amadey | 7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

General

Target

2e0d574bf00170bb5a448510c2226408.exe
Size

1021KB
MD5

2e0d574bf00170bb5a448510c2226408
SHA1

05c599f0ffc3a7474a51ecbda9de51f8dce0ba62
SHA256

7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966
SHA512

7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

2.15

C2

185.215.113.49/fT5G42s/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

jmgas.exe

pid process

2400 jmgas.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe

description pid process target process

PID 2204 set thread context of 3960 2204 2e0d574bf00170bb5a448510c2226408.exe 2e0d574bf00170bb5a448510c2226408.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2400	jmgas.exe

description	pid	process	target process
PID 2204 set thread context of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

pid	process
2204	2e0d574bf00170bb5a448510c2226408.exe
2204	2e0d574bf00170bb5a448510c2226408.exe
2204	2e0d574bf00170bb5a448510c2226408.exe
2204	2e0d574bf00170bb5a448510c2226408.exe
2204	2e0d574bf00170bb5a448510c2226408.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2204 2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege 4076 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2204	2e0d574bf00170bb5a448510c2226408.exe
Token: SeDebugPrivilege	4076	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

2e0d574bf00170bb5a448510c2226408.exe2e0d574bf00170bb5a448510c2226408.exe

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe
"C:\Users\Admin\AppData\Local\Temp\2e0d574bf00170bb5a448510c2226408.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\ProgramData\c3a72be100\jmgas.exe
"C:\ProgramData\c3a72be100\jmgas.exe"
3⤵
- Executes dropped EXE
PID:2400

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
C:\ProgramData\c3a72be100\jmgas.exe
MD5
2e0d574bf00170bb5a448510c2226408

SHA1
05c599f0ffc3a7474a51ecbda9de51f8dce0ba62

SHA256
7110725acbacccb5dc022fc2eb1b1b7c9e30f2a6b24ef77abfed8cea3d297966

SHA512
7363d04e59ba5c2c1c5765d56e6656294847c3115e4caf37340d9b65fe3025bd26e113fedfca4661c69d9fb90b1021dfb81ba204289330f2782203b46c00c505

Download Submit
memory/2204-123-0x0000000005B40000-0x0000000005BAE000-memory.dmp

Filesize
440KB

Download
memory/2204-119-0x0000000004E80000-0x0000000004E81000-memory.dmp

Filesize
4KB

Download
memory/2204-121-0x0000000004F50000-0x0000000004F5C000-memory.dmp

Filesize
48KB

Download
memory/2204-122-0x0000000004F40000-0x000000000543E000-memory.dmp

Filesize
5.0MB

Download
memory/2204-114-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2204-124-0x00000000053F0000-0x0000000005427000-memory.dmp

Filesize
220KB

Download
memory/2204-120-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2204-118-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2204-116-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/2204-117-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/2400-130-0x0000000000000000-mapping.dmp

Download
memory/2400-145-0x00000000055A0000-0x0000000005A9E000-memory.dmp

Filesize
5.0MB

Download
memory/3960-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3960-141-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3960-127-0x000000000040F0BB-mapping.dmp

Download
memory/4076-150-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/4076-151-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/4076-143-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/4076-133-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4076-138-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/4076-147-0x0000000007670000-0x0000000007671000-memory.dmp

Filesize
4KB

Download
memory/4076-148-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/4076-149-0x0000000008130000-0x0000000008131000-memory.dmp

Filesize
4KB

Download
memory/4076-144-0x0000000004BD2000-0x0000000004BD3000-memory.dmp

Filesize
4KB

Download
memory/4076-125-0x0000000000000000-mapping.dmp

Download
memory/4076-152-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/4076-153-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/4076-161-0x00000000096E0000-0x0000000009713000-memory.dmp

Filesize
204KB

Download
memory/4076-168-0x00000000094A0000-0x00000000094A1000-memory.dmp

Filesize
4KB

Download
memory/4076-173-0x0000000009810000-0x0000000009811000-memory.dmp

Filesize
4KB

Download
memory/4076-174-0x000000007EA20000-0x000000007EA21000-memory.dmp

Filesize
4KB

Download
memory/4076-175-0x00000000099D0000-0x00000000099D1000-memory.dmp

Filesize
4KB

Download
memory/4076-189-0x0000000004BD3000-0x0000000004BD4000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 2204 wrote to memory of 4076	2204	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 2204 wrote to memory of 4076	2204	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 2204 wrote to memory of 4076	2204	2e0d574bf00170bb5a448510c2226408.exe	powershell.exe
PID 2204 wrote to memory of 1504	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 1504	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 1504	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 2204 wrote to memory of 3960	2204	2e0d574bf00170bb5a448510c2226408.exe	2e0d574bf00170bb5a448510c2226408.exe
PID 3960 wrote to memory of 2400	3960	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 3960 wrote to memory of 2400	3960	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe
PID 3960 wrote to memory of 2400	3960	2e0d574bf00170bb5a448510c2226408.exe	jmgas.exe

Analysis

Sharing