amadey | a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08/12/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
Size

799KB
MD5

89bd66e4285cb7295300a941964af529
SHA1

232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
SHA256

a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
SHA512

72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
SSDEEP

12288:TuhUdOIOQCEXR8DTX0mjy/tP1qtH/OefKE4Ov6O5ebo12AVwyPpW1amgufD/:TuhUSk8DTXtGtP4H5fLzp507uA1wufD

Score

10^/10

amadey 397a17 discovery persistence trojan

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

397a17

http://89.110.69.103

http://94.156.177.33

Attributes

install_dir
0efeaab28d
install_file
Gxtuum.exe
strings_key
6dea7a0890c1d404d1b67c90aea6ece4
url_paths
/Lv2D7fGdopb/index.php

/b9kdj3s3C0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Executes dropped EXE 3 IoCs

pid	Process
2616	word.exe
1864	word.exe
1272	word.exe

Loads dropped DLL 4 IoCs

pid	Process
1780	cmd.exe
1780	cmd.exe
2616	word.exe
1864	word.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\word.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 1608	2616	word.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
792	cmd.exe
2564	PING.EXE
1780	cmd.exe
2200	PING.EXE
3000	PING.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2564	PING.EXE
2200	PING.EXE
3000	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
2616	word.exe
2616	word.exe
2616	word.exe
2616	word.exe
1864	word.exe
1272	word.exe
1272	word.exe
1272	word.exe
2616	word.exe
2616	word.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
Token: SeDebugPrivilege	2616	word.exe
Token: SeDebugPrivilege	1864	word.exe
Token: SeDebugPrivilege	1272	word.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 792	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	31
PID 388 wrote to memory of 792	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	31
PID 388 wrote to memory of 792	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	31
PID 388 wrote to memory of 792	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	31
PID 792 wrote to memory of 2564	792	cmd.exe	33
PID 792 wrote to memory of 2564	792	cmd.exe	33
PID 792 wrote to memory of 2564	792	cmd.exe	33
PID 792 wrote to memory of 2564	792	cmd.exe	33
PID 388 wrote to memory of 1780	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	34
PID 388 wrote to memory of 1780	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	34
PID 388 wrote to memory of 1780	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	34
PID 388 wrote to memory of 1780	388	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	34
PID 1780 wrote to memory of 2200	1780	cmd.exe	36
PID 1780 wrote to memory of 2200	1780	cmd.exe	36
PID 1780 wrote to memory of 2200	1780	cmd.exe	36
PID 1780 wrote to memory of 2200	1780	cmd.exe	36
PID 792 wrote to memory of 2868	792	cmd.exe	37
PID 792 wrote to memory of 2868	792	cmd.exe	37
PID 792 wrote to memory of 2868	792	cmd.exe	37
PID 792 wrote to memory of 2868	792	cmd.exe	37
PID 1780 wrote to memory of 3000	1780	cmd.exe	38
PID 1780 wrote to memory of 3000	1780	cmd.exe	38
PID 1780 wrote to memory of 3000	1780	cmd.exe	38
PID 1780 wrote to memory of 3000	1780	cmd.exe	38
PID 1780 wrote to memory of 2616	1780	cmd.exe	39
PID 1780 wrote to memory of 2616	1780	cmd.exe	39
PID 1780 wrote to memory of 2616	1780	cmd.exe	39
PID 1780 wrote to memory of 2616	1780	cmd.exe	39
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1608	2616	word.exe	40
PID 2616 wrote to memory of 1864	2616	word.exe	42
PID 2616 wrote to memory of 1864	2616	word.exe	42
PID 2616 wrote to memory of 1864	2616	word.exe	42
PID 2616 wrote to memory of 1864	2616	word.exe	42
PID 1864 wrote to memory of 1272	1864	word.exe	43
PID 1864 wrote to memory of 1272	1864	word.exe	43
PID 1864 wrote to memory of 1272	1864	word.exe	43
PID 1864 wrote to memory of 1272	1864	word.exe	43

C:\Users\Admin\AppData\Local\Temp\a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
"C:\Users\Admin\AppData\Local\Temp\a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 8 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 8
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2564
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\Admin\AppData\Local\Temp\a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 20
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2200
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 20
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3000
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\word.exe
      "C:\Users\Admin\AppData\Local\Temp\word.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Users\Admin\AppData\Local\Temp\word.exe
        
        "C:\Users\Admin\AppData\Local\Temp\word.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\word.txt

Filesize
88B

MD5
1d4653ed7952f19d2e6973304695525b

SHA1
35c3bf21520a2893171450ea20638c3d7e5be9af

SHA256
2749a900f984bb7be87d9812222389afb90c322e657e4ff5ee4d7e7d84c920ae

SHA512
e87a2bf3a3602752eaa654a1496467fd1ae156050c994439b6ef149f736c2b5bb3ed877f4d217b9823f2f190de1b14154595898fcb0d1e8a420997177f964586

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.txt

Filesize
91B

MD5
796254a28f73bbf7fc1055e3f4de523d

SHA1
4bc6116e4b0f03fc2f70990e78447ed90a1fce18

SHA256
0a5081f3a58a5844387ed131d7b310caf8b7e2cac2c927b2d212ca2c041b8c1c

SHA512
c1e4cdd5b8ccd3de5cfd30d67ac08c6513340f8a26a8ffce11852d954ce301ed576f614e341e36f995158a13a642bbbc7f8a26478274b2799a5d1108e5245696

Download Submit
\Users\Admin\AppData\Local\Temp\word.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe

Filesize
799KB

MD5
89bd66e4285cb7295300a941964af529

SHA1
232d9fee67a3c3652a80e1c1a258f0d789c6a6cf

SHA256
a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047

SHA512
72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498

Download Submit
memory/388-0-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/388-1-0x0000000000350000-0x000000000041E000-memory.dmp

Filesize
824KB

Download
memory/388-2-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/388-3-0x0000000000300000-0x0000000000326000-memory.dmp

Filesize
152KB

Download
memory/388-4-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-28-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-31-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-24-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-34-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1608-35-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1864-43-0x00000000003A0000-0x00000000003BA000-memory.dmp

Filesize
104KB

Download
memory/2616-17-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/2616-16-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/2616-15-0x00000000012A0000-0x000000000136E000-memory.dmp

Filesize
824KB

Download