amadey | 9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 10:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe
Size

367KB
MD5

345d32a43a2adae9f81003dda4f9bcb1
SHA1

ad6ef9aeb0f1c850e55b9c0de472f821b33d71e2
SHA256

9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67
SHA512

6f6ee7e83f21ccc8954cbc8515d62eec11c75e5564b9b3e449c6766cb25521246a1a5783ae0a532960efd63ace9f1eaf71c33077b74e4d66ec889beb51086662
SSDEEP

3072:os+QXwgl9vHPbhy6VYnH88eY/8Fcy5iThp+vbeNNGPcbYq/NFPYNwPFcq+bERhV7:oDQXLP9PG1/S5KxNG81NFYqqq2EbzRN

Score

10^/10

amadey 8c4642 discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

8c4642

http://193.201.9.240

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
c7c0f24aa6d8f611f5533809029a4795
url_paths
/live/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 3 IoCs

pid	Process
884	oneetx.exe
3656	oneetx.exe
2280	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

pid	pid_target	Process	procid_target
3136	3952	WerFault.exe	82
856	3952	WerFault.exe	82
4852	3952	WerFault.exe	82
4240	3952	WerFault.exe	82
2832	3952	WerFault.exe	82
4164	3952	WerFault.exe	82
5116	3952	WerFault.exe	82
4348	3952	WerFault.exe	82
1160	3952	WerFault.exe	82
4848	3952	WerFault.exe	82
2248	884	WerFault.exe	110
3344	884	WerFault.exe	110
1352	884	WerFault.exe	110
3884	884	WerFault.exe	110
4668	884	WerFault.exe	110
4620	884	WerFault.exe	110
60	884	WerFault.exe	110
3832	884	WerFault.exe	110
116	884	WerFault.exe	110
1080	884	WerFault.exe	110
2316	884	WerFault.exe	110
1944	884	WerFault.exe	110
4720	884	WerFault.exe	110
3080	884	WerFault.exe	110
4996	884	WerFault.exe	110
4256	3656	WerFault.exe	158
384	2280	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3952	9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 884	3952	9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe	110
PID 3952 wrote to memory of 884	3952	9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe	110
PID 3952 wrote to memory of 884	3952	9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe	110
PID 884 wrote to memory of 4484	884	oneetx.exe	128
PID 884 wrote to memory of 4484	884	oneetx.exe	128
PID 884 wrote to memory of 4484	884	oneetx.exe	128
PID 884 wrote to memory of 856	884	oneetx.exe	136
PID 884 wrote to memory of 856	884	oneetx.exe	136
PID 884 wrote to memory of 856	884	oneetx.exe	136
PID 856 wrote to memory of 4596	856	cmd.exe	140
PID 856 wrote to memory of 4596	856	cmd.exe	140
PID 856 wrote to memory of 4596	856	cmd.exe	140
PID 856 wrote to memory of 2352	856	cmd.exe	141
PID 856 wrote to memory of 2352	856	cmd.exe	141
PID 856 wrote to memory of 2352	856	cmd.exe	141
PID 856 wrote to memory of 3652	856	cmd.exe	142
PID 856 wrote to memory of 3652	856	cmd.exe	142
PID 856 wrote to memory of 3652	856	cmd.exe	142
PID 856 wrote to memory of 864	856	cmd.exe	143
PID 856 wrote to memory of 864	856	cmd.exe	143
PID 856 wrote to memory of 864	856	cmd.exe	143
PID 856 wrote to memory of 2328	856	cmd.exe	144
PID 856 wrote to memory of 2328	856	cmd.exe	144
PID 856 wrote to memory of 2328	856	cmd.exe	144
PID 856 wrote to memory of 1348	856	cmd.exe	145
PID 856 wrote to memory of 1348	856	cmd.exe	145
PID 856 wrote to memory of 1348	856	cmd.exe	145

C:\Users\Admin\AppData\Local\Temp\9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe
"C:\Users\Admin\AppData\Local\Temp\9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 560
  2⤵
  - Program crash
  PID:3136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 628
  2⤵
  - Program crash
  PID:856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 732
  2⤵
  - Program crash
  PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 740
  2⤵
  - Program crash
  PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 672
  2⤵
  - Program crash
  PID:2832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 856
  2⤵
  - Program crash
  PID:4164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1104
  2⤵
  - Program crash
  PID:5116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1144
  2⤵
  - Program crash
  PID:4348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1212
  2⤵
  - Program crash
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 584
    3⤵
    - Program crash
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 756
    3⤵
    - Program crash
    PID:3344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 784
    3⤵
    - Program crash
    PID:1352
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 796
    3⤵
    - Program crash
    PID:3884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 808
    3⤵
    - Program crash
    PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 808
    3⤵
    - Program crash
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1000
    3⤵
    - Program crash
    PID:60
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 760
    3⤵
    - Program crash
    PID:3832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 668
    3⤵
    - Program crash
    PID:116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4596
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2352
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:864
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\cb7ae701b3" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2328
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\cb7ae701b3" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:1348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1248
    3⤵
    - Program crash
    PID:1080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1224
    3⤵
    - Program crash
    PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1204
    3⤵
    - Program crash
    PID:1944
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 664
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1336
    3⤵
    - Program crash
    PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 796
    3⤵
    - Program crash
    PID:4996
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1260
  2⤵
  - Program crash
  PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3952 -ip 3952
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3952 -ip 3952
1⤵
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3952 -ip 3952
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3952 -ip 3952
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3952 -ip 3952
1⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3952 -ip 3952
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3952 -ip 3952
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3952 -ip 3952
1⤵
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3952 -ip 3952
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3952 -ip 3952
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 884 -ip 884
1⤵
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 884 -ip 884
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 884 -ip 884
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 884 -ip 884
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 884 -ip 884
1⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 884 -ip 884
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 884 -ip 884
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 884 -ip 884
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 884 -ip 884
1⤵
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 884 -ip 884
1⤵
PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 884 -ip 884
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 884 -ip 884
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 884 -ip 884
1⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 884 -ip 884
1⤵
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 884 -ip 884
1⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 312
  2⤵
  - Program crash
  PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3656 -ip 3656
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:2280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 312
  2⤵
  - Program crash
  PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2280 -ip 2280
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
345d32a43a2adae9f81003dda4f9bcb1

SHA1
ad6ef9aeb0f1c850e55b9c0de472f821b33d71e2

SHA256
9accad21b56c8203721abd6bd80c9cddb70759ba4581c270dd6a1f064ee9df67

SHA512
6f6ee7e83f21ccc8954cbc8515d62eec11c75e5564b9b3e449c6766cb25521246a1a5783ae0a532960efd63ace9f1eaf71c33077b74e4d66ec889beb51086662

Download Submit
memory/884-23-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/884-21-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/884-22-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/884-32-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/884-34-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/2280-39-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/3656-30-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/3952-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3952-1-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/3952-17-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/3952-18-0x00000000025A0000-0x00000000025D5000-memory.dmp

Filesize
212KB

Download
memory/3952-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3952-2-0x00000000025A0000-0x00000000025D5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads