amadey | 773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b

Analysis

max time kernel
18s
max time network
101s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-11-2022 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

259KB
MD5

c6fbed69bf7f6a50dd27c2e4b5dc3607
SHA1

90e5b712608e74b31b7b99ce9b75465c401f47b6
SHA256

773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b
SHA512

ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336
SSDEEP

3072:/88XR1VlLhjtoLnhKr2TU/nR22iZMsnOKRwlpmsXbc2/N6gCzsakhExUVUBzsZi3:/N3LQLhKr8wQ3alpigeRkhExxzsbVmn

Score

10^/10

amadey persistence trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

rovwer.exelego.exerovwer.exeblockchainlzt_crypted.exe

pid process

1728 rovwer.exe
624 lego.exe
304 rovwer.exe
1380 blockchainlzt_crypted.exe
Loads dropped DLL 6 IoCs

Processes:

file.exerovwer.exelego.exerovwer.exe

pid process

536 file.exe
536 file.exe
1728 rovwer.exe
624 lego.exe
304 rovwer.exe
304 rovwer.exe

pid	process
1728	rovwer.exe
624	lego.exe
304	rovwer.exe
1380	blockchainlzt_crypted.exe

pid	process
536	file.exe
536	file.exe
1728	rovwer.exe
624	lego.exe
304	rovwer.exe
304	rovwer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\lego.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000006000\\lego.exe"	rovwer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

blockchainlzt_crypted.exe

description pid process target process

PID 1380 set thread context of 1696 1380 blockchainlzt_crypted.exe AppLaunch.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1616 schtasks.exe
1312 schtasks.exe

description	pid	process	target process
PID 1380 set thread context of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe

pid	process
1616	schtasks.exe
1312	schtasks.exe

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

file.exerovwer.exelego.exerovwer.execmd.exeblockchainlzt_crypted.exe

description	pid	process	target process
PID 536 wrote to memory of 1728	536	file.exe	rovwer.exe
PID 536 wrote to memory of 1728	536	file.exe	rovwer.exe
PID 536 wrote to memory of 1728	536	file.exe	rovwer.exe
PID 536 wrote to memory of 1728	536	file.exe	rovwer.exe
PID 1728 wrote to memory of 1312	1728	rovwer.exe	schtasks.exe
PID 1728 wrote to memory of 1312	1728	rovwer.exe	schtasks.exe
PID 1728 wrote to memory of 1312	1728	rovwer.exe	schtasks.exe
PID 1728 wrote to memory of 1312	1728	rovwer.exe	schtasks.exe
PID 1728 wrote to memory of 624	1728	rovwer.exe	lego.exe
PID 1728 wrote to memory of 624	1728	rovwer.exe	lego.exe
PID 1728 wrote to memory of 624	1728	rovwer.exe	lego.exe
PID 1728 wrote to memory of 624	1728	rovwer.exe	lego.exe
PID 624 wrote to memory of 304	624	lego.exe	rovwer.exe
PID 624 wrote to memory of 304	624	lego.exe	rovwer.exe
PID 624 wrote to memory of 304	624	lego.exe	rovwer.exe
PID 624 wrote to memory of 304	624	lego.exe	rovwer.exe
PID 304 wrote to memory of 1616	304	rovwer.exe	schtasks.exe
PID 304 wrote to memory of 1616	304	rovwer.exe	schtasks.exe
PID 304 wrote to memory of 1616	304	rovwer.exe	schtasks.exe
PID 304 wrote to memory of 1616	304	rovwer.exe	schtasks.exe
PID 304 wrote to memory of 296	304	rovwer.exe	cmd.exe
PID 304 wrote to memory of 296	304	rovwer.exe	cmd.exe
PID 304 wrote to memory of 296	304	rovwer.exe	cmd.exe
PID 304 wrote to memory of 296	304	rovwer.exe	cmd.exe
PID 296 wrote to memory of 996	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 996	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 996	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 996	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 1028	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1028	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1028	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1028	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 924	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 924	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 924	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 924	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1472	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 1472	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 1472	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 1472	296	cmd.exe	cmd.exe
PID 296 wrote to memory of 1476	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1476	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1476	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1476	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1984	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1984	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1984	296	cmd.exe	cacls.exe
PID 296 wrote to memory of 1984	296	cmd.exe	cacls.exe
PID 304 wrote to memory of 1380	304	rovwer.exe	blockchainlzt_crypted.exe
PID 304 wrote to memory of 1380	304	rovwer.exe	blockchainlzt_crypted.exe
PID 304 wrote to memory of 1380	304	rovwer.exe	blockchainlzt_crypted.exe
PID 304 wrote to memory of 1380	304	rovwer.exe	blockchainlzt_crypted.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe
PID 1380 wrote to memory of 1696	1380	blockchainlzt_crypted.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:1312

C:\Users\Admin\AppData\Roaming\1000006000\lego.exe
"C:\Users\Admin\AppData\Roaming\1000006000\lego.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
5⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:996

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
6⤵
PID:1028

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
6⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1472

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
6⤵
PID:1476

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
6⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe
Filesize
2.7MB

MD5
e7f46144892fe5bdef99bdf819d1b9a6

SHA1
763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb

SHA256
e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

SHA512
0165fe66620ef9c621b1f3b37e5ef69d636f4f6ec341011d9d6b45fdf9b634151937c139e928b8641183ff2f469844a1370a4ac0253d84ec81992cd9c67b963f

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
259KB

MD5
c6fbed69bf7f6a50dd27c2e4b5dc3607

SHA1
90e5b712608e74b31b7b99ce9b75465c401f47b6

SHA256
773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b

SHA512
ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
259KB

MD5
c6fbed69bf7f6a50dd27c2e4b5dc3607

SHA1
90e5b712608e74b31b7b99ce9b75465c401f47b6

SHA256
773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b

SHA512
ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Roaming\1000006000\lego.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
C:\Users\Admin\AppData\Roaming\1000006000\lego.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe
Filesize
2.7MB

MD5
e7f46144892fe5bdef99bdf819d1b9a6

SHA1
763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb

SHA256
e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

SHA512
0165fe66620ef9c621b1f3b37e5ef69d636f4f6ec341011d9d6b45fdf9b634151937c139e928b8641183ff2f469844a1370a4ac0253d84ec81992cd9c67b963f

Download Submit
\Users\Admin\AppData\Local\Temp\1000038001\blockchainlzt_crypted.exe
Filesize
2.7MB

MD5
e7f46144892fe5bdef99bdf819d1b9a6

SHA1
763ac1ea8c3de617457f64a8ce4eabe7ab8a3abb

SHA256
e252a54e441ea88aafa694259386afd002153481af25a5b7b2df46d17ac53fcc

SHA512
0165fe66620ef9c621b1f3b37e5ef69d636f4f6ec341011d9d6b45fdf9b634151937c139e928b8641183ff2f469844a1370a4ac0253d84ec81992cd9c67b963f

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
259KB

MD5
c6fbed69bf7f6a50dd27c2e4b5dc3607

SHA1
90e5b712608e74b31b7b99ce9b75465c401f47b6

SHA256
773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b

SHA512
ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
259KB

MD5
c6fbed69bf7f6a50dd27c2e4b5dc3607

SHA1
90e5b712608e74b31b7b99ce9b75465c401f47b6

SHA256
773123f439cd65d61c49f0593f74b94d223013d8d2341674e7ee8a514a5a156b

SHA512
ae455aaa304aa8e8f8bfd4459647f6e6e4875d16ffc80ac8233f5bdf1b763577bc34d6634e7e829ca20a0f2acc3fe216ce1ffec867c59465cf45d03d3424e336

Download Submit
\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
\Users\Admin\AppData\Roaming\1000006000\lego.exe
Filesize
241KB

MD5
b466f58861bb4069db99312de146a2e8

SHA1
295f06794b26ba5ac7c73fbf636c581624f897cd

SHA256
6cfe5fe62ed600c72c474e6dfee6be689c74a820f789fbc9310fab1f68a87420

SHA512
8693e5a87844600c5e3ac04a74f01c801cefba09216c87e707c07fa34565693a98d74547470eef64ce9b277db4a466ee1176ca0015dddb665c9a84b7e6886c5d

Download Submit
memory/296-79-0x0000000000000000-mapping.dmp

Download
memory/304-75-0x0000000000000000-mapping.dmp

Download
memory/536-63-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/536-62-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/536-55-0x000000000069B000-0x00000000006BA000-memory.dmp

Filesize
124KB

Download
memory/536-56-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/536-61-0x000000000069B000-0x00000000006BA000-memory.dmp

Filesize
124KB

Download
memory/536-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/624-70-0x0000000000000000-mapping.dmp

Download
memory/924-83-0x0000000000000000-mapping.dmp

Download
memory/996-80-0x0000000000000000-mapping.dmp

Download
memory/1028-81-0x0000000000000000-mapping.dmp

Download
memory/1312-65-0x0000000000000000-mapping.dmp

Download
memory/1380-89-0x0000000000000000-mapping.dmp

Download
memory/1472-84-0x0000000000000000-mapping.dmp

Download
memory/1476-85-0x0000000000000000-mapping.dmp

Download
memory/1616-78-0x0000000000000000-mapping.dmp

Download
memory/1696-91-0x0000000000440000-0x0000000000639000-memory.dmp

Filesize
2.0MB

Download
memory/1696-96-0x00000000005E5000-0x000000000062A000-memory.dmp

Filesize
276KB

Download
memory/1696-97-0x0000000000440000-0x0000000000639000-memory.dmp

Filesize
2.0MB

Download
memory/1696-101-0x000000000049ECA0-mapping.dmp

Download
memory/1728-67-0x00000000006FB000-0x000000000071A000-memory.dmp

Filesize
124KB

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download
memory/1728-68-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/1984-86-0x0000000000000000-mapping.dmp

Download