amadey | 4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57

General

Target

Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
Size

250KB
MD5

5144f2c618edf5a258b02fc2b71beefd
SHA1

69a27371c6c2f8db55ed23160945149a9011736e
SHA256

4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
SHA512

74a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.11

C2

176.111.174.67/7Ndd3SnW/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	1296	rundll32.exe
20	2308	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
2216	rween.exe

Loads dropped DLL 2 IoCs

pid	Process
1296	rundll32.exe
2308	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1296	rundll32.exe
1296	rundll32.exe
1296	rundll32.exe
1296	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 2216	1192	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	76
PID 1192 wrote to memory of 2216	1192	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	76
PID 1192 wrote to memory of 2216	1192	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	76
PID 2216 wrote to memory of 3464	2216	rween.exe	79
PID 2216 wrote to memory of 3464	2216	rween.exe	79
PID 2216 wrote to memory of 3464	2216	rween.exe	79
PID 3464 wrote to memory of 3700	3464	cmd.exe	81
PID 3464 wrote to memory of 3700	3464	cmd.exe	81
PID 3464 wrote to memory of 3700	3464	cmd.exe	81
PID 2216 wrote to memory of 1296	2216	rween.exe	83
PID 2216 wrote to memory of 1296	2216	rween.exe	83
PID 2216 wrote to memory of 1296	2216	rween.exe	83
PID 2216 wrote to memory of 2308	2216	rween.exe	84
PID 2216 wrote to memory of 2308	2216	rween.exe	84
PID 2216 wrote to memory of 2308	2216	rween.exe	84

C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
"C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\ProgramData\011ab573a3\rween.exe
  "C:\ProgramData\011ab573a3\rween.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1296
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-6-0x0000000000C80000-0x0000000000CAC000-memory.dmp

Filesize
176KB

Download
memory/1192-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1192-2-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2216-8-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing