amadey | dbcd164e67c1f09f59e7d2ae995c4450bd46868bab11b5fe13beb3e9b40c92b4

General

Target

470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe
Size

244KB
MD5

0906eebf6f5fd1f9029e4bc6f81a636d
SHA1

938df93f0f7ebb8f31a2d2e57c2447d17a0737b8
SHA256

470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e
SHA512

dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6
SSDEEP

6144:wuh1kLkzOqq8CW1V8Hcc9JOkbztWp4vW677CNZwVLL:wuh1kxqq8HrIDvHfCNW

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 4 IoCs

Processes:

rovwer.exerovwer.exerovwer.exerovwer.exe

pid process

4688 rovwer.exe
4200 rovwer.exe
1992 rovwer.exe
2612 rovwer.exe

pid	process
4688	rovwer.exe
4200	rovwer.exe
1992	rovwer.exe
2612	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4332	3540	WerFault.exe	470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe
2024	4200	WerFault.exe	rovwer.exe
4592	1992	WerFault.exe	rovwer.exe
2692	2612	WerFault.exe	rovwer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4524 schtasks.exe

pid	process
4524	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exerovwer.execmd.exe

description	pid	process	target process
PID 3540 wrote to memory of 4688	3540	470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe	rovwer.exe
PID 3540 wrote to memory of 4688	3540	470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe	rovwer.exe
PID 3540 wrote to memory of 4688	3540	470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe	rovwer.exe
PID 4688 wrote to memory of 4524	4688	rovwer.exe	schtasks.exe
PID 4688 wrote to memory of 4524	4688	rovwer.exe	schtasks.exe
PID 4688 wrote to memory of 4524	4688	rovwer.exe	schtasks.exe
PID 4688 wrote to memory of 4284	4688	rovwer.exe	cmd.exe
PID 4688 wrote to memory of 4284	4688	rovwer.exe	cmd.exe
PID 4688 wrote to memory of 4284	4688	rovwer.exe	cmd.exe
PID 4284 wrote to memory of 2488	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 2488	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 2488	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 1256	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 1256	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 1256	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 1556	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 1556	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 1556	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 2296	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 2296	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 2296	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 892	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 892	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 892	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 2600	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 2600	4284	cmd.exe	cacls.exe
PID 4284 wrote to memory of 2600	4284	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe
"C:\Users\Admin\AppData\Local\Temp\470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2488

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:1256

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2296

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:892

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1216
2⤵
- Program crash
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3540 -ip 3540
1⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 416
2⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4200 -ip 4200
1⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 416
2⤵
- Program crash
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1992 -ip 1992
1⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 416
2⤵
- Program crash
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2612 -ip 2612
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe

Filesize
244KB

MD5
0906eebf6f5fd1f9029e4bc6f81a636d

SHA1
938df93f0f7ebb8f31a2d2e57c2447d17a0737b8

SHA256
470138ea67a6aafb0059bd41949d7052a9b9b3fef615acd880c6c29df3db083e

SHA512
dad5fbcb96ebfb5c29d3fc3f46528ad46dce70acd67ee257b288ad58224117f90919ebce2693b4df9db7ba86f79fa417ff6b6b21c27a837e4d36d7c2b8ef7af6

Download Submit
memory/892-144-0x0000000000000000-mapping.dmp

Download
memory/1256-141-0x0000000000000000-mapping.dmp

Download
memory/1556-142-0x0000000000000000-mapping.dmp

Download
memory/1992-157-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/1992-156-0x0000000000690000-0x00000000006AF000-memory.dmp

Filesize
124KB

Download
memory/2296-143-0x0000000000000000-mapping.dmp

Download
memory/2488-140-0x0000000000000000-mapping.dmp

Download
memory/2600-145-0x0000000000000000-mapping.dmp

Download
memory/2612-160-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/2612-159-0x0000000000980000-0x000000000099F000-memory.dmp

Filesize
124KB

Download
memory/3540-146-0x000000000091D000-0x000000000093C000-memory.dmp

Filesize
124KB

Download
memory/3540-147-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3540-134-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3540-133-0x00000000006D0000-0x000000000070E000-memory.dmp

Filesize
248KB

Download
memory/3540-132-0x000000000091D000-0x000000000093C000-memory.dmp

Filesize
124KB

Download
memory/4200-151-0x0000000000740000-0x000000000075F000-memory.dmp

Filesize
124KB

Download
memory/4200-152-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4284-139-0x0000000000000000-mapping.dmp

Download
memory/4524-138-0x0000000000000000-mapping.dmp

Download
memory/4688-154-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4688-153-0x0000000000A0C000-0x0000000000A2B000-memory.dmp

Filesize
124KB

Download
memory/4688-149-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4688-148-0x0000000000A0C000-0x0000000000A2B000-memory.dmp

Filesize
124KB

Download
memory/4688-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads