amadey | 4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57

General

Target

Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
Size

250KB
MD5

5144f2c618edf5a258b02fc2b71beefd
SHA1

69a27371c6c2f8db55ed23160945149a9011736e
SHA256

4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
SHA512

74a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.11

C2

176.111.174.67/7Ndd3SnW/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

17 1296 rundll32.exe
20 2308 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

rween.exe

pid process

2216 rween.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1296 rundll32.exe
2308 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

rundll32.exe

pid process

1296 rundll32.exe
1296 rundll32.exe
1296 rundll32.exe
1296 rundll32.exe

flow	pid	process
17	1296	rundll32.exe
20	2308	rundll32.exe

pid	process
2216	rween.exe

pid	process
1296	rundll32.exe
2308	rundll32.exe

pid	process
1296	rundll32.exe
1296	rundll32.exe
1296	rundll32.exe
1296	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exerween.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 2216	1192	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	rween.exe
PID 1192 wrote to memory of 2216	1192	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	rween.exe
PID 1192 wrote to memory of 2216	1192	Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe	rween.exe
PID 2216 wrote to memory of 3464	2216	rween.exe	cmd.exe
PID 2216 wrote to memory of 3464	2216	rween.exe	cmd.exe
PID 2216 wrote to memory of 3464	2216	rween.exe	cmd.exe
PID 3464 wrote to memory of 3700	3464	cmd.exe	reg.exe
PID 3464 wrote to memory of 3700	3464	cmd.exe	reg.exe
PID 3464 wrote to memory of 3700	3464	cmd.exe	reg.exe
PID 2216 wrote to memory of 1296	2216	rween.exe	rundll32.exe
PID 2216 wrote to memory of 1296	2216	rween.exe	rundll32.exe
PID 2216 wrote to memory of 1296	2216	rween.exe	rundll32.exe
PID 2216 wrote to memory of 2308	2216	rween.exe	rundll32.exe
PID 2216 wrote to memory of 2308	2216	rween.exe	rundll32.exe
PID 2216 wrote to memory of 2308	2216	rween.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
"C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\ProgramData\011ab573a3\rween.exe
  "C:\ProgramData\011ab573a3\rween.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
      4⤵
      PID:3700
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1296
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\011ab573a3\rween.exe

MD5
5144f2c618edf5a258b02fc2b71beefd

SHA1
69a27371c6c2f8db55ed23160945149a9011736e

SHA256
4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57

SHA512
74a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567

Download Submit
C:\ProgramData\011ab573a3\rween.exe

MD5
5144f2c618edf5a258b02fc2b71beefd

SHA1
69a27371c6c2f8db55ed23160945149a9011736e

SHA256
4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57

SHA512
74a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567

Download Submit
C:\ProgramData\152133414903337197415362

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\5eba991cccd123\cred.dll

MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
C:\ProgramData\5eba991cccd123\scr.dll

MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
\ProgramData\5eba991cccd123\cred.dll

MD5
69b7615f2767c3435f2479efdca30177

SHA1
a6d8c6d2bdef56a7197fef6fe79774338df50531

SHA256
6f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64

SHA512
749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee

Download Submit
\ProgramData\5eba991cccd123\scr.dll

MD5
f1c71bbc5b99ab01a8ec7c63a2e12242

SHA1
ad9b2fd325fff790b732be40d3b2182daa43cfa2

SHA256
3d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644

SHA512
50b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2

Download Submit
memory/1192-6-0x0000000000C80000-0x0000000000CAC000-memory.dmp

Filesize
176KB

Download
memory/1192-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1192-2-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1296-14-0x0000000000000000-mapping.dmp

Download
memory/2216-8-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2216-3-0x0000000000000000-mapping.dmp

Download
memory/2308-17-0x0000000000000000-mapping.dmp

Download
memory/3464-10-0x0000000000000000-mapping.dmp

Download
memory/3700-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing