amadey | 9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

Analysis

max time kernel
109s
max time network
78s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-06-2022 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe
Size

250KB
MD5

b58edea3459e74011c931739ad7345f3
SHA1

6b11a3c10e081dd63201abbf65bacb206e054240
SHA256

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad
SHA512

ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Score

10^/10

amadey suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.21

antispam-screen.com/fjgD555c3/index.php

soul-kissed.org/fjgD555c3/index.php

rupeika.info/fjgD555c3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

Processes:

bguuwe.exebguuwe.exebguuwe.exe

pid	Process
1012	bguuwe.exe
1512	bguuwe.exe
1624	bguuwe.exe

Loads dropped DLL 4 IoCs

Processes:

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exeWerFault.exe

pid	Process
2024	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe
1180	WerFault.exe
1180	WerFault.exe
1180	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1180	1012	WerFault.exe	27

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1300	schtasks.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exebguuwe.execmd.exetaskeng.exe

description	pid	Process	procid_target
PID 2024 wrote to memory of 1012	2024	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	27
PID 2024 wrote to memory of 1012	2024	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	27
PID 2024 wrote to memory of 1012	2024	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	27
PID 2024 wrote to memory of 1012	2024	9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe	27
PID 1012 wrote to memory of 1684	1012	bguuwe.exe	28
PID 1012 wrote to memory of 1684	1012	bguuwe.exe	28
PID 1012 wrote to memory of 1684	1012	bguuwe.exe	28
PID 1012 wrote to memory of 1684	1012	bguuwe.exe	28
PID 1012 wrote to memory of 1300	1012	bguuwe.exe	30
PID 1012 wrote to memory of 1300	1012	bguuwe.exe	30
PID 1012 wrote to memory of 1300	1012	bguuwe.exe	30
PID 1012 wrote to memory of 1300	1012	bguuwe.exe	30
PID 1684 wrote to memory of 1152	1684	cmd.exe	32
PID 1684 wrote to memory of 1152	1684	cmd.exe	32
PID 1684 wrote to memory of 1152	1684	cmd.exe	32
PID 1684 wrote to memory of 1152	1684	cmd.exe	32
PID 1012 wrote to memory of 1180	1012	bguuwe.exe	35
PID 1012 wrote to memory of 1180	1012	bguuwe.exe	35
PID 1012 wrote to memory of 1180	1012	bguuwe.exe	35
PID 1012 wrote to memory of 1180	1012	bguuwe.exe	35
PID 804 wrote to memory of 1512	804	taskeng.exe	37
PID 804 wrote to memory of 1512	804	taskeng.exe	37
PID 804 wrote to memory of 1512	804	taskeng.exe	37
PID 804 wrote to memory of 1512	804	taskeng.exe	37
PID 804 wrote to memory of 1624	804	taskeng.exe	38
PID 804 wrote to memory of 1624	804	taskeng.exe	38
PID 804 wrote to memory of 1624	804	taskeng.exe	38
PID 804 wrote to memory of 1624	804	taskeng.exe	38

C:\Users\Admin\AppData\Local\Temp\9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe
"C:\Users\Admin\AppData\Local\Temp\9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
  "C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\74480db1f5\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\74480db1f5\
      4⤵
      PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1020
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1180

C:\Windows\system32\taskeng.exe
taskeng.exe {695D2647-FCDE-4D24-AE71-A8ED1CD9F882} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
  C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
  C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe
  2⤵
  - Executes dropped EXE
  PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
C:\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
\Users\Admin\AppData\Local\Temp\74480db1f5\bguuwe.exe

Filesize
250KB

MD5
b58edea3459e74011c931739ad7345f3

SHA1
6b11a3c10e081dd63201abbf65bacb206e054240

SHA256
9ec768096c47d40c016a474b8b6dfec950673dfde82fcbd1a0c08dc0318b44ad

SHA512
ff781b5c94e92fcd06e84958cefd5ad63db0f0db1ff7fe02ec23a95fcf70ebbb04cec7a6e790b334050efbf2296b6cb3e1c6b619fe39a1f17227a298e2c6c132

Download Submit
memory/1012-56-0x0000000000000000-mapping.dmp

Download
memory/1152-62-0x0000000000000000-mapping.dmp

Download
memory/1180-63-0x0000000000000000-mapping.dmp

Download
memory/1300-60-0x0000000000000000-mapping.dmp

Download
memory/1512-67-0x0000000000000000-mapping.dmp

Download
memory/1624-70-0x0000000000000000-mapping.dmp

Download
memory/1684-59-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download