amadey | a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2024, 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
Size

799KB
MD5

89bd66e4285cb7295300a941964af529
SHA1

232d9fee67a3c3652a80e1c1a258f0d789c6a6cf
SHA256

a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047
SHA512

72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498
SSDEEP

12288:TuhUdOIOQCEXR8DTX0mjy/tP1qtH/OefKE4Ov6O5ebo12AVwyPpW1amgufD/:TuhUSk8DTXtGtP4H5fLzp507uA1wufD

Score

10^/10

amadey 397a17 discovery persistence trojan

Malware Config

Extracted

Family

amadey

Version

5.04

Botnet

397a17

http://89.110.69.103

http://94.156.177.33

Attributes

install_dir
0efeaab28d
install_file
Gxtuum.exe
strings_key
6dea7a0890c1d404d1b67c90aea6ece4
url_paths
/Lv2D7fGdopb/index.php

/b9kdj3s3C0/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	word.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	word.exe

Executes dropped EXE 3 IoCs

pid	Process
1800	word.exe
1444	word.exe
1360	word.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\word.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 3064	1800	word.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	word.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3792	PING.EXE
2648	cmd.exe
3088	PING.EXE
3124	PING.EXE
2884	cmd.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3792	PING.EXE
3088	PING.EXE
3124	PING.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
1800	word.exe
1800	word.exe
1800	word.exe
1800	word.exe
1800	word.exe
1800	word.exe
1444	word.exe
1360	word.exe
1360	word.exe
1360	word.exe
1800	word.exe
1800	word.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
Token: SeDebugPrivilege	1800	word.exe
Token: SeDebugPrivilege	1444	word.exe
Token: SeDebugPrivilege	1360	word.exe

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2884	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	83
PID 4176 wrote to memory of 2884	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	83
PID 4176 wrote to memory of 2884	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	83
PID 2884 wrote to memory of 3792	2884	cmd.exe	85
PID 2884 wrote to memory of 3792	2884	cmd.exe	85
PID 2884 wrote to memory of 3792	2884	cmd.exe	85
PID 4176 wrote to memory of 2648	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	86
PID 4176 wrote to memory of 2648	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	86
PID 4176 wrote to memory of 2648	4176	a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe	86
PID 2648 wrote to memory of 3088	2648	cmd.exe	88
PID 2648 wrote to memory of 3088	2648	cmd.exe	88
PID 2648 wrote to memory of 3088	2648	cmd.exe	88
PID 2884 wrote to memory of 3568	2884	cmd.exe	90
PID 2884 wrote to memory of 3568	2884	cmd.exe	90
PID 2884 wrote to memory of 3568	2884	cmd.exe	90
PID 2648 wrote to memory of 3124	2648	cmd.exe	104
PID 2648 wrote to memory of 3124	2648	cmd.exe	104
PID 2648 wrote to memory of 3124	2648	cmd.exe	104
PID 2648 wrote to memory of 1800	2648	cmd.exe	108
PID 2648 wrote to memory of 1800	2648	cmd.exe	108
PID 2648 wrote to memory of 1800	2648	cmd.exe	108
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 4388	1800	word.exe	109
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 3064	1800	word.exe	110
PID 1800 wrote to memory of 1444	1800	word.exe	112
PID 1800 wrote to memory of 1444	1800	word.exe	112
PID 1800 wrote to memory of 1444	1800	word.exe	112
PID 1444 wrote to memory of 1360	1444	word.exe	113
PID 1444 wrote to memory of 1360	1444	word.exe	113
PID 1444 wrote to memory of 1360	1444	word.exe	113

C:\Users\Admin\AppData\Local\Temp\a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe
"C:\Users\Admin\AppData\Local\Temp\a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 9 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 9
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3792
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "word" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 18
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3088
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 18
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3124
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:4388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\word.exe
      "C:\Users\Admin\AppData\Local\Temp\word.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\word.exe
        
        "C:\Users\Admin\AppData\Local\Temp\word.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\word.exe.log

Filesize
1KB

MD5
7dca233df92b3884663fa5a40db8d49c

SHA1
208b8f27b708c4e06ac37f974471cc7b29c29b60

SHA256
90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

SHA512
d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.txt

Filesize
88B

MD5
d462b8f313bedbac7c1b987b0309c0ea

SHA1
180556db7304e38619f264b61dc31bbcfb41d83b

SHA256
ed2170e3f93ab9b95b1cd536d22fd633a18cbaf7724c0006b514bd5d0b716a11

SHA512
0694bd0e027ac7c64070593a3da3f40919c6f34d62950c63d66682f32ee75e63209e8db191f3c592a852d5aa4be84ba879bf20e0f1b9bdda7bf3fe1664151301

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.txt

Filesize
91B

MD5
ac1213ef1c95dc9c8d59c37905c106a5

SHA1
d30922698077485028534e0ff655cf112851f0ce

SHA256
98d2d280da37abb58c50cde16dee5771cf14839edb461f49df8d77da638fffa4

SHA512
d04df3f84865701748e72bb84087a8b876e2af544a9fec696c2c891f06365a993ff040dc27acbbb66464d106665df4e63a858f2e92c1ff5b69515a26cc0e25cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.txt

Filesize
91B

MD5
4d65505603dad1581282ced34f05a665

SHA1
fb5a72e3ea28b5bd71dcbe2a94f19a8ce6f20231

SHA256
2c080bf949f1bbf4feb5cf8858d4e88433e61123daefc82f33cfb742adbedd1f

SHA512
9a83af27cb1908b9e5ec9cca5c70b09151999cbf19a50542f74f2f9a9e46ee8a3cefc3c8dea66fc69913a7bb8111b4845949c8458da037b2c9242e9917ab01a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\word.exe

Filesize
799KB

MD5
89bd66e4285cb7295300a941964af529

SHA1
232d9fee67a3c3652a80e1c1a258f0d789c6a6cf

SHA256
a46bf8412717f75bf098966cb1f5074836e78f5699bb5073dcc45d59ca790047

SHA512
72d1c8c4b74bacca619a58062441203c6cfea81d064dc1933af7a3cb9758d924b011a6935e8d255aad58159a4ecbb3677cc6a6e80f6daa8b135711195a5c8498

Download Submit
memory/1444-38-0x00000000002D0000-0x00000000002EA000-memory.dmp

Filesize
104KB

Download
memory/1800-18-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1800-21-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1800-20-0x00000000077B0000-0x00000000077B6000-memory.dmp

Filesize
24KB

Download
memory/1800-19-0x0000000007790000-0x00000000077AA000-memory.dmp

Filesize
104KB

Download
memory/1800-16-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/1800-17-0x00000000007C0000-0x000000000088E000-memory.dmp

Filesize
824KB

Download
memory/3064-25-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3064-22-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3064-26-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4176-10-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4176-8-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4176-7-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/4176-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/4176-6-0x00000000051D0000-0x00000000051F6000-memory.dmp

Filesize
152KB

Download
memory/4176-5-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4176-4-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/4176-3-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/4176-2-0x00000000050F0000-0x000000000518C000-memory.dmp

Filesize
624KB

Download
memory/4176-1-0x0000000000B70000-0x0000000000C3E000-memory.dmp

Filesize
824KB

Download