amadey | 707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

General

Target

file.exe
Size

344KB
MD5

75ccd08a0c97ace8136fdb7f8e9595f0
SHA1

0f1a820b10915798e0b4026695fa484f8a44c888
SHA256

707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c
SHA512

d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9
SSDEEP

6144:bK3E/11JKDVqjPtkbSZdRc40hc7oZ22tThsIeGjY6x:R/j0mFYSelhMm22ZVEM

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
2100	rovwer.exe
3856	rovwer.exe
2376	rovwer.exe
3996	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3788	2548	WerFault.exe	80
1860	3856	WerFault.exe	88
3208	2376	WerFault.exe	98

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
552	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2100	2548	file.exe	82
PID 2548 wrote to memory of 2100	2548	file.exe	82
PID 2548 wrote to memory of 2100	2548	file.exe	82
PID 2100 wrote to memory of 552	2100	rovwer.exe	84
PID 2100 wrote to memory of 552	2100	rovwer.exe	84
PID 2100 wrote to memory of 552	2100	rovwer.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1136
  2⤵
  - Program crash
  PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2548 -ip 2548
1⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 428
  2⤵
  - Program crash
  PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3856 -ip 3856
1⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:2376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 436
  2⤵
  - Program crash
  PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2376 -ip 2376
1⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
344KB

MD5
75ccd08a0c97ace8136fdb7f8e9595f0

SHA1
0f1a820b10915798e0b4026695fa484f8a44c888

SHA256
707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

SHA512
d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
344KB

MD5
75ccd08a0c97ace8136fdb7f8e9595f0

SHA1
0f1a820b10915798e0b4026695fa484f8a44c888

SHA256
707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

SHA512
d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
344KB

MD5
75ccd08a0c97ace8136fdb7f8e9595f0

SHA1
0f1a820b10915798e0b4026695fa484f8a44c888

SHA256
707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

SHA512
d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
344KB

MD5
75ccd08a0c97ace8136fdb7f8e9595f0

SHA1
0f1a820b10915798e0b4026695fa484f8a44c888

SHA256
707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

SHA512
d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
344KB

MD5
75ccd08a0c97ace8136fdb7f8e9595f0

SHA1
0f1a820b10915798e0b4026695fa484f8a44c888

SHA256
707b6abcad4dcd7ec70be02dea64fb17f90065a13126a022e8046c4dd3d0e34c

SHA512
d7e313c253d32b660faf718cd61754b6610ec0799313c9b7a04a292cc769510662e01a9783526aec66246cc98bce80df062cf1a0771f716a4a51fa89a08af7c9

Download Submit
memory/2100-138-0x000000000063B000-0x000000000065A000-memory.dmp

Filesize
124KB

Download
memory/2100-139-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2100-143-0x000000000063B000-0x000000000065A000-memory.dmp

Filesize
124KB

Download
memory/2100-144-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2376-149-0x00000000004AE000-0x00000000004CD000-memory.dmp

Filesize
124KB

Download
memory/2376-150-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2548-142-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2548-132-0x000000000069C000-0x00000000006BB000-memory.dmp

Filesize
124KB

Download
memory/2548-141-0x000000000069C000-0x00000000006BB000-memory.dmp

Filesize
124KB

Download
memory/2548-134-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2548-133-0x00000000004D0000-0x000000000050E000-memory.dmp

Filesize
248KB

Download
memory/3856-146-0x00000000005EF000-0x000000000060E000-memory.dmp

Filesize
124KB

Download
memory/3856-147-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads