amadey | 4a9006cf3b6e40360af21fbc2c9c419a58212f9fc06cb2a534240790a2e6dbac

Analysis

max time kernel
131s
max time network
136s
platform
windows10_x64
resource
win10v20201028
submitted
26-01-2021 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe

Score

10^/10

amadey trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

rween.exe

pid process

3176 rween.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3580 rundll32.exe
356 rundll32.exe
356 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3176	rween.exe

pid	process
3580	rundll32.exe
356	rundll32.exe
356	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exerween.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 3176	860	eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe	rween.exe
PID 860 wrote to memory of 3176	860	eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe	rween.exe
PID 860 wrote to memory of 3176	860	eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe	rween.exe
PID 3176 wrote to memory of 492	3176	rween.exe	cmd.exe
PID 3176 wrote to memory of 492	3176	rween.exe	cmd.exe
PID 3176 wrote to memory of 492	3176	rween.exe	cmd.exe
PID 492 wrote to memory of 204	492	cmd.exe	reg.exe
PID 492 wrote to memory of 204	492	cmd.exe	reg.exe
PID 492 wrote to memory of 204	492	cmd.exe	reg.exe
PID 3176 wrote to memory of 3580	3176	rween.exe	rundll32.exe
PID 3176 wrote to memory of 3580	3176	rween.exe	rundll32.exe
PID 3176 wrote to memory of 3580	3176	rween.exe	rundll32.exe
PID 3176 wrote to memory of 356	3176	rween.exe	rundll32.exe
PID 3176 wrote to memory of 356	3176	rween.exe	rundll32.exe
PID 3176 wrote to memory of 356	3176	rween.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe
"C:\Users\Admin\AppData\Local\Temp\eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\ProgramData\ace0aa41cd\rween.exe
"C:\ProgramData\ace0aa41cd\rween.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\ace0aa41cd\
3⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\ace0aa41cd\
4⤵
PID:204

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\b26d9bda140704\cred.dll, a_Main
3⤵
- Loads dropped DLL
PID:3580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\ProgramData\b26d9bda140704\scr.dll, a_Main
3⤵
- Loads dropped DLL
PID:356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152119853632563005190890
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\ace0aa41cd\rween.exe
MD5
104d68ad37956b6b9ffe9a69effa6c57

SHA1
6e58c74c92ede192f323358d865f1ce94e69b33b

SHA256
eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d

SHA512
1aa56916792556d461c13343e37286eedbbf0b957a03d98f1916d1c797a036d88ec7f09baa02c45165dfc03b2b9bda6c056abe616abbf88b8f6dba338466bc49

Download Submit
C:\ProgramData\ace0aa41cd\rween.exe
MD5
104d68ad37956b6b9ffe9a69effa6c57

SHA1
6e58c74c92ede192f323358d865f1ce94e69b33b

SHA256
eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d

SHA512
1aa56916792556d461c13343e37286eedbbf0b957a03d98f1916d1c797a036d88ec7f09baa02c45165dfc03b2b9bda6c056abe616abbf88b8f6dba338466bc49

Download Submit
C:\ProgramData\b26d9bda140704\cred.dll
MD5
984d1d77ef48255505fe6d73e895b46c

SHA1
b057b92301c6c8422c47cdf118cf6957447da800

SHA256
25d52bf695c8a13c8a7eae730e2b036b0343432365a66d3aa0e6e19447fecf3b

SHA512
af6dd9696271350f567b578c3330127a762f0a8ba0eebee6825fec50402199cdf1dae91bf9c38ccbdb5aec207a44fa750eab14a547822cc8f6b03276bf4816e5

Download Submit
C:\ProgramData\b26d9bda140704\scr.dll
MD5
e367bbad8b617100bd35834ba92621bb

SHA1
9a626fb5604fee9b7df846411e01404f9ad90d4f

SHA256
bf332072f75e04ce25bc0aefcb19b8b63151f424917f59e06b49b14e51d5fd0b

SHA512
95bd3fd0582c9c511e1863fff29c6a6a20c17f2d29c4baaf05cacce841743288d428e4534f9e8af2a71efd377244aefbf3fa043dc145b64ccc11c532bfb101e7

Download Submit
\ProgramData\b26d9bda140704\cred.dll
MD5
984d1d77ef48255505fe6d73e895b46c

SHA1
b057b92301c6c8422c47cdf118cf6957447da800

SHA256
25d52bf695c8a13c8a7eae730e2b036b0343432365a66d3aa0e6e19447fecf3b

SHA512
af6dd9696271350f567b578c3330127a762f0a8ba0eebee6825fec50402199cdf1dae91bf9c38ccbdb5aec207a44fa750eab14a547822cc8f6b03276bf4816e5

Download Submit
\ProgramData\b26d9bda140704\scr.dll
MD5
e367bbad8b617100bd35834ba92621bb

SHA1
9a626fb5604fee9b7df846411e01404f9ad90d4f

SHA256
bf332072f75e04ce25bc0aefcb19b8b63151f424917f59e06b49b14e51d5fd0b

SHA512
95bd3fd0582c9c511e1863fff29c6a6a20c17f2d29c4baaf05cacce841743288d428e4534f9e8af2a71efd377244aefbf3fa043dc145b64ccc11c532bfb101e7

Download Submit
\ProgramData\b26d9bda140704\scr.dll
MD5
e367bbad8b617100bd35834ba92621bb

SHA1
9a626fb5604fee9b7df846411e01404f9ad90d4f

SHA256
bf332072f75e04ce25bc0aefcb19b8b63151f424917f59e06b49b14e51d5fd0b

SHA512
95bd3fd0582c9c511e1863fff29c6a6a20c17f2d29c4baaf05cacce841743288d428e4534f9e8af2a71efd377244aefbf3fa043dc145b64ccc11c532bfb101e7

Download Submit
memory/204-11-0x0000000000000000-mapping.dmp

Download
memory/356-15-0x0000000000000000-mapping.dmp

Download
memory/356-19-0x0000000003E71000-0x0000000003EA2000-memory.dmp

Filesize
196KB

Download
memory/492-10-0x0000000000000000-mapping.dmp

Download
memory/860-2-0x00000000021C0000-0x0000000002223000-memory.dmp

Filesize
396KB

Download
memory/860-3-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3176-8-0x0000000002070000-0x00000000020D3000-memory.dmp

Filesize
396KB

Download
memory/3176-4-0x0000000000000000-mapping.dmp

Download
memory/3580-12-0x0000000000000000-mapping.dmp

Download