amadey | 74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

General

Target

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
Size

336KB
MD5

53f54f7688b7becf3f68ca1ac3cb3565
SHA1

b99a8ee9253186f3a19e750e4b9a7cecedb30136
SHA256

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b
SHA512

a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Score

10^/10

amadey suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.10

C2

185.215.113.35/d2VxjasuwS_old/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Executes dropped EXE 3 IoCs

Processes:

orxds.exeorxds.exeorxds.exe

pid process

1820 orxds.exe
1680 orxds.exe
1780 orxds.exe

pid	process
1820	orxds.exe
1680	orxds.exe
1780	orxds.exe

Loads dropped DLL 2 IoCs

Processes:

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe

pid	process
1944	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
1944	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1360 schtasks.exe

pid	process
1360	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exeorxds.execmd.exetaskeng.exe

description	pid	process	target process
PID 1944 wrote to memory of 1820	1944	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1944 wrote to memory of 1820	1944	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1944 wrote to memory of 1820	1944	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1944 wrote to memory of 1820	1944	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1820 wrote to memory of 1708	1820	orxds.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	orxds.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	orxds.exe	cmd.exe
PID 1820 wrote to memory of 1708	1820	orxds.exe	cmd.exe
PID 1820 wrote to memory of 1360	1820	orxds.exe	schtasks.exe
PID 1820 wrote to memory of 1360	1820	orxds.exe	schtasks.exe
PID 1820 wrote to memory of 1360	1820	orxds.exe	schtasks.exe
PID 1820 wrote to memory of 1360	1820	orxds.exe	schtasks.exe
PID 1708 wrote to memory of 268	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 268	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 268	1708	cmd.exe	reg.exe
PID 1708 wrote to memory of 268	1708	cmd.exe	reg.exe
PID 336 wrote to memory of 1680	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1680	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1680	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1680	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1780	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1780	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1780	336	taskeng.exe	orxds.exe
PID 336 wrote to memory of 1780	336	taskeng.exe	orxds.exe

C:\Users\Admin\AppData\Local\Temp\74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
"C:\Users\Admin\AppData\Local\Temp\74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\d273120da5\
3⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\d273120da5\
4⤵
PID:268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe" /F
3⤵
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\taskeng.exe
taskeng.exe {0EE1D346-F158-441F-B3B9-0D75E9AA8711} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
2⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
2⤵
- Executes dropped EXE
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
memory/268-68-0x0000000000000000-mapping.dmp

Download
memory/1360-67-0x0000000000000000-mapping.dmp

Download
memory/1680-73-0x0000000002CDE000-0x0000000002CFC000-memory.dmp

Filesize
120KB

Download
memory/1680-74-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1680-70-0x0000000000000000-mapping.dmp

Download
memory/1708-66-0x0000000000000000-mapping.dmp

Download
memory/1780-75-0x0000000000000000-mapping.dmp

Download
memory/1780-78-0x0000000002C9E000-0x0000000002CBC000-memory.dmp

Filesize
120KB

Download
memory/1780-79-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1820-60-0x0000000000000000-mapping.dmp

Download
memory/1820-65-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1820-64-0x00000000001B0000-0x00000000001E8000-memory.dmp

Filesize
224KB

Download
memory/1820-63-0x000000000030F000-0x000000000032D000-memory.dmp

Filesize
120KB

Download
memory/1944-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1944-57-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1944-55-0x000000000028E000-0x00000000002AC000-memory.dmp

Filesize
120KB

Download
memory/1944-56-0x0000000002B70000-0x0000000002BA8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads