amadey | ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7

Analysis

max time kernel
32s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gktpohoadkth.exe
Size

429KB
MD5

1508a5d67bf9beb497b97cc5eff91c5e
SHA1

69c93e632d29fda0f093eacdadd434066f307343
SHA256

ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7
SHA512

3e36d4dd681e1950fdac02f48d9e07b1419b5240b007e9595bba6a5ac1c6f3171db495359e7794b40bcd697c50ab4ebd4010a7c95317859ef6ec11d7ce34b06e
SSDEEP

12288:C+6Bg1Wu+6LQxbcjTqCyeC2PMI7uB7RTx:CH6L/IGMOuV

Score

10^/10

amadey systembc discovery persistence trojan

Malware Config

Extracted

Family

systembc

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

ns1.vic.au.dns.opennic.glue

ns2.vic.au.dns.opennic.glue

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Blocklisted process makes network request 2 IoCs

flow	pid	Process
10	2856	rundll32.exe
11	2856	rundll32.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	Gxtuum.exe
2760	eula.exe

Loads dropped DLL 11 IoCs

pid	Process
2172	gktpohoadkth.exe
2980	Gxtuum.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
2856	rundll32.exe
4564	WerFault.exe
4564	WerFault.exe
4564	WerFault.exe
4564	WerFault.exe
4564	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\terms.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\10001340110\\terms.dll, Main"	Gxtuum.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	gktpohoadkth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4564	2760	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gktpohoadkth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2760	eula.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	eula.exe
Token: SeDebugPrivilege	2760	eula.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	gktpohoadkth.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2980	2172	gktpohoadkth.exe	29
PID 2172 wrote to memory of 2980	2172	gktpohoadkth.exe	29
PID 2172 wrote to memory of 2980	2172	gktpohoadkth.exe	29
PID 2172 wrote to memory of 2980	2172	gktpohoadkth.exe	29
PID 2980 wrote to memory of 2760	2980	Gxtuum.exe	31
PID 2980 wrote to memory of 2760	2980	Gxtuum.exe	31
PID 2980 wrote to memory of 2760	2980	Gxtuum.exe	31
PID 2980 wrote to memory of 2760	2980	Gxtuum.exe	31
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2980 wrote to memory of 2856	2980	Gxtuum.exe	32
PID 2760 wrote to memory of 4564	2760	eula.exe	33
PID 2760 wrote to memory of 4564	2760	eula.exe	33
PID 2760 wrote to memory of 4564	2760	eula.exe	33
PID 2760 wrote to memory of 4564	2760	eula.exe	33

C:\Users\Admin\AppData\Local\Temp\gktpohoadkth.exe
"C:\Users\Admin\AppData\Local\Temp\gktpohoadkth.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
    "C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 616
      4⤵
      Loads dropped DLL
      Program crash
      PID:4564
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10001340110\terms.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe

Filesize
2.0MB

MD5
cf14dd806489fb5772ebcea711b535a3

SHA1
064e5c703dd348e7408bbfbc0351467e624eea9b

SHA256
f719bd30d817c69e08d81266a4007c60a8c9ad98ddae27d0fa73f9e530b644ac

SHA512
d409ae1228e64f2d311a07e21f04c6a2eea38730db1178e8214725943a1bda31bf9c47d5eba6ea860403b593b98a8ba7ec42dc183385cf659fa64d18a7abb67f

Download Submit
C:\Users\Admin\AppData\Roaming\10001340110\terms.dll

Filesize
13KB

MD5
44163d81bb5710839fb9ba265de2c942

SHA1
a7497d6085ed8ce25e9728a0af7e989e026eaf04

SHA256
de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666

SHA512
97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4

Download Submit
\Users\Admin\AppData\Local\Temp\10001330101\eula.exe

Filesize
1.0MB

MD5
73703d5bb617732c13350e6cc99e6c25

SHA1
c09633d94f419676a89c525ff7044bee3b27edf5

SHA256
e29f810eb7e50e88f466808b49e5068fdef0158c0646c14bada596b4cecdf0e4

SHA512
6e25df2bea7571e94258b4e1beca337caa535ab4abe713602a1e50a39c604d332bb82504615b07da799b1e5435dd117ea178dbce0c03992d2e9da6a60dcebde7

Download Submit
\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe

Filesize
429KB

MD5
1508a5d67bf9beb497b97cc5eff91c5e

SHA1
69c93e632d29fda0f093eacdadd434066f307343

SHA256
ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7

SHA512
3e36d4dd681e1950fdac02f48d9e07b1419b5240b007e9595bba6a5ac1c6f3171db495359e7794b40bcd697c50ab4ebd4010a7c95317859ef6ec11d7ce34b06e

Download Submit
memory/2172-1-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2760-66-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-56-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-48-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-80-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-90-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-88-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-86-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-84-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-82-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-78-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-76-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-74-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-72-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-70-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-69-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-26-0x0000000002050000-0x0000000002136000-memory.dmp

Filesize
920KB

Download
memory/2760-64-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-62-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-60-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-38-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-54-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-52-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-50-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-46-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-44-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-42-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-40-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-36-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-34-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-32-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-30-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-28-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-58-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-27-0x0000000002050000-0x0000000002131000-memory.dmp

Filesize
900KB

Download
memory/2760-25-0x0000000000380000-0x0000000000482000-memory.dmp

Filesize
1.0MB

Download
memory/2760-1212-0x00000000043A0000-0x00000000043F8000-memory.dmp

Filesize
352KB

Download
memory/2760-1213-0x0000000002140000-0x000000000218C000-memory.dmp

Filesize
304KB

Download
memory/2760-1218-0x0000000004900000-0x0000000004954000-memory.dmp

Filesize
336KB

Download