amadey | 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

General

Target

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Size

218KB
MD5

a9c62f3c2b7bf88433746c06a7196a92
SHA1

020c23eb4a3a4df8c6c1e5450127fa9383095378
SHA256

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
SHA512

342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.08

C2

190.123.44.195/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

ftewk.exeftewk.exeftewk.exe

pid process

5044 ftewk.exe
3736 ftewk.exe
944 ftewk.exe

pid	process
5044	ftewk.exe
3736	ftewk.exe
944	ftewk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exeftewk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ftewk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2104 schtasks.exe

pid	process
2104	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exeftewk.execmd.exe

description	pid	process	target process
PID 1032 wrote to memory of 5044	1032	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1032 wrote to memory of 5044	1032	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 1032 wrote to memory of 5044	1032	4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe	ftewk.exe
PID 5044 wrote to memory of 4816	5044	ftewk.exe	cmd.exe
PID 5044 wrote to memory of 4816	5044	ftewk.exe	cmd.exe
PID 5044 wrote to memory of 4816	5044	ftewk.exe	cmd.exe
PID 5044 wrote to memory of 2104	5044	ftewk.exe	schtasks.exe
PID 5044 wrote to memory of 2104	5044	ftewk.exe	schtasks.exe
PID 5044 wrote to memory of 2104	5044	ftewk.exe	schtasks.exe
PID 4816 wrote to memory of 3748	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 3748	4816	cmd.exe	reg.exe
PID 4816 wrote to memory of 3748	4816	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
"C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
3⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
4⤵
PID:3748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:2104

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
1⤵
- Executes dropped EXE
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
Filesize
218KB

MD5
a9c62f3c2b7bf88433746c06a7196a92

SHA1
020c23eb4a3a4df8c6c1e5450127fa9383095378

SHA256
4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7

SHA512
342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80

Download Submit
memory/2104-134-0x0000000000000000-mapping.dmp

Download
memory/3748-135-0x0000000000000000-mapping.dmp

Download
memory/4816-133-0x0000000000000000-mapping.dmp

Download
memory/5044-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads