amadey | 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

General

Target

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Size

218KB
MD5

a9c62f3c2b7bf88433746c06a7196a92
SHA1

020c23eb4a3a4df8c6c1e5450127fa9383095378
SHA256

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
SHA512

342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.08

C2

190.123.44.195/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exe

pid process

1736 ftewk.exe
1876 ftewk.exe
536 ftewk.exe
928 ftewk.exe
Loads dropped DLL 1 IoCs

Processes:

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe

pid process

1108 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1156 schtasks.exe

pid	process
1736	ftewk.exe
1876	ftewk.exe
536	ftewk.exe
928	ftewk.exe

pid	process
1108	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe

pid	process
1156	schtasks.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exeftewk.execmd.exetaskeng.exe

description	pid	process	target process
PID 1108 wrote to memory of 1736	1108	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1108 wrote to memory of 1736	1108	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1108 wrote to memory of 1736	1108	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1108 wrote to memory of 1736	1108	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1736 wrote to memory of 1704	1736	ftewk.exe	cmd.exe
PID 1736 wrote to memory of 1704	1736	ftewk.exe	cmd.exe
PID 1736 wrote to memory of 1704	1736	ftewk.exe	cmd.exe
PID 1736 wrote to memory of 1704	1736	ftewk.exe	cmd.exe
PID 1736 wrote to memory of 1156	1736	ftewk.exe	schtasks.exe
PID 1736 wrote to memory of 1156	1736	ftewk.exe	schtasks.exe
PID 1736 wrote to memory of 1156	1736	ftewk.exe	schtasks.exe
PID 1736 wrote to memory of 1156	1736	ftewk.exe	schtasks.exe
PID 1704 wrote to memory of 2004	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 2004	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 2004	1704	cmd.exe	reg.exe
PID 1704 wrote to memory of 2004	1704	cmd.exe	reg.exe
PID 1136 wrote to memory of 1876	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 1876	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 1876	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 1876	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 536	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 536	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 536	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 536	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 928	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 928	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 928	1136	taskeng.exe	ftewk.exe
PID 1136 wrote to memory of 928	1136	taskeng.exe	ftewk.exe

C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
"C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
3⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
4⤵
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\taskeng.exe
taskeng.exe {FDDC052F-DDD0-4659-96B2-E4BDA79DE8BA} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
2⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
2⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
2⤵
- Executes dropped EXE
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
200KB

MD5
0efd430b3eb7104519c0f97c9b223ce9

SHA1
cd889ae784060a4c23bd91d12ef128d7a87b70fa

SHA256
32f5f6aa3c50ac245168771a7039080f983c43eb44eb954921dddb6bdda89ff4

SHA512
a6e6d5a4102423c9870b2609b438164ce2f45adc4a17119927d1a9bd467252bcb598a6539fd60fddffa871b36c5644a50bb8f92d9ceac09b02e45f548d306a5e

Download Submit
\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
memory/536-66-0x0000000000000000-mapping.dmp

Download
memory/928-69-0x0000000000000000-mapping.dmp

Download
memory/1108-54-0x0000000076431000-0x0000000076433000-memory.dmp

Filesize
8KB

Download
memory/1156-60-0x0000000000000000-mapping.dmp

Download
memory/1704-59-0x0000000000000000-mapping.dmp

Download
memory/1736-56-0x0000000000000000-mapping.dmp

Download
memory/1876-63-0x0000000000000000-mapping.dmp

Download
memory/2004-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads