amadey | 3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87

Analysis

max time kernel
116s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe
Size

367KB
MD5

b87f6c9394b7d10ccc8d5d19cc72d88e
SHA1

412700f0a8aede47ea99d11bb12e47df628d529a
SHA256

3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87
SHA512

14f0f6a793e19f6133829af150248ab8594d710095c53f1d9ac855479be2bb7eb876a57291657cbd3adb1d0364d64154ad1e84cdc931618734b505f4141bbc62
SSDEEP

3072:oi+QXwgl9vHPbhy6VYnH88eY/8Fcy5iThp+vbeNNGPcbYq/NFPYNwPFcq+bERhV5:olQXLP9PG1/S5KxNG81NFYqqq2EbzRf

Score

10^/10

amadey 8c4642 discovery trojan

Malware Config

Extracted

Family

amadey

Version

3.80

Botnet

8c4642

http://193.201.9.240

Attributes

install_dir
cb7ae701b3
install_file
oneetx.exe
strings_key
c7c0f24aa6d8f611f5533809029a4795
url_paths
/live/games/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 3 IoCs

pid	Process
424	oneetx.exe
884	oneetx.exe
3788	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

pid	pid_target	Process	procid_target
924	2452	WerFault.exe	82
3092	2452	WerFault.exe	82
1596	2452	WerFault.exe	82
4828	2452	WerFault.exe	82
3316	2452	WerFault.exe	82
2988	2452	WerFault.exe	82
440	2452	WerFault.exe	82
1012	2452	WerFault.exe	82
4732	2452	WerFault.exe	82
4964	2452	WerFault.exe	82
3724	424	WerFault.exe	110
436	424	WerFault.exe	110
4716	424	WerFault.exe	110
4720	424	WerFault.exe	110
3652	424	WerFault.exe	110
1804	424	WerFault.exe	110
456	424	WerFault.exe	110
4024	424	WerFault.exe	110
2136	424	WerFault.exe	110
3384	424	WerFault.exe	110
396	424	WerFault.exe	110
4156	424	WerFault.exe	110
3244	424	WerFault.exe	110
4760	424	WerFault.exe	110
2200	884	WerFault.exe	157
4672	424	WerFault.exe	110
3364	3788	WerFault.exe	166

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oneetx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1648	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2452	3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 424	2452	3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe	110
PID 2452 wrote to memory of 424	2452	3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe	110
PID 2452 wrote to memory of 424	2452	3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe	110
PID 424 wrote to memory of 1648	424	oneetx.exe	129
PID 424 wrote to memory of 1648	424	oneetx.exe	129
PID 424 wrote to memory of 1648	424	oneetx.exe	129
PID 424 wrote to memory of 1600	424	oneetx.exe	135
PID 424 wrote to memory of 1600	424	oneetx.exe	135
PID 424 wrote to memory of 1600	424	oneetx.exe	135
PID 1600 wrote to memory of 3628	1600	cmd.exe	139
PID 1600 wrote to memory of 3628	1600	cmd.exe	139
PID 1600 wrote to memory of 3628	1600	cmd.exe	139
PID 1600 wrote to memory of 852	1600	cmd.exe	140
PID 1600 wrote to memory of 852	1600	cmd.exe	140
PID 1600 wrote to memory of 852	1600	cmd.exe	140
PID 1600 wrote to memory of 4304	1600	cmd.exe	141
PID 1600 wrote to memory of 4304	1600	cmd.exe	141
PID 1600 wrote to memory of 4304	1600	cmd.exe	141
PID 1600 wrote to memory of 4588	1600	cmd.exe	142
PID 1600 wrote to memory of 4588	1600	cmd.exe	142
PID 1600 wrote to memory of 4588	1600	cmd.exe	142
PID 1600 wrote to memory of 2840	1600	cmd.exe	143
PID 1600 wrote to memory of 2840	1600	cmd.exe	143
PID 1600 wrote to memory of 2840	1600	cmd.exe	143
PID 1600 wrote to memory of 5004	1600	cmd.exe	144
PID 1600 wrote to memory of 5004	1600	cmd.exe	144
PID 1600 wrote to memory of 5004	1600	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe
"C:\Users\Admin\AppData\Local\Temp\3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 560
  2⤵
  - Program crash
  PID:924
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 644
  2⤵
  - Program crash
  PID:3092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 696
  2⤵
  - Program crash
  PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 840
  2⤵
  - Program crash
  PID:4828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 840
  2⤵
  - Program crash
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 872
  2⤵
  - Program crash
  PID:2988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1100
  2⤵
  - Program crash
  PID:440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1100
  2⤵
  - Program crash
  PID:1012
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1220
  2⤵
  - Program crash
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 584
    3⤵
    - Program crash
    PID:3724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 736
    3⤵
    - Program crash
    PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 824
    3⤵
    - Program crash
    PID:4716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 944
    3⤵
    - Program crash
    PID:4720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 984
    3⤵
    - Program crash
    PID:3652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 984
    3⤵
    - Program crash
    PID:1804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1004
    3⤵
    - Program crash
    PID:456
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 888
    3⤵
    - Program crash
    PID:4024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 688
    3⤵
    - Program crash
    PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3628
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:852
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\cb7ae701b3" /P "Admin:N"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2840
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\cb7ae701b3" /P "Admin:R" /E
      4⤵
      System Location Discovery: System Language Discovery
      PID:5004
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 680
    3⤵
    - Program crash
    PID:3384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 668
    3⤵
    - Program crash
    PID:396
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1160
    3⤵
    - Program crash
    PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 676
    3⤵
    - Program crash
    PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1324
    3⤵
    - Program crash
    PID:4760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 1016
    3⤵
    - Program crash
    PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 1256
  2⤵
  - Program crash
  PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2452 -ip 2452
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2452 -ip 2452
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2452 -ip 2452
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2452 -ip 2452
1⤵
PID:4120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2452 -ip 2452
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2452 -ip 2452
1⤵
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2452 -ip 2452
1⤵
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2452 -ip 2452
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2452 -ip 2452
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2452 -ip 2452
1⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 424 -ip 424
1⤵
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 424 -ip 424
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 424 -ip 424
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 424 -ip 424
1⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 424 -ip 424
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 424 -ip 424
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 424 -ip 424
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 424 -ip 424
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 424 -ip 424
1⤵
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 424 -ip 424
1⤵
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 424 -ip 424
1⤵
PID:68

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 424 -ip 424
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 424 -ip 424
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 424 -ip 424
1⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 316
  2⤵
  - Program crash
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 884 -ip 884
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 424 -ip 424
1⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
1⤵
- Executes dropped EXE
PID:3788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 312
  2⤵
  - Program crash
  PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3788 -ip 3788
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe

Filesize
367KB

MD5
b87f6c9394b7d10ccc8d5d19cc72d88e

SHA1
412700f0a8aede47ea99d11bb12e47df628d529a

SHA256
3bf5cfd44aaff78c8d01a0eef87ed49d7971884ac990a4dcd653f186b9c05a87

SHA512
14f0f6a793e19f6133829af150248ab8594d710095c53f1d9ac855479be2bb7eb876a57291657cbd3adb1d0364d64154ad1e84cdc931618734b505f4141bbc62

Download Submit
memory/424-23-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/424-21-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/424-22-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/424-32-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/424-37-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/884-27-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/2452-3-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-2-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/2452-18-0x0000000002570000-0x00000000025A5000-memory.dmp

Filesize
212KB

Download
memory/2452-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-17-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download
memory/2452-1-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/3788-36-0x0000000000400000-0x0000000000800000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads