b1477b06063fe34a1e8025b6dacf6
SHA256 15596ed6632a2fdaf71772084761311cfe376b307e7225e5f48c8bf9025494f8
SHA512 0c0337ce954ec27fb290766fef9a2ae8bfc3eb8e0cf4486733ebc7d7846c57df15181198723d8c6b2c9bbe382f5271777aed6e7ad5bfb31f6cf065ff469e8cbe

C:\Users\Admin\AppData\Roaming\1000026000\fa0bb9d3e7.exe

MD5 790053cc2982cd015ea245f476dd2cee
SHA1 4ebdcf333170f4ca27b5de72a2ebb8b527eca409
SHA256 7b7f0acb12ea749492157a52c5c6de543dc89ba0cfbc588716a929fc29005a66
SHA512 87bc8d056bf8f08886517ddefee6c1c4eda413ad76a54847af9a4daecd624453d2ac3ca6c9b3b2b0bc2631826e3794f925b19cdceaba9e4b68deb4c9aa238002
