Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20240708-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    11-11-2024 21:22

General

  • Target

    2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00.exe

  • Size

    3.0MB

  • MD5

    735b427034dfa1e8184d92b3e9e0e918

  • SHA1

    b975f1733334e5fe7f5b243af277c443f2284959

  • SHA256

    2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00

  • SHA512

    c161ecb540f6f96cc2141920bf73d2964b9d467c40321659d908fb12d7cac130c1d15e927e45fbb58078ee2a5a0151d14883208edb1f5f8e08e346a77f497721

  • SSDEEP

    49152:jWGWJ9i+5Z5WxbqKJ9D+Fh1sOmQmSTxJCsso:CGZ+75WFqKJ9CFbPgST1

Malware Config

Extracted

Family

amadey

Version

4.42

Botnet

9c9aa5

C2

http://185.215.113.43

Attributes
  • install_dir

    abc3bc1985

  • install_file

    skotes.exe

  • strings_key

    8a35cf2ea38c2817dba29a4b5b25dcf0

  • url_paths

    /Zu7JuNko/index.php

rc4.plain
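The extracted config gives a strings_key and an RC4 marker but no decrypted strings, so the following is an added example (editor's code, not output of the sandbox or part of the Amadey sample) of how an analyst would turn these fields into something usable: a plain RC4 routine keyed with the ASCII bytes of strings_key, a hex-in/text-out decryptor for strings pulled from the binary, and the full C2 URL assembled from the C2 host and url_paths. Two assumptions are made: that the key is applied as its literal ASCII bytes and that ciphertexts are hex-encoded, which is how Amadey string decryption is commonly documented; the ciphertext used in the demonstration is constructed locally by encrypting a value from this page, since no encrypted string appears above. A public RC4 test vector is included so the cipher core can be checked independently of those assumptions.

```python
"""RC4 helper for Amadey-style encrypted strings (added example, not sandbox output)."""
from __future__ import annotations

# Values copied from the extracted config above.
STRINGS_KEY = "8a35cf2ea38c2817dba29a4b5b25dcf0"
C2 = "http://185.215.113.43"
URL_PATH = "/Zu7JuNko/index.php"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream XOR (PRGA).

    RC4 is symmetric, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_hex_string(hex_ct: str, key: str = STRINGS_KEY) -> str:
    """Decrypt one hex-encoded RC4 ciphertext using the ASCII bytes of the key.

    Assumption: Amadey applies strings_key as literal ASCII bytes and stores
    ciphertexts hex-encoded; feed it the hex blobs recovered from the sample.
    """
    return rc4(key.encode(), bytes.fromhex(hex_ct)).decode("utf-8", errors="replace")


def encrypt_to_hex(plaintext: str, key: str = STRINGS_KEY) -> str:
    """Inverse of decrypt_hex_string; used here only to construct a test ciphertext."""
    return rc4(key.encode(), plaintext.encode()).hex()


def c2_url() -> str:
    """Full check-in URL: C2 host plus the configured url_path."""
    return C2.rstrip("/") + URL_PATH


if __name__ == "__main__":
    # Constructed ciphertext: encrypt a value from this page, then decrypt it back.
    ct = encrypt_to_hex(URL_PATH)
    print("constructed ciphertext:", ct)
    print("decrypted            :", decrypt_hex_string(ct))
    print("C2 URL               :", c2_url())
```

In practice you would replace the constructed ciphertext with hex strings carved from the unpacked 3.0MB binary (the memory regions listed under Downloads are where an unpacked copy would be dumped from); anything that decrypts to readable ASCII confirms both the key and the encoding assumption.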

Signatures

  • Amadey

    Amadey is a simple trojan bot used primarily to collect reconnaissance information about the host and to download and run additional payloads.

  • Amadey family
  • Detect Xworm Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 7 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1216
      • C:\Users\Admin\AppData\Local\Temp\2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00.exe
        "C:\Users\Admin\AppData\Local\Temp\2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
          "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2828
          • C:\Users\Admin\AppData\Local\Temp\1005612001\new.exe
            "C:\Users\Admin\AppData\Local\Temp\1005612001\new.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2688
          • C:\Users\Admin\AppData\Local\Temp\1005617001\new.exe
            "C:\Users\Admin\AppData\Local\Temp\1005617001\new.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3056
          • C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe
            "C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2388
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat
              5⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2724
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:2704
              • C:\Windows\SysWOW64\findstr.exe
                findstr /I "wrsa opssvc"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2896
              • C:\Windows\SysWOW64\tasklist.exe
                tasklist
                6⤵
                • Enumerates processes with tasklist
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                PID:1028
              • C:\Windows\SysWOW64\findstr.exe
                findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1444
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 609587
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2120
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V "outputdiffswalnutcontainer" Sufficient
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2400
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1812
              • C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif
                Horizon.pif k
                6⤵
                • Suspicious use of NtCreateUserProcessOtherParentProcess
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:712
                • C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2076
              • C:\Windows\SysWOW64\choice.exe
                choice /d y /t 5
                6⤵
                • System Location Discovery: System Language Discovery
                PID:968
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1680
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:2152
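The process tree above shows two chains a defender would want to catch: the Dragon.bat stage (tasklist piped into findstr for security-product process names, copy /b reassembling a payload from split fragments, a .pif launched from Temp, and a dropped RegAsm.exe running from the same Temp folder) and the persistence stage (a schtasks entry running wscript //B every 5 minutes, plus an [InternetShortcut] .url written into the Startup folder). The following is an added example (editor's code, not part of the sandbox report) of detection logic for those behaviours, run over constructed process-creation records modelled on the PIDs, images and command lines listed above; the record format is a simplified stand-in for Sysmon Event ID 1 or EDR telemetry, and the benign control event at the end is invented.

```python
"""Flag the Dragon.bat and persistence behaviours in process-creation records (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as logged


# Security-product process names taken from the two findstr invocations above.
AV_NAMES = {"wrsa", "opssvc", "avastui", "avgui", "bdservicehost", "nswscsvc", "sophoshealth"}

# Constructed records modelled on the process tree above; the last one is a benign control.
EVENTS = [
    ProcEvent(2388, 2828, r"C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe"'),
    ProcEvent(2724, 2388, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c copy Dragon Dragon.bat & Dragon.bat'),
    ProcEvent(2704, 2724, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(2896, 2724, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa opssvc"'),
    ProcEvent(1444, 2724, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"'),
    ProcEvent(1812, 2724, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b ..\Combine + ..\Transportation + ..\Chef k"),
    ProcEvent(712, 2724, r"C:\Users\Admin\AppData\Local\Temp\609587\Horizon.pif", "Horizon.pif k"),
    ProcEvent(2076, 712, r"C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe",
              r"C:\Users\Admin\AppData\Local\Temp\609587\RegAsm.exe"),
    ProcEvent(1652, 1680, r"C:\Windows\SysWOW64\schtasks.exe",
              r"""schtasks.exe /create /tn "Windows" /tr "wscript //B 'C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js'" /sc minute /mo 5 /F"""),
    ProcEvent(2152, 1216, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & echo URL="C:\Users\Admin\AppData\Local\Sync360 Sphere Elite Technologies Co\Sync360Sphere.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync360Sphere.url" & exit'),
    ProcEvent(4000, 1216, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),  # benign control (invented)
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: [rule, ...]} for every record that matches at least one rule."""
    hits = defaultdict(list)
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)

    for ev in events:
        cmd = ev.cmdline.lower()
        img = ev.image.lower()
        name = _basename(ev.image)
        in_user_tmp = "\\appdata\\local\\temp\\" in img

        # 1. findstr for AV process names with a sibling tasklist: the AV check in Dragon.bat.
        if name == "findstr.exe":
            siblings = {_basename(s.image) for s in children[ev.ppid]}
            if "tasklist.exe" in siblings and any(av in cmd for av in AV_NAMES):
                hits[ev.pid].append("av_process_check")

        # 2. copy /b a + b + c: a payload reassembled from split fragments.
        if re.search(r"copy\s+/b\s+\S+(\s*\+\s*\S+)+", cmd):
            hits[ev.pid].append("binary_concat")

        # 3. A .pif executed out of a user-writable Temp directory.
        if name.endswith(".pif") and in_user_tmp:
            hits[ev.pid].append("pif_from_temp")

        # 4. RegAsm.exe running anywhere other than the .NET Framework directory.
        if name == "regasm.exe" and "\\microsoft.net\\framework" not in img:
            hits[ev.pid].append("regasm_outside_framework")

        # 5. schtasks /create whose action is a hidden wscript run (//B).
        if name == "schtasks.exe" and "/create" in cmd and "wscript" in cmd and "//b" in cmd:
            hits[ev.pid].append("schtasks_wscript_hidden")

        # 6. An [InternetShortcut] .url written into the per-user Startup folder.
        if "[internetshortcut]" in cmd and "\\start menu\\programs\\startup\\" in cmd:
            hits[ev.pid].append("startup_url_shortcut")
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(detect(EVENTS).items()):
        print(pid, ", ".join(rules))
```

Rule 1 deliberately requires both the tasklist sibling and an AV name, because findstr on its own and tasklist on its own are common in administrative scripts; rule 4 keys on the image path rather than the name, since the dropped RegAsm.exe here is 63KB and sits in Temp, not in the Framework directory where the legitimate tool lives. On a real host the same checks translate directly to Sysmon Event ID 1 fields (Image, CommandLine, ParentProcessId).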

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1005612001\new.exe

      Filesize

      7.9MB

      MD5

      3c7a5e1c746ab968c270df5517cf8a8e

      SHA1

      d685d6683df1904277d90c0d6090488fd8052ea9

      SHA256

      db027953eb30087f3084e85b1930b384847129a1a4a988e6b0ee6d78be00b7ca

      SHA512

      feb1f63b3ac7b700348ba7baea692d01d38e49638e2fde8598424ab09ea2747f07c797406c8b697fd8662fc051fea984dd2d0560be07ffee6d236be239c73d27

    • C:\Users\Admin\AppData\Local\Temp\1005622001\PowderGpl.exe

      Filesize

      1.0MB

      MD5

      bf265e0055178b2aa642fc6df2ae5f40

      SHA1

      f692cbf19ecf33a48ddefa2b615ea979fa5633b4

      SHA256

      9b0021640b636a39ab43bfff88e5dca26161e8cd4da26596f0c3068fb7659642

      SHA512

      c20bfffbe194f551dfaeab68579b89f5c4fb8d5bb90d80b516f008a4debc009505d059e03a404d08605f903be1126c1600e96786369a7abe6813842ab36cae3d

    • C:\Users\Admin\AppData\Local\Temp\609587\k

      Filesize

      223KB

      MD5

      9c3ccfc1b85ec90de741f82334ec5c13

      SHA1

      cdb55d03f47197ac3c1556de854384e25a161285

      SHA256

      08e08296d2da025e5fd84c3ad002a83af525149d56b5d9a24f75a6d080bbea58

      SHA512

      9b567d773421bf3a84a56911c86589225c1faaad1391063bac65495a0287798a28b764da81c44596cc9c69f7673233876292fd172bbcdad4ce91f391042912c1

    • C:\Users\Admin\AppData\Local\Temp\Chef

      Filesize

      64KB

      MD5

      4929feb5427b3e00555c7cebeb73ab46

      SHA1

      a48cf5e4a6e44bba30589f5cf96536a3a007141b

      SHA256

      8faea441687488ed8da8773c1acf4f6ba847b42359716d1275fe44100fc46cd9

      SHA512

      a13ce8842a46e19c436558f51de82ae036b520182a042865c3c625cdb6c4c9bee4ba7f914cf0feac67685e6f299ceaea2008b3255b0868c0d5f414c07b32e43b

    • C:\Users\Admin\AppData\Local\Temp\Combine

      Filesize

      85KB

      MD5

      dad5d9394613487c0825ad87374a4a96

      SHA1

      806d908a747487b4693b1dc7598c66670b342cac

      SHA256

      81887327e72b9233e2a002ed8d4557669f3305a60fc4ab45b3cb37257798c42c

      SHA512

      f0a5e4051f24360bdf6d7f969d187ab848e42906878a33f960c72dfa28a7ed48540eb59dc28ae0691ba7771aae501387221e1549bf71e24c9f850c05e6513418

    • C:\Users\Admin\AppData\Local\Temp\Dragon

      Filesize

      13KB

      MD5

      8f99511bc647d62d0ab24676ffbf1f81

      SHA1

      ee9c17c288b3ecd7984edd8f5d3f3c2806c28beb

      SHA256

      3ae4eccb218817f804f188b17cdab5f2d5a46e4b01f61992522c687cb265b8a6

      SHA512

      9e7cf15d925c810c1cf0b56e73f5dfbe54188becf481fc600bf4479b0f3d4a2fb1bd261b4874ffc9a0498c0e3a30f4e08c4bc97e800d6013cd37c8bf46917ec7

    • C:\Users\Admin\AppData\Local\Temp\Sufficient

      Filesize

      7KB

      MD5

      b3b46c8e223bde8e40e6628db25523c9

      SHA1

      b1fe51169b519463044c613d4f3edf9c26115dac

      SHA256

      d0fa12b632138baed0239d8da41e60ae5e9d08c4ab7de774bea56741e8bd9a09

      SHA512

      e426f66a18ec6c5471908520a81d8f0e6b14b48841f96da6a5480603dddf65be6e56ed44a0411f5a3387f387a0a5ef3e651f90f4398d1643665330428db9263f

    • C:\Users\Admin\AppData\Local\Temp\Transportation

      Filesize

      74KB

      MD5

      30a3404783a2d7652e29d645628b04c9

      SHA1

      aaf37b72d13c697276b34e323ca1bd00fc243cdf

      SHA256

      5b264df9d00b5df6d976a76cca68f3fd70bc1c277344d6d8c16a024cebbcb9a6

      SHA512

      48d768d87b9ede55b34ec699fd223e7fab0b55cc8fcafcab28dede80dd235cbf2bd3e9429f1533d6f891ddff1221f9d8c7cefb15bce8b155322ee97981d23eab

    • C:\Users\Admin\AppData\Local\Temp\Traveling

      Filesize

      864KB

      MD5

      4546bdeea370b865f80ba3e523b3ade7

      SHA1

      7118f8844c1f938d3e00b5c50624d995ee01236a

      SHA256

      ade4df61ada81439b176e2b32f970ec6a0697c959e3d75c0e40eea07813ed930

      SHA512

      1c031f1a10e0080a3f5ed1359ebc05d214c8aa19a760ea05bb1008f3f1ee37d119f60ccd6c98c20044647711beb4f62c49a936b88199066dccceb9d741a1adb5

    • C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

      Filesize

      3.0MB

      MD5

      735b427034dfa1e8184d92b3e9e0e918

      SHA1

      b975f1733334e5fe7f5b243af277c443f2284959

      SHA256

      2ce67a1ac2f39ff149ee9f832a02b1e4208300dd7db269c2abdea19d67e8ff00

      SHA512

      c161ecb540f6f96cc2141920bf73d2964b9d467c40321659d908fb12d7cac130c1d15e927e45fbb58078ee2a5a0151d14883208edb1f5f8e08e346a77f497721

    • \Users\Admin\AppData\Local\Temp\609587\Horizon.pif

      Filesize

      872KB

      MD5

      18ce19b57f43ce0a5af149c96aecc685

      SHA1

      1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

      SHA256

      d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

      SHA512

      a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

    • \Users\Admin\AppData\Local\Temp\609587\RegAsm.exe

      Filesize

      63KB

      MD5

      b58b926c3574d28d5b7fdd2ca3ec30d5

      SHA1

      d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

      SHA256

      6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

      SHA512

      b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

    • memory/1988-10-0x0000000000E90000-0x000000000118E000-memory.dmp

      Filesize

      3.0MB

    • memory/1988-19-0x0000000000E91000-0x0000000000EF9000-memory.dmp

      Filesize

      416KB

    • memory/1988-0-0x0000000000E90000-0x000000000118E000-memory.dmp

      Filesize

      3.0MB

    • memory/1988-15-0x0000000000E90000-0x000000000118E000-memory.dmp

      Filesize

      3.0MB

    • memory/1988-16-0x00000000066F0000-0x00000000069EE000-memory.dmp

      Filesize

      3.0MB

    • memory/1988-5-0x0000000000E90000-0x000000000118E000-memory.dmp

      Filesize

      3.0MB

    • memory/1988-3-0x0000000000E90000-0x000000000118E000-memory.dmp

      Filesize

      3.0MB

    • memory/1988-2-0x0000000000E91000-0x0000000000EF9000-memory.dmp

      Filesize

      416KB

    • memory/1988-1-0x0000000076FE0000-0x0000000076FE2000-memory.dmp

      Filesize

      8KB

    • memory/2076-446-0x0000000000090000-0x00000000000A0000-memory.dmp

      Filesize

      64KB

    • memory/2076-449-0x0000000000090000-0x00000000000A0000-memory.dmp

      Filesize

      64KB

    • memory/2076-448-0x0000000000090000-0x00000000000A0000-memory.dmp

      Filesize

      64KB

    • memory/2828-23-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-38-0x0000000000941000-0x00000000009A9000-memory.dmp

      Filesize

      416KB

    • memory/2828-41-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-24-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-70-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-21-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-440-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-20-0x0000000000941000-0x00000000009A9000-memory.dmp

      Filesize

      416KB

    • memory/2828-452-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-18-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-461-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-39-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-445-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-453-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-454-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-455-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-456-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-457-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-458-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-459-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-460-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB

    • memory/2828-40-0x0000000000940000-0x0000000000C3E000-memory.dmp

      Filesize

      3.0MB