amadey | 4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57

General

Target

Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
Size

250KB
MD5

5144f2c618edf5a258b02fc2b71beefd
SHA1

69a27371c6c2f8db55ed23160945149a9011736e
SHA256

4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
SHA512

74a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.11

C2

176.111.174.67/7Ndd3SnW/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	528	rundll32.exe
12	1552	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
880	rween.exe

Loads dropped DLL 10 IoCs

pid	Process
1784	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
1784	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
528	rundll32.exe
528	rundll32.exe
528	rundll32.exe
528	rundll32.exe
1552	rundll32.exe
1552	rundll32.exe
1552	rundll32.exe
1552	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
528	rundll32.exe
528	rundll32.exe
528	rundll32.exe
528	rundll32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 880	1784	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	29
PID 1784 wrote to memory of 880	1784	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	29
PID 1784 wrote to memory of 880	1784	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	29
PID 1784 wrote to memory of 880	1784	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	29
PID 880 wrote to memory of 620	880	rween.exe	30
PID 880 wrote to memory of 620	880	rween.exe	30
PID 880 wrote to memory of 620	880	rween.exe	30
PID 880 wrote to memory of 620	880	rween.exe	30
PID 620 wrote to memory of 768	620	cmd.exe	32
PID 620 wrote to memory of 768	620	cmd.exe	32
PID 620 wrote to memory of 768	620	cmd.exe	32
PID 620 wrote to memory of 768	620	cmd.exe	32
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 528	880	rween.exe	35
PID 880 wrote to memory of 1552	880	rween.exe	36
PID 880 wrote to memory of 1552	880	rween.exe	36
PID 880 wrote to memory of 1552	880	rween.exe	36
PID 880 wrote to memory of 1552	880	rween.exe	36
PID 880 wrote to memory of 1552	880	rween.exe	36
PID 880 wrote to memory of 1552	880	rween.exe	36
PID 880 wrote to memory of 1552	880	rween.exe	36

C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
"C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784
- C:\ProgramData\011ab573a3\rween.exe
  "C:\ProgramData\011ab573a3\rween.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
      4⤵
      PID:768
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:528
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-10-0x00000000009D0000-0x00000000009E1000-memory.dmp

Filesize
68KB

Download
memory/1636-17-0x000007FEF7510000-0x000007FEF778A000-memory.dmp

Filesize
2.5MB

Download
memory/1784-2-0x0000000000BE0000-0x0000000000BF1000-memory.dmp

Filesize
68KB

Download
memory/1784-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1784-8-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/1784-3-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing