Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 17:57
Behavioral task: behavioral1
- Sample: amadey.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: amadey.exe
- Resource: win10v2004-20240226-en
General
- Target: amadey.exe
- Size: 231KB
- MD5: 3dd072d71907f6d5a5b046908c081f11
- SHA1: 6432c3dacb6e4dec30ad44cc92f79d4a0156affd
- SHA256: 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
- SHA512: 2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453
- SSDEEP: 6144:0s9bFCavQJdMSzPgI0KIikB/NiFEZu7dRmV:pbFCRMcRIiTFgu7dR
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: amadey.exe, jbruyer.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | amadey.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | jbruyer.exe
- Executes dropped EXE (4 IoCs)
  Processes: jbruyer.exe (4 instances)
  pid | process
  3772 | jbruyer.exe
  3464 | jbruyer.exe
  3340 | jbruyer.exe
  1580 | jbruyer.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: amadey.exe
  pid | process
  772 | amadey.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: amadey.exe, jbruyer.exe, cmd.exe
  description | pid | process | target process (each entry is reported three times in the raw log, 27 in total)
  PID 772 wrote to memory of 3772 | 772 | amadey.exe | jbruyer.exe (x3)
  PID 3772 wrote to memory of 4252 | 3772 | jbruyer.exe | schtasks.exe (x3)
  PID 3772 wrote to memory of 4576 | 3772 | jbruyer.exe | cmd.exe (x3)
  PID 4576 wrote to memory of 2076 | 4576 | cmd.exe | cmd.exe (x3)
  PID 4576 wrote to memory of 2228 | 4576 | cmd.exe | cacls.exe (x3)
  PID 4576 wrote to memory of 4732 | 4576 | cmd.exe | cacls.exe (x3)
  PID 4576 wrote to memory of 1392 | 4576 | cmd.exe | cmd.exe (x3)
  PID 4576 wrote to memory of 2964 | 4576 | cmd.exe | cacls.exe (x3)
  PID 4576 wrote to memory of 3220 | 4576 | cmd.exe | cacls.exe (x3)
Processes (indentation shows the parent/child depth of the process tree)
- C:\Users\Admin\AppData\Local\Temp\amadey.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\amadey.exe"
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN jbruyer.exe /TR "C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe" /F
      - Scheduled Task/Job: Scheduled Task
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "jbruyer.exe" /P "Admin:N"&&CACLS "jbruyer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\73456c80a6" /P "Admin:N"&&CACLS "..\73456c80a6" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "jbruyer.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "jbruyer.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\73456c80a6" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\73456c80a6" /P "Admin:R" /E
- C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
- C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\73456c80a6\jbruyer.exe
  Filesize: 231KB
  MD5: 3dd072d71907f6d5a5b046908c081f11
  SHA1: 6432c3dacb6e4dec30ad44cc92f79d4a0156affd
  SHA256: 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
  SHA512: 2f6a4df887ad59e8b34644e8832f843f0f3c84171dbd8ceee9e1ec348684ba43a7ab4f2864464e343c8a17bc147839add11c939dfcea4fd60f79f48b89010453
- C:\Users\Admin\AppData\Local\Temp\808065738166
  Filesize: 74KB
  MD5: f05a0319a2e5c2c9f37dc0a75e154c12
  SHA1: dc5929d9b458de59c009e59a93f909ded39aafb1
  SHA256: 3d5594b175b9e8ee71a698cbd78122582eb9f43f651c7b9d87c69d42c63856ad
  SHA512: a8fedd665fe06679d77282fee6f8d3fab8e96ee2b5c5f7df7cc161a030c9eb7341180cd9df1c91c23485907e36b1c5e911eba2938be3bc404504901ebc16c909