amadey | a2d3a31b8a5262d199ef56feaba63ad0da7ac4437a9de346f8f5404b4e5b8c95

General

Target

1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe
Size

244KB
MD5

ee1e865bb346ca034571540c7f7a985b
SHA1

fd9ce830e59dbf847f051ea5af5945ab2e7bc1b6
SHA256

1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62
SHA512

5beb175ae3e19a5e1bf2486b1a692e0a44daed8373b1330b642daa6b2e9d7efbd23d0746c775ea2b56aeed7483474b5f1745001e74edea41c5589c2dab7ad1fd
SSDEEP

6144:3ycZLC8LC3A14AwKnyWXNvJaayuLnvYm:3yY1LC3AFwKykbR9

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.194/h49vlBP/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 1 IoCs

Processes:

rovwer.exe

pid process

520 rovwer.exe

pid	process
520	rovwer.exe

Loads dropped DLL 2 IoCs

Processes:

1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe

pid	process
1660	1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe
1660	1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1272 schtasks.exe

pid	process
1272	schtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exerovwer.exe

description	pid	process	target process
PID 1660 wrote to memory of 520	1660	1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe	rovwer.exe
PID 1660 wrote to memory of 520	1660	1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe	rovwer.exe
PID 1660 wrote to memory of 520	1660	1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe	rovwer.exe
PID 1660 wrote to memory of 520	1660	1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe	rovwer.exe
PID 520 wrote to memory of 1272	520	rovwer.exe	schtasks.exe
PID 520 wrote to memory of 1272	520	rovwer.exe	schtasks.exe
PID 520 wrote to memory of 1272	520	rovwer.exe	schtasks.exe
PID 520 wrote to memory of 1272	520	rovwer.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe
"C:\Users\Admin\AppData\Local\Temp\1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
244KB

MD5
ee1e865bb346ca034571540c7f7a985b

SHA1
fd9ce830e59dbf847f051ea5af5945ab2e7bc1b6

SHA256
1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62

SHA512
5beb175ae3e19a5e1bf2486b1a692e0a44daed8373b1330b642daa6b2e9d7efbd23d0746c775ea2b56aeed7483474b5f1745001e74edea41c5589c2dab7ad1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
244KB

MD5
ee1e865bb346ca034571540c7f7a985b

SHA1
fd9ce830e59dbf847f051ea5af5945ab2e7bc1b6

SHA256
1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62

SHA512
5beb175ae3e19a5e1bf2486b1a692e0a44daed8373b1330b642daa6b2e9d7efbd23d0746c775ea2b56aeed7483474b5f1745001e74edea41c5589c2dab7ad1fd

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
244KB

MD5
ee1e865bb346ca034571540c7f7a985b

SHA1
fd9ce830e59dbf847f051ea5af5945ab2e7bc1b6

SHA256
1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62

SHA512
5beb175ae3e19a5e1bf2486b1a692e0a44daed8373b1330b642daa6b2e9d7efbd23d0746c775ea2b56aeed7483474b5f1745001e74edea41c5589c2dab7ad1fd

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
244KB

MD5
ee1e865bb346ca034571540c7f7a985b

SHA1
fd9ce830e59dbf847f051ea5af5945ab2e7bc1b6

SHA256
1e3386190d8323958a031a015f563ba3b99b4b57c7cdbc995a50d6bf56005d62

SHA512
5beb175ae3e19a5e1bf2486b1a692e0a44daed8373b1330b642daa6b2e9d7efbd23d0746c775ea2b56aeed7483474b5f1745001e74edea41c5589c2dab7ad1fd

Download Submit
memory/520-63-0x000000000079B000-0x00000000007BA000-memory.dmp

Filesize
124KB

Download
memory/520-60-0x0000000000000000-mapping.dmp

Download
memory/520-64-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/520-69-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/520-70-0x000000000079B000-0x00000000007BA000-memory.dmp

Filesize
124KB

Download
memory/1272-67-0x0000000000000000-mapping.dmp

Download
memory/1660-55-0x000000000082B000-0x000000000084A000-memory.dmp

Filesize
124KB

Download
memory/1660-57-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/1660-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/1660-65-0x000000000082B000-0x000000000084A000-memory.dmp

Filesize
124KB

Download
memory/1660-66-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/1660-56-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads