amadey | a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725

General

Target

a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe
Size

245KB
MD5

9fd5a802438e6564c3624c16356cd317
SHA1

7e8add59856e67ffda114844ff61febe231a3668
SHA256

a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725
SHA512

19501b927d9c1f4c28339fbeada3b1b30dc90655c9aaa63c619c96b4e3e0a0b12026d864e2ff8593112eb6b61d5f797bc8b3c25e7f9f792cee073d3caeb1475b
SSDEEP

6144:zAonLbThvhuiliBMUJtZLP4BSYAIn0q2q3W:zAonrhvhuiIMUFQBS3e3

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

rovwer.exerovwer.exerovwer.exe

pid process

3580 rovwer.exe
3916 rovwer.exe
4224 rovwer.exe

pid	process
3580	rovwer.exe
3916	rovwer.exe
4224	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2564	2652	WerFault.exe	a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe
4584	3916	WerFault.exe	rovwer.exe
3796	4224	WerFault.exe	rovwer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5012 schtasks.exe

pid	process
5012	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exerovwer.exe

description	pid	process	target process
PID 2652 wrote to memory of 3580	2652	a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe	rovwer.exe
PID 2652 wrote to memory of 3580	2652	a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe	rovwer.exe
PID 2652 wrote to memory of 3580	2652	a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe	rovwer.exe
PID 3580 wrote to memory of 5012	3580	rovwer.exe	schtasks.exe
PID 3580 wrote to memory of 5012	3580	rovwer.exe	schtasks.exe
PID 3580 wrote to memory of 5012	3580	rovwer.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe
"C:\Users\Admin\AppData\Local\Temp\a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 1128
2⤵
- Program crash
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2652 -ip 2652
1⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3916 -s 416
2⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3916 -ip 3916
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 416
2⤵
- Program crash
PID:3796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4224 -ip 4224
1⤵
PID:1916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
245KB

MD5
9fd5a802438e6564c3624c16356cd317

SHA1
7e8add59856e67ffda114844ff61febe231a3668

SHA256
a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725

SHA512
19501b927d9c1f4c28339fbeada3b1b30dc90655c9aaa63c619c96b4e3e0a0b12026d864e2ff8593112eb6b61d5f797bc8b3c25e7f9f792cee073d3caeb1475b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
245KB

MD5
9fd5a802438e6564c3624c16356cd317

SHA1
7e8add59856e67ffda114844ff61febe231a3668

SHA256
a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725

SHA512
19501b927d9c1f4c28339fbeada3b1b30dc90655c9aaa63c619c96b4e3e0a0b12026d864e2ff8593112eb6b61d5f797bc8b3c25e7f9f792cee073d3caeb1475b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
245KB

MD5
9fd5a802438e6564c3624c16356cd317

SHA1
7e8add59856e67ffda114844ff61febe231a3668

SHA256
a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725

SHA512
19501b927d9c1f4c28339fbeada3b1b30dc90655c9aaa63c619c96b4e3e0a0b12026d864e2ff8593112eb6b61d5f797bc8b3c25e7f9f792cee073d3caeb1475b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Filesize
245KB

MD5
9fd5a802438e6564c3624c16356cd317

SHA1
7e8add59856e67ffda114844ff61febe231a3668

SHA256
a7c8e0e70b3515692bd52bb96086d5f1dc8751ce7ff51c200b4ced1b5e54d725

SHA512
19501b927d9c1f4c28339fbeada3b1b30dc90655c9aaa63c619c96b4e3e0a0b12026d864e2ff8593112eb6b61d5f797bc8b3c25e7f9f792cee073d3caeb1475b

Download Submit
memory/2652-132-0x00000000029AD000-0x00000000029CC000-memory.dmp

Filesize
124KB

Download
memory/2652-141-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/2652-134-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/2652-133-0x0000000002870000-0x00000000028AE000-memory.dmp

Filesize
248KB

Download
memory/2652-140-0x00000000029AD000-0x00000000029CC000-memory.dmp

Filesize
124KB

Download
memory/3580-143-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/3580-139-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/3580-135-0x0000000000000000-mapping.dmp

Download
memory/3580-138-0x00000000028EC000-0x000000000290B000-memory.dmp

Filesize
124KB

Download
memory/3916-145-0x00000000028B0000-0x00000000028CF000-memory.dmp

Filesize
124KB

Download
memory/3916-146-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/4224-148-0x00000000028A0000-0x00000000028BF000-memory.dmp

Filesize
124KB

Download
memory/4224-149-0x0000000000400000-0x00000000027F7000-memory.dmp

Filesize
36.0MB

Download
memory/5012-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads