ed4e77ea9305aeae3b545735358b6d1b.exe

General
Target

ed4e77ea9305aeae3b545735358b6d1b.exe

Filesize

345KB

Completed

08-04-2021 07:51

Score
10/10
MD5

ed4e77ea9305aeae3b545735358b6d1b

SHA1

5aadcc89f95baf1452776f3b6a87cd2fbc89bd30

SHA256

462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6

Malware Config

Extracted

Family amadey
Version 2.14
C2

cdn12-web-security.com/gf4EdsW/index.php

shegw583reg.hopto.org/gf4EdsW/index.php

Signatures 8

Discovery
  • Amadey

    Description

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Executes dropped EXE
    Processes: brdm.exe, brdm.exe

    Reported IOCs

    pid    process
    692    brdm.exe
    1460   brdm.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    Processes: ed4e77ea9305aeae3b545735358b6d1b.exe, brdm.exe

    Description

    NtSetInformationThread with the ThreadHideFromDebugger information class stops the calling thread from reporting debug events to an attached debugger; it is a standard anti-debugging step. In this run it fires only in PIDs 2536 and 1460, the two processes that receive the injected payload (see the SetThreadContext and WriteProcessMemory rows below), not in the dropper processes 496 and 692.

    Reported IOCs

    pid    process
    2536   ed4e77ea9305aeae3b545735358b6d1b.exe (reported twice)
    1460   brdm.exe (reported twice)
  • Suspicious use of SetThreadContext
    Processes: ed4e77ea9305aeae3b545735358b6d1b.exe, brdm.exe

    Reported IOCs

    description                            pid    process                                 target process
    PID 496 set thread context of 2536     496    ed4e77ea9305aeae3b545735358b6d1b.exe    ed4e77ea9305aeae3b545735358b6d1b.exe
    PID 692 set thread context of 1460     692    brdm.exe                                brdm.exe

    In both rows the source is the parent of the target, the target runs the same image as the source, and the same parent also wrote into the target (see the WriteProcessMemory rows below). Writing into a freshly created copy of itself and then resetting that copy's thread context is the RunPE / process-hollowing pattern, so 2536 and 1460 are the processes executing the unpacked payload rather than the on-disk executable.
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but drive enumeration is also routine host fingerprinting; for an Amadey bot it is consistent with the reconnaissance collection described above, and nothing else in this report (no file encryption, no ransom note, no shadow-copy deletion) supports a ransomware classification.

    TTPs

    System Information Discovery (T1082)
  • Suspicious behavior: MapViewOfSection
    Processes: ed4e77ea9305aeae3b545735358b6d1b.exe, brdm.exe

    Reported IOCs

    pid    process
    496    ed4e77ea9305aeae3b545735358b6d1b.exe
    692    brdm.exe
  • Suspicious use of SetWindowsHookEx
    Processes: ed4e77ea9305aeae3b545735358b6d1b.exe, brdm.exe

    Reported IOCs

    pid    process
    496    ed4e77ea9305aeae3b545735358b6d1b.exe
    692    brdm.exe
  • Suspicious use of WriteProcessMemory
    Processes: ed4e77ea9305aeae3b545735358b6d1b.exe, ed4e77ea9305aeae3b545735358b6d1b.exe, brdm.exe, brdm.exe, cmd.exe

    Reported IOCs (identical rows collapsed; count = number of writes reported)

    description                          pid    process                                 target process                          count
    PID 496 wrote to memory of 2536      496    ed4e77ea9305aeae3b545735358b6d1b.exe    ed4e77ea9305aeae3b545735358b6d1b.exe    4
    PID 2536 wrote to memory of 692      2536   ed4e77ea9305aeae3b545735358b6d1b.exe    brdm.exe                                3
    PID 692 wrote to memory of 1460      692    brdm.exe                                brdm.exe                                4
    PID 1460 wrote to memory of 4008     1460   brdm.exe                                cmd.exe                                 3
    PID 4008 wrote to memory of 3128     4008   cmd.exe                                 reg.exe                                 3

    Every parent in the tree writes into its child, including cmd.exe writing into reg.exe; a parent-to-child write on its own is part of ordinary process creation (the parent pushes the child's process parameters) and is not by itself evidence of injection. The two writes that matter are 496 -> 2536 and 692 -> 1460, because they are the only ones paired with a SetThreadContext call on the same target.
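The two API tables above are easier to reason about as a graph. The Python below is an added example for this page, not sandbox output and not code from the Amadey sample: it transcribes the rows into events (repeated writes collapsed), walks the write chain from the root PID, and flags only those source/target pairs where the source both wrote into the target and set its thread context, which separates the hollowing injections from the routine parent-to-child writes that accompany process creation. The event class and function names are the example's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ApiEvent:
    api: str          # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


SAMPLE = "ed4e77ea9305aeae3b545735358b6d1b.exe"

# Rows transcribed from the two signature tables above; the 3-4 repeated
# WriteProcessMemory rows per pair are collapsed into a single event each.
REPORT_EVENTS = [
    ApiEvent("WriteProcessMemory", 496, SAMPLE, 2536, SAMPLE),
    ApiEvent("SetThreadContext", 496, SAMPLE, 2536, SAMPLE),
    ApiEvent("WriteProcessMemory", 2536, SAMPLE, 692, "brdm.exe"),
    ApiEvent("WriteProcessMemory", 692, "brdm.exe", 1460, "brdm.exe"),
    ApiEvent("SetThreadContext", 692, "brdm.exe", 1460, "brdm.exe"),
    ApiEvent("WriteProcessMemory", 1460, "brdm.exe", 4008, "cmd.exe"),
    ApiEvent("WriteProcessMemory", 4008, "cmd.exe", 3128, "reg.exe"),
]


def write_chain(events, root: int) -> List[int]:
    """PIDs reachable from `root` along WriteProcessMemory edges, parent before
    child. Since every parent in this report writes into its child, the result
    is the same ordering as the process tree."""
    children = defaultdict(list)
    for e in events:
        if e.api == "WriteProcessMemory" and e.dst_pid not in children[e.src_pid]:
            children[e.src_pid].append(e.dst_pid)
    order, seen, stack = [], set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        order.append(pid)
        stack.extend(reversed(children[pid]))
    return order


def hollowing_candidates(events) -> List[Tuple[int, int, str, bool]]:
    """(src_pid, dst_pid, dst_image, same_image) for every source/target pair
    that shows BOTH a memory write and a thread-context change. A write alone
    is what any parent does while creating a child; the pairing with
    SetThreadContext is what marks a RunPE / process-hollowing injection."""
    apis = defaultdict(set)
    images = {}
    for e in events:
        apis[(e.src_pid, e.dst_pid)].add(e.api)
        images[(e.src_pid, e.dst_pid)] = (e.src_image, e.dst_image)
    hits = []
    for (src, dst), seen in sorted(apis.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            src_img, dst_img = images[(src, dst)]
            hits.append((src, dst, dst_img, src_img.lower() == dst_img.lower()))
    return hits


if __name__ == "__main__":
    print(" -> ".join(map(str, write_chain(REPORT_EVENTS, 496))))
    for src, dst, image, same in hollowing_candidates(REPORT_EVENTS):
        kind = "self-injection (same image)" if same else "cross-image injection"
        print(f"PID {src} hollowed PID {dst} ({image}): {kind}")
```

Run on the transcribed rows it reports exactly two hollowing pairs, 496 -> 2536 and 692 -> 1460, both self-injections, and nothing for the cmd.exe and reg.exe children; the same logic maps directly onto Sysmon event IDs 8/10 or EDR telemetry where the write and the context change arrive as separate events.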
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe
    "C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: MapViewOfSection
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:496
    • C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe
      "C:\Users\Admin\AppData\Local\Temp\ed4e77ea9305aeae3b545735358b6d1b.exe"
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2536
      • C:\ProgramData\04bbb7d123\brdm.exe
        "C:\ProgramData\04bbb7d123\brdm.exe"
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:692
        • C:\ProgramData\04bbb7d123\brdm.exe
          "C:\ProgramData\04bbb7d123\brdm.exe"
          Executes dropped EXE
          Suspicious use of NtSetInformationThreadHideFromDebugger
          Suspicious use of WriteProcessMemory
          PID:1460
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\04bbb7d123\
            Suspicious use of WriteProcessMemory
            PID:4008
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\04bbb7d123\
              PID:3128
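The persistence step at the bottom of the tree is the one a defender should key on. Instead of adding a Run key, the bot rewrites the per-user Startup shell folder (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, value Startup) to point at C:\ProgramData\04bbb7d123\, so Explorer treats that directory as the Startup folder and launches brdm.exe at every logon while the real Startup folder looks untouched. (The command line names System32\cmd.exe but the process ran from SysWOW64: the 32-bit parent is subject to WoW64 file-system redirection.) The Python below is an added detection example written for this page, not the sandbox's or Amadey's code: it parses reg add command lines, reports the path the Startup folder is redirected to, and checks a User Shell Folders value against the Windows default. The first sample line is the command line from the process tree; the other lines are constructed benign cases, and the default path is the value Windows writes for a fresh profile.

```python
import re
from typing import Optional

# Default per-user Startup folder as Windows writes it under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.
DEFAULT_STARTUP = "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
USF_KEY_SUFFIX = "software\\microsoft\\windows\\currentversion\\explorer\\user shell folders"

# Expanded form of the default, for values read back from a live profile.
_EXPANDED_DEFAULT = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup$",
    re.IGNORECASE,
)


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Pull key, value name, type and data out of a `reg add` invocation,
    whether reg is called directly or via cmd.exe /C. Returns None when the
    line is not a reg add. Unquoted /d data containing spaces is truncated
    at the first space, which is also how reg.exe would read it."""
    m = re.search(r'\breg(?:\.exe)?"?\s+add\s+', cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = cmdline[m.end():]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        key, rest = rest[1:end], rest[end + 1:]
    else:
        parts = rest.split(None, 1)
        if not parts:
            return None
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    opts = {sw.lower(): val.strip('"')
            for sw, val in re.findall(r'/(v|t|d)\s+("[^"]*"|\S+)', rest, re.IGNORECASE)}
    return {"key": key, "value": opts.get("v"), "type": opts.get("t"), "data": opts.get("d")}


def startup_redirect(cmdline: str) -> Optional[str]:
    """Return the path the Startup folder is being pointed at when `cmdline`
    rewrites the Startup (per-user) or Common Startup (all-users) entry of a
    User Shell Folders key, else None."""
    r = parse_reg_add(cmdline)
    if not r or r["value"] is None or r["data"] is None:
        return None
    if not r["key"].lower().rstrip("\\").endswith(USF_KEY_SUFFIX):
        return None
    if r["value"].lower() not in ("startup", "common startup"):
        return None
    return r["data"]


def is_default_startup(value: str) -> bool:
    """True when a User Shell Folders\\Startup value still points at the
    Windows default, in either its %USERPROFILE% or its expanded form."""
    v = value.rstrip("\\")
    return v.lower() == DEFAULT_STARTUP.lower() or bool(_EXPANDED_DEFAULT.match(v))


# Line 0 is the command line from the process tree above; lines 1-3 are
# constructed benign examples (a Run-key autostart, a query, a Desktop move).
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /C REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" /f /v Startup /t REG_SZ /d C:\\ProgramData\\04bbb7d123\\',
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v OneDrive /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    'reg query "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" /v Startup',
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" /v Desktop /t REG_EXPAND_SZ /d %USERPROFILE%\\Desktop /f',
]


def scan_cmdlines(lines):
    """Return (index, redirected_path) for every line that redirects Startup."""
    hits = []
    for i, line in enumerate(lines):
        path = startup_redirect(line)
        if path is not None:
            hits.append((i, path))
    return hits


if __name__ == "__main__":
    for i, path in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"line {i}: Startup folder redirected to {path!r}")
```

Only the report's own line is flagged; the Run-key autostart, the query and the Desktop relocation pass. On a live host the complementary check is to read the Startup value from HKCU\...\User Shell Folders and feed it to is_default_startup: anything outside the user's profile, and C:\ProgramData in particular, should be treated as persistence until proven otherwise.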
Network
MITRE ATT&CK Matrix

Discovery: System Information Discovery (T1082), from the "Enumerates physical storage devices" signature.
Downloads
  • C:\ProgramData\04bbb7d123\brdm.exe

    MD5

    ed4e77ea9305aeae3b545735358b6d1b

    SHA1

    5aadcc89f95baf1452776f3b6a87cd2fbc89bd30

    SHA256

    462874360a3b4cff7c9fab2448ae25bca022253e71af71b128af502136e8b2e6

    SHA512

    4dee200e21281f63a6445c7ee9a2dec5003e6a854279b0b37cbd8121af182028e0c3f11b204c34d58bf7936ba4bd8dd936f82eac979e0081b21515797a47d641

    All four digests equal those of the submitted sample: brdm.exe is a byte-for-byte copy of the original executable placed in a ProgramData subdirectory, so the file hashes above cover both the dropper and the persisted copy.

  • C:\ProgramData\152119853632563005190890

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    These are the well-known digests of empty input, so the file at this path was zero bytes when captured. Its content carries no indicator; the observable is the creation of a numeric-named empty file directly under C:\ProgramData.

  • memory/496-116-0x0000000000A40000-0x0000000000A41000-memory.dmp
  • memory/496-118-0x0000000000A50000-0x0000000000A58000-memory.dmp
  • memory/692-121-0x0000000000000000-mapping.dmp
  • memory/692-126-0x00000000005D0000-0x00000000005D1000-memory.dmp
  • memory/1460-133-0x0000000000400000-0x0000000000436000-memory.dmp
  • memory/1460-127-0x000000000040F4EB-mapping.dmp
  • memory/1460-134-0x0000000000440000-0x000000000058A000-memory.dmp
  • memory/2536-119-0x0000000000400000-0x0000000000436000-memory.dmp
  • memory/2536-117-0x000000000040F4EB-mapping.dmp
  • memory/2536-120-0x0000000002020000-0x0000000002021000-memory.dmp
  • memory/3128-131-0x0000000000000000-mapping.dmp
  • memory/4008-130-0x0000000000000000-mapping.dmp

    The mapping dumps for PIDs 2536 and 1460 are both taken at 0x40F4EB, inside the 0x400000-0x436000 image region dumped from each of those processes; the identical entry address in the two injected copies lines up with the SetThreadContext rows (496 -> 2536, 692 -> 1460). That image region is 0x36000 bytes, smaller than the 345KB file on disk, which is consistent with a packed dropper staging an unpacked inner payload. The mapping dumps at address 0 for 692, 3128 and 4008 are consistent with plain process creation and no redirected entry point. The 0x400000-0x436000 dumps from 2536 and 1460 are the ones to carve for the unpacked Amadey payload and its embedded configuration.