amadey | 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Size

1.8MB
MD5

cccde21b7aa72f82653f08cd7dc99810
SHA1

9404a35d44af2596afa70aa99d77038708f1a590
SHA256

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89
SHA512

eada6496281b8d6c1c61e3f1e534767fc5f8b1204d985f191afb65d2829730bedd55117ca871e6aa00ed0afb55fd6182c9cf454d9d9fb955ea490eb5cc1b6ca3
SSDEEP

24576:VPMF5WAjrjYtwFHzJAfAH+wR7/tN/RtFIxXx35TvWeaO4K6zYd500RBBB6eGgNbC:C2AjrzdJAYjVtNpIBDmMd5zBBpGS

Score

10^/10

amadey 0e6740 evasion trojan

Malware Config

Extracted

Family

amadey

Version

4.21

Botnet

0e6740

http://147.45.47.155

Attributes

install_dir
9217037dc9
install_file
explortu.exe
strings_key
8e894a8a4a3d0da8924003a561cfb244
url_paths
/ku4Nor9/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explortu.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explortu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	explortu.exe

Executes dropped EXE 1 IoCs

Processes:

explortu.exe

pid process

1488 explortu.exe

pid	process
1488	explortu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Wine	explortu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.exe

pid process

4592 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
1488 explortu.exe
Drops file in Windows directory 1 IoCs

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe

description ioc process

File created C:\Windows\Tasks\explortu.job 190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2784 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2144 taskkill.exe

description	ioc	process
File created	C:\Windows\Tasks\explortu.job	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe

pid	process
2784	timeout.exe

pid	process
2144	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.exe

pid	process
4592	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
4592	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
1488	explortu.exe
1488	explortu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2144 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2144	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exeexplortu.execmd.exe

description	pid	process	target process
PID 4592 wrote to memory of 1488	4592	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe	explortu.exe
PID 4592 wrote to memory of 1488	4592	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe	explortu.exe
PID 4592 wrote to memory of 1488	4592	190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe	explortu.exe
PID 1488 wrote to memory of 2200	1488	explortu.exe	cmd.exe
PID 1488 wrote to memory of 2200	1488	explortu.exe	cmd.exe
PID 1488 wrote to memory of 2200	1488	explortu.exe	cmd.exe
PID 2200 wrote to memory of 2144	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2144	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2144	2200	cmd.exe	taskkill.exe
PID 2200 wrote to memory of 2784	2200	cmd.exe	timeout.exe
PID 2200 wrote to memory of 2784	2200	cmd.exe	timeout.exe
PID 2200 wrote to memory of 2784	2200	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89_NeikiAnalytics.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4592

C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
"C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k "taskkill /f /im "explortu.exe" && timeout 1 && del "explortu.exe" && ren 0e6740 explortu.exe && C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe && Exit"
3⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "explortu.exe"
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9217037dc9\0e6740
Filesize
1.8MB

MD5
c28f1b84c0c57d2821a7bd6df00d4bb1

SHA1
9295f6a3a97abc1e686c2628ff7f8a14dfd5edcc

SHA256
757e36fe4f5f8dcaee86b15974bee0e2b45445d679235c5857c349a4ff5f6353

SHA512
69ac8f8912f4b269699ac65aedd6dd91c4a32533df64ddbb56af838ae1a16d65808d623aeff444b82c3a2bc6c6e76cbcf9b840f8aab542bfe742b3bc8f2e9787

Download Submit
C:\Users\Admin\AppData\Local\Temp\9217037dc9\explortu.exe
Filesize
1.8MB

MD5
cccde21b7aa72f82653f08cd7dc99810

SHA1
9404a35d44af2596afa70aa99d77038708f1a590

SHA256
190b59533d38ee969b361261bd4a48e5e38a3d4ee94dda1853a81dc3197e4b89

SHA512
eada6496281b8d6c1c61e3f1e534767fc5f8b1204d985f191afb65d2829730bedd55117ca871e6aa00ed0afb55fd6182c9cf454d9d9fb955ea490eb5cc1b6ca3

Download Submit
memory/1488-19-0x0000000000871000-0x000000000089F000-memory.dmp

Filesize
184KB

Download
memory/1488-18-0x0000000000870000-0x0000000000D1B000-memory.dmp

Filesize
4.7MB

Download
memory/1488-20-0x0000000000870000-0x0000000000D1B000-memory.dmp

Filesize
4.7MB

Download
memory/1488-21-0x0000000000870000-0x0000000000D1B000-memory.dmp

Filesize
4.7MB

Download
memory/1488-30-0x0000000000870000-0x0000000000D1B000-memory.dmp

Filesize
4.7MB

Download
memory/4592-3-0x00000000007C0000-0x0000000000C6B000-memory.dmp

Filesize
4.7MB

Download
memory/4592-5-0x00000000007C0000-0x0000000000C6B000-memory.dmp

Filesize
4.7MB

Download
memory/4592-2-0x00000000007C1000-0x00000000007EF000-memory.dmp

Filesize
184KB

Download
memory/4592-17-0x00000000007C0000-0x0000000000C6B000-memory.dmp

Filesize
4.7MB

Download
memory/4592-0-0x00000000007C0000-0x0000000000C6B000-memory.dmp

Filesize
4.7MB

Download
memory/4592-1-0x00000000775F4000-0x00000000775F6000-memory.dmp

Filesize
8KB

Download