amadey | c5e41abe14036a3331b4bd9e3bb24be2424439a8030b8dfbe1a61a3da6482573

Analysis

max time kernel
151s
max time network
179s
platform
windows7_x64
resource
win7v20210408
submitted
29-09-2021 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a26595e04bbad90731a04c1195c34d92.exe
Size

1.4MB
MD5

a26595e04bbad90731a04c1195c34d92
SHA1

0b295fa12e6bd596ba0071a58370966c6a4551c3
SHA256

c5e41abe14036a3331b4bd9e3bb24be2424439a8030b8dfbe1a61a3da6482573
SHA512

ad8682d0772bc0668fde3d7818a180b64da892e9c687332a960efa8c7ed5bdb12b5a1286d833c145c667d25373a7001ae320d24034c1f1fd089a1e1a273ff934

Score

10^/10

amadey suricata trojan

Malware Config

Extracted

Family

amadey

Version

2.61

185.215.113.33/hBF6ds2D/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata

Executes dropped EXE 8 IoCs

pid	Process
1524	sqtvvs.exe
464	sqtvvs.exe
1844	sqtvvs.exe
1068	sqtvvs.exe
1516	sqtvvs.exe
1528	sqtvvs.exe
1764	sqtvvs.exe
820	sqtvvs.exe

Loads dropped DLL 6 IoCs

pid	Process
1824	a26595e04bbad90731a04c1195c34d92.exe
1824	a26595e04bbad90731a04c1195c34d92.exe
1524	sqtvvs.exe
1844	sqtvvs.exe
1516	sqtvvs.exe
1764	sqtvvs.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1524 set thread context of 464	1524	sqtvvs.exe	29
PID 1844 set thread context of 1068	1844	sqtvvs.exe	39
PID 1516 set thread context of 1528	1516	sqtvvs.exe	41
PID 1764 set thread context of 820	1764	sqtvvs.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1852	schtasks.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1828 wrote to memory of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1828 wrote to memory of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1828 wrote to memory of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1828 wrote to memory of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1828 wrote to memory of 1824	1828	a26595e04bbad90731a04c1195c34d92.exe	25
PID 1824 wrote to memory of 1524	1824	a26595e04bbad90731a04c1195c34d92.exe	26
PID 1824 wrote to memory of 1524	1824	a26595e04bbad90731a04c1195c34d92.exe	26
PID 1824 wrote to memory of 1524	1824	a26595e04bbad90731a04c1195c34d92.exe	26
PID 1824 wrote to memory of 1524	1824	a26595e04bbad90731a04c1195c34d92.exe	26
PID 1524 wrote to memory of 464	1524	sqtvvs.exe	29
PID 1524 wrote to memory of 464	1524	sqtvvs.exe	29
PID 1524 wrote to memory of 464	1524	sqtvvs.exe	29
PID 1524 wrote to memory of 464	1524	sqtvvs.exe	29
PID 1524 wrote to memory of 464	1524	sqtvvs.exe	29
PID 1524 wrote to memory of 464	1524	sqtvvs.exe	29
PID 464 wrote to memory of 1504	464	sqtvvs.exe	30
PID 464 wrote to memory of 1504	464	sqtvvs.exe	30
PID 464 wrote to memory of 1504	464	sqtvvs.exe	30
PID 464 wrote to memory of 1504	464	sqtvvs.exe	30
PID 464 wrote to memory of 1852	464	sqtvvs.exe	32
PID 464 wrote to memory of 1852	464	sqtvvs.exe	32
PID 464 wrote to memory of 1852	464	sqtvvs.exe	32
PID 464 wrote to memory of 1852	464	sqtvvs.exe	32
PID 1504 wrote to memory of 1860	1504	cmd.exe	34
PID 1504 wrote to memory of 1860	1504	cmd.exe	34
PID 1504 wrote to memory of 1860	1504	cmd.exe	34
PID 1504 wrote to memory of 1860	1504	cmd.exe	34
PID 784 wrote to memory of 1844	784	taskeng.exe	38
PID 784 wrote to memory of 1844	784	taskeng.exe	38
PID 784 wrote to memory of 1844	784	taskeng.exe	38
PID 784 wrote to memory of 1844	784	taskeng.exe	38
PID 1844 wrote to memory of 1068	1844	sqtvvs.exe	39
PID 1844 wrote to memory of 1068	1844	sqtvvs.exe	39
PID 1844 wrote to memory of 1068	1844	sqtvvs.exe	39
PID 1844 wrote to memory of 1068	1844	sqtvvs.exe	39
PID 1844 wrote to memory of 1068	1844	sqtvvs.exe	39
PID 1844 wrote to memory of 1068	1844	sqtvvs.exe	39
PID 784 wrote to memory of 1516	784	taskeng.exe	40
PID 784 wrote to memory of 1516	784	taskeng.exe	40
PID 784 wrote to memory of 1516	784	taskeng.exe	40
PID 784 wrote to memory of 1516	784	taskeng.exe	40
PID 1516 wrote to memory of 1528	1516	sqtvvs.exe	41
PID 1516 wrote to memory of 1528	1516	sqtvvs.exe	41
PID 1516 wrote to memory of 1528	1516	sqtvvs.exe	41
PID 1516 wrote to memory of 1528	1516	sqtvvs.exe	41
PID 1516 wrote to memory of 1528	1516	sqtvvs.exe	41
PID 1516 wrote to memory of 1528	1516	sqtvvs.exe	41
PID 784 wrote to memory of 1764	784	taskeng.exe	44
PID 784 wrote to memory of 1764	784	taskeng.exe	44
PID 784 wrote to memory of 1764	784	taskeng.exe	44
PID 784 wrote to memory of 1764	784	taskeng.exe	44
PID 1764 wrote to memory of 820	1764	sqtvvs.exe	45
PID 1764 wrote to memory of 820	1764	sqtvvs.exe	45
PID 1764 wrote to memory of 820	1764	sqtvvs.exe	45
PID 1764 wrote to memory of 820	1764	sqtvvs.exe	45
PID 1764 wrote to memory of 820	1764	sqtvvs.exe	45
PID 1764 wrote to memory of 820	1764	sqtvvs.exe	45

C:\Users\Admin\AppData\Local\Temp\a26595e04bbad90731a04c1195c34d92.exe
"C:\Users\Admin\AppData\Local\Temp\a26595e04bbad90731a04c1195c34d92.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Users\Admin\AppData\Local\Temp\a26595e04bbad90731a04c1195c34d92.exe
  "C:\Users\Admin\AppData\Local\Temp\a26595e04bbad90731a04c1195c34d92.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    "C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
      "C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\7ac441486f\
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\7ac441486f\
        6⤵
        
        PID:1860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {511B91C2-23E9-435C-BD3C-517743D021CA} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    3⤵
    - Executes dropped EXE
    PID:1068
- C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    3⤵
    - Executes dropped EXE
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\7ac441486f\sqtvvs.exe
    3⤵
    - Executes dropped EXE
    PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/464-77-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-60-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1824-62-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads