amadey | abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2

General

Target

CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
Size

174KB
MD5

72060693e5ebcbab80d41cf905ba4025
SHA1

84e128e1af6b133a8ba837f65cf4682ee4ca6066
SHA256

abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2
SHA512

fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.11

C2

176.111.174.67/7Ndd3SnW/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

rween.exe

pid process

1740 rween.exe

pid	process
1740	rween.exe

Loads dropped DLL 2 IoCs

Processes:

CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe

pid	process
340	CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
340	CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exerween.execmd.exe

description	pid	process	target process
PID 340 wrote to memory of 1740	340	CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe	rween.exe
PID 340 wrote to memory of 1740	340	CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe	rween.exe
PID 340 wrote to memory of 1740	340	CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe	rween.exe
PID 340 wrote to memory of 1740	340	CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe	rween.exe
PID 1740 wrote to memory of 1200	1740	rween.exe	cmd.exe
PID 1740 wrote to memory of 1200	1740	rween.exe	cmd.exe
PID 1740 wrote to memory of 1200	1740	rween.exe	cmd.exe
PID 1740 wrote to memory of 1200	1740	rween.exe	cmd.exe
PID 1200 wrote to memory of 1428	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 1428	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 1428	1200	cmd.exe	reg.exe
PID 1200 wrote to memory of 1428	1200	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRASEÑA544473415875315595728114914651743403766443087756259262775331427969255920220117852978145.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340

C:\ProgramData\011ab573a3\rween.exe
"C:\ProgramData\011ab573a3\rween.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
3⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\
4⤵
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\011ab573a3\rween.exe
MD5
72060693e5ebcbab80d41cf905ba4025

SHA1
84e128e1af6b133a8ba837f65cf4682ee4ca6066

SHA256
abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2

SHA512
fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741

Download Submit
C:\ProgramData\152124553523681077083310
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\011ab573a3\rween.exe
MD5
72060693e5ebcbab80d41cf905ba4025

SHA1
84e128e1af6b133a8ba837f65cf4682ee4ca6066

SHA256
abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2

SHA512
fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741

Download Submit
\ProgramData\011ab573a3\rween.exe
MD5
72060693e5ebcbab80d41cf905ba4025

SHA1
84e128e1af6b133a8ba837f65cf4682ee4ca6066

SHA256
abd47e708b483c496d4485e6b05d542932d01953b8d0177712c33fb9f8d20bd2

SHA512
fda3208ff67f66b0495faa3054addcc10e5398fa75670171ffacae86797a4463e4b0aef05990578798c63fca97c9545f1225d854ace96606838a28ebbd424741

Download Submit
memory/340-59-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/340-64-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/340-65-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download
memory/1200-70-0x0000000000000000-mapping.dmp

Download
memory/1428-71-0x0000000000000000-mapping.dmp

Download
memory/1740-62-0x0000000000000000-mapping.dmp

Download
memory/1740-69-0x0000000000400000-0x0000000002B9B000-memory.dmp

Filesize
39.6MB

Download

Analysis

Sharing