amadey | d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7

General

Target

D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe
Size

222KB
MD5

ad6cf8a4d980c85d0e357003068a74c0
SHA1

09fa60806d733bbfa6088708e9efb9c70abbd962
SHA256

d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7
SHA512

1ba27b4428f43bdfd7bd0579314433caff594b2bb546c875c8f6ab07aa22fdff574a140b6f936fcef1e752bc34d1b725f3a263d7ed29c5fc04840c1be6d9d528
SSDEEP

6144:ViZ0VevyvkENll/Iy9QAt3oC8ugJrDKNrO+L:IXEiy9tCugJrDKT

Score

10^/10

amadey trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
596	wfyoot.exe
284	wfyoot.exe
1944	wfyoot.exe

Loads dropped DLL 1 IoCs

pid	Process
944	D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1960	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 596	944	D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe	27
PID 944 wrote to memory of 596	944	D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe	27
PID 944 wrote to memory of 596	944	D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe	27
PID 944 wrote to memory of 596	944	D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe	27
PID 596 wrote to memory of 1960	596	wfyoot.exe	28
PID 596 wrote to memory of 1960	596	wfyoot.exe	28
PID 596 wrote to memory of 1960	596	wfyoot.exe	28
PID 596 wrote to memory of 1960	596	wfyoot.exe	28
PID 1660 wrote to memory of 284	1660	taskeng.exe	33
PID 1660 wrote to memory of 284	1660	taskeng.exe	33
PID 1660 wrote to memory of 284	1660	taskeng.exe	33
PID 1660 wrote to memory of 284	1660	taskeng.exe	33
PID 1660 wrote to memory of 1944	1660	taskeng.exe	35
PID 1660 wrote to memory of 1944	1660	taskeng.exe	35
PID 1660 wrote to memory of 1944	1660	taskeng.exe	35
PID 1660 wrote to memory of 1944	1660	taskeng.exe	35

C:\Users\Admin\AppData\Local\Temp\D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe
"C:\Users\Admin\AppData\Local\Temp\D8CF6C04EF24DAE0E6292747296741CEC4AE6849EC5EE.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe
  "C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN wfyoot.exe /TR "C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1960

C:\Windows\system32\taskeng.exe
taskeng.exe {8CD4C018-D180-49FE-A692-ABE1B60E93C4} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe
  C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe
  2⤵
  - Executes dropped EXE
  PID:284
- C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe
  C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe
  2⤵
  - Executes dropped EXE
  PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe

Filesize
222KB

MD5
ad6cf8a4d980c85d0e357003068a74c0

SHA1
09fa60806d733bbfa6088708e9efb9c70abbd962

SHA256
d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7

SHA512
1ba27b4428f43bdfd7bd0579314433caff594b2bb546c875c8f6ab07aa22fdff574a140b6f936fcef1e752bc34d1b725f3a263d7ed29c5fc04840c1be6d9d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe

Filesize
222KB

MD5
ad6cf8a4d980c85d0e357003068a74c0

SHA1
09fa60806d733bbfa6088708e9efb9c70abbd962

SHA256
d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7

SHA512
1ba27b4428f43bdfd7bd0579314433caff594b2bb546c875c8f6ab07aa22fdff574a140b6f936fcef1e752bc34d1b725f3a263d7ed29c5fc04840c1be6d9d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe

Filesize
222KB

MD5
ad6cf8a4d980c85d0e357003068a74c0

SHA1
09fa60806d733bbfa6088708e9efb9c70abbd962

SHA256
d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7

SHA512
1ba27b4428f43bdfd7bd0579314433caff594b2bb546c875c8f6ab07aa22fdff574a140b6f936fcef1e752bc34d1b725f3a263d7ed29c5fc04840c1be6d9d528

Download Submit
C:\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe

Filesize
222KB

MD5
ad6cf8a4d980c85d0e357003068a74c0

SHA1
09fa60806d733bbfa6088708e9efb9c70abbd962

SHA256
d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7

SHA512
1ba27b4428f43bdfd7bd0579314433caff594b2bb546c875c8f6ab07aa22fdff574a140b6f936fcef1e752bc34d1b725f3a263d7ed29c5fc04840c1be6d9d528

Download Submit
\Users\Admin\AppData\Local\Temp\358fd4ed64\wfyoot.exe

Filesize
222KB

MD5
ad6cf8a4d980c85d0e357003068a74c0

SHA1
09fa60806d733bbfa6088708e9efb9c70abbd962

SHA256
d8cf6c04ef24dae0e6292747296741cec4ae6849ec5ee3be112cd79c8d9757c7

SHA512
1ba27b4428f43bdfd7bd0579314433caff594b2bb546c875c8f6ab07aa22fdff574a140b6f936fcef1e752bc34d1b725f3a263d7ed29c5fc04840c1be6d9d528

Download Submit
memory/944-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads