amadey | 90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

General

Target

90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe
Size

302KB
MD5

a359f00c1f48a7d4bb1eb05ad9a2fe3f
SHA1

053733b31efcab28d6548a9edbf03e963b43b18c
SHA256

90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3
SHA512

a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.05

C2

wecrack.su/fkwdoXScn2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exe

pid process

828 ftewk.exe
1044 ftewk.exe
1536 ftewk.exe
1980 ftewk.exe

pid	process
828	ftewk.exe
1044	ftewk.exe
1536	ftewk.exe
1980	ftewk.exe

Loads dropped DLL 2 IoCs

Processes:

90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe

pid	process
1400	90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe
1400	90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1628 schtasks.exe

pid	process
1628	schtasks.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exeftewk.execmd.exetaskeng.exe

description	pid	process	target process
PID 1400 wrote to memory of 828	1400	90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe	ftewk.exe
PID 1400 wrote to memory of 828	1400	90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe	ftewk.exe
PID 1400 wrote to memory of 828	1400	90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe	ftewk.exe
PID 1400 wrote to memory of 828	1400	90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe	ftewk.exe
PID 828 wrote to memory of 904	828	ftewk.exe	cmd.exe
PID 828 wrote to memory of 904	828	ftewk.exe	cmd.exe
PID 828 wrote to memory of 904	828	ftewk.exe	cmd.exe
PID 828 wrote to memory of 904	828	ftewk.exe	cmd.exe
PID 828 wrote to memory of 1628	828	ftewk.exe	schtasks.exe
PID 828 wrote to memory of 1628	828	ftewk.exe	schtasks.exe
PID 828 wrote to memory of 1628	828	ftewk.exe	schtasks.exe
PID 828 wrote to memory of 1628	828	ftewk.exe	schtasks.exe
PID 904 wrote to memory of 1704	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1704	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1704	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1704	904	cmd.exe	reg.exe
PID 1556 wrote to memory of 1044	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1044	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1044	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1044	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1536	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1536	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1536	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1536	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1980	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1980	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1980	1556	taskeng.exe	ftewk.exe
PID 1556 wrote to memory of 1980	1556	taskeng.exe	ftewk.exe

C:\Users\Admin\AppData\Local\Temp\90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe
"C:\Users\Admin\AppData\Local\Temp\90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\
3⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\
4⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\taskeng.exe
taskeng.exe {E18C7E20-2427-456D-893B-6B347A33BB10} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
2⤵
- Executes dropped EXE
PID:1044

C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
2⤵
- Executes dropped EXE
PID:1536

C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
2⤵
- Executes dropped EXE
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
C:\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
\Users\Admin\AppData\Local\Temp\4056a6ad6e\ftewk.exe
Filesize
302KB

MD5
a359f00c1f48a7d4bb1eb05ad9a2fe3f

SHA1
053733b31efcab28d6548a9edbf03e963b43b18c

SHA256
90cc787870f37ff7bd617976d253b613eab4fcbe65fb31cf3890efeb6636d9d3

SHA512
a2e3731c3e80e890e768a18fc8ca4a9c40b1486b4f1729b32d36df7870885c5da36942f1c0a0c3c0187b8404d1c3fcab8a61e620bf3717e7fe9f7bcc343c6542

Download Submit
memory/828-60-0x0000000000000000-mapping.dmp

Download
memory/828-63-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/828-64-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/904-65-0x0000000000000000-mapping.dmp

Download
memory/1044-69-0x0000000000000000-mapping.dmp

Download
memory/1044-72-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/1400-55-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/1400-56-0x0000000000800000-0x0000000000838000-memory.dmp

Filesize
224KB

Download
memory/1400-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1400-57-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/1536-73-0x0000000000000000-mapping.dmp

Download
memory/1536-76-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download
memory/1628-66-0x0000000000000000-mapping.dmp

Download
memory/1704-67-0x0000000000000000-mapping.dmp

Download
memory/1980-77-0x0000000000000000-mapping.dmp

Download
memory/1980-80-0x0000000000400000-0x0000000000664000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads