amadey | 72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5

General

Target

72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exe
Size

398KB
MD5

f6be182d94ecfa6172e27d254444e88f
SHA1

29ed9fb88e923b23c5d1be6e7171fbfdf63ffe31
SHA256

72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5
SHA512

2145c9831c5b30649a17bd343f2ceeddbcda4d1175b3b2d318482f9c4eaf09549e747c527eee69233a5d9f6bc195bbef98bd2f90bf1a7d53a66f1146a045f06f

Score

10^/10

amadey suricata trojan

Malware Config

Extracted

Family

amadey

Version

2.70

C2

185.215.113.45/g4MbvE/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Executes dropped EXE 1 IoCs

Processes:

sqtvvs.exe

pid process

2236 sqtvvs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

592 schtasks.exe

pid	process
2236	sqtvvs.exe

pid	process
592	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exesqtvvs.execmd.exe

description	pid	process	target process
PID 3476 wrote to memory of 2236	3476	72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exe	sqtvvs.exe
PID 3476 wrote to memory of 2236	3476	72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exe	sqtvvs.exe
PID 3476 wrote to memory of 2236	3476	72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exe	sqtvvs.exe
PID 2236 wrote to memory of 1168	2236	sqtvvs.exe	cmd.exe
PID 2236 wrote to memory of 1168	2236	sqtvvs.exe	cmd.exe
PID 2236 wrote to memory of 1168	2236	sqtvvs.exe	cmd.exe
PID 2236 wrote to memory of 592	2236	sqtvvs.exe	schtasks.exe
PID 2236 wrote to memory of 592	2236	sqtvvs.exe	schtasks.exe
PID 2236 wrote to memory of 592	2236	sqtvvs.exe	schtasks.exe
PID 1168 wrote to memory of 2424	1168	cmd.exe	reg.exe
PID 1168 wrote to memory of 2424	1168	cmd.exe	reg.exe
PID 1168 wrote to memory of 2424	1168	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exe
"C:\Users\Admin\AppData\Local\Temp\72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
3⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
4⤵
PID:2424

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
3⤵
- Creates scheduled task(s)
PID:592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\15212481030822282825
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
f6be182d94ecfa6172e27d254444e88f

SHA1
29ed9fb88e923b23c5d1be6e7171fbfdf63ffe31

SHA256
72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5

SHA512
2145c9831c5b30649a17bd343f2ceeddbcda4d1175b3b2d318482f9c4eaf09549e747c527eee69233a5d9f6bc195bbef98bd2f90bf1a7d53a66f1146a045f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
MD5
f6be182d94ecfa6172e27d254444e88f

SHA1
29ed9fb88e923b23c5d1be6e7171fbfdf63ffe31

SHA256
72691413d7d918f8064667bd71ac58a8e53244a137670353f66a727b5cc456d5

SHA512
2145c9831c5b30649a17bd343f2ceeddbcda4d1175b3b2d318482f9c4eaf09549e747c527eee69233a5d9f6bc195bbef98bd2f90bf1a7d53a66f1146a045f06f

Download Submit
memory/592-122-0x0000000000000000-mapping.dmp

Download
memory/1168-121-0x0000000000000000-mapping.dmp

Download
memory/2236-117-0x0000000000000000-mapping.dmp

Download
memory/2236-124-0x0000000002100000-0x0000000002158000-memory.dmp

Filesize
352KB

Download
memory/2424-123-0x0000000000000000-mapping.dmp

Download
memory/3476-115-0x0000000000A10000-0x0000000000A68000-memory.dmp

Filesize
352KB

Download
memory/3476-116-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads