amadey | 2f1103e99fb464143a58c654763fe9c8ea25dfa84d04cfa9a1557fcb891330f5

General

Target

Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe
Size

325KB
MD5

f8bdaa4de9861b0d490490deaa372625
SHA1

f72e8b2d815af12760656339adb7f9ca6f633e2a
SHA256

2f1103e99fb464143a58c654763fe9c8ea25dfa84d04cfa9a1557fcb891330f5
SHA512

e5c61deed4df89f3fcfa3671ba3ddaa9fe8ef8f32815160e51f233dd400dbc8fd19716f4e04edd482ffe0a47577bb6b627464d7c1d8156547d988b07e4013875

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.07

C2

91.241.19.159/m7vvsw2dsQ/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

bween.exe

pid process

2840 bween.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2840	bween.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exebween.execmd.exe

description	pid	process	target process
PID 416 wrote to memory of 2840	416	Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe	bween.exe
PID 416 wrote to memory of 2840	416	Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe	bween.exe
PID 416 wrote to memory of 2840	416	Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe	bween.exe
PID 2840 wrote to memory of 3756	2840	bween.exe	cmd.exe
PID 2840 wrote to memory of 3756	2840	bween.exe	cmd.exe
PID 2840 wrote to memory of 3756	2840	bween.exe	cmd.exe
PID 3756 wrote to memory of 2108	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2108	3756	cmd.exe	reg.exe
PID 3756 wrote to memory of 2108	3756	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe
"C:\Users\Admin\AppData\Local\Temp\Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:416
- C:\ProgramData\8ad2f1a034\bween.exe
  "C:\ProgramData\8ad2f1a034\bween.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\8ad2f1a034\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\8ad2f1a034\
      4⤵
      PID:2108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\152119853632563005190890

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\8ad2f1a034\bween.exe

MD5
f8bdaa4de9861b0d490490deaa372625

SHA1
f72e8b2d815af12760656339adb7f9ca6f633e2a

SHA256
2f1103e99fb464143a58c654763fe9c8ea25dfa84d04cfa9a1557fcb891330f5

SHA512
e5c61deed4df89f3fcfa3671ba3ddaa9fe8ef8f32815160e51f233dd400dbc8fd19716f4e04edd482ffe0a47577bb6b627464d7c1d8156547d988b07e4013875

Download Submit
C:\ProgramData\8ad2f1a034\bween.exe

MD5
f8bdaa4de9861b0d490490deaa372625

SHA1
f72e8b2d815af12760656339adb7f9ca6f633e2a

SHA256
2f1103e99fb464143a58c654763fe9c8ea25dfa84d04cfa9a1557fcb891330f5

SHA512
e5c61deed4df89f3fcfa3671ba3ddaa9fe8ef8f32815160e51f233dd400dbc8fd19716f4e04edd482ffe0a47577bb6b627464d7c1d8156547d988b07e4013875

Download Submit
memory/416-2-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/416-3-0x00000000023D0000-0x00000000023FF000-memory.dmp

Filesize
188KB

Download
memory/416-4-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2108-11-0x0000000000000000-mapping.dmp

Download
memory/2840-5-0x0000000000000000-mapping.dmp

Download
memory/2840-8-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/3756-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing