amadey | 16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

General

Target

16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe
Size

245KB
MD5

3a09a713b206226caf0bf7e6d28ea115
SHA1

c68ae0c28f6715379f9b59b644b4d040bb7320ce
SHA256

16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e
SHA512

a212956bab3806d1d6086f0a3e9a4a5abb12f1c6ec0fa83f381222a3743d1745291d61ebbdaad8d2d0cfff886a375312b970ee4ec2dcf0aefc3ad792ae702bfa
SSDEEP

3072:YsKqjLS5/lIEWOLxR3Rc0Kl50mEblWTis8jxKwJxEpyXp4ajzmBLJUhq4Xehz:mqzULxR3PdoTis8jxr8py546Ss4

Score

10^/10

amadey persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.174/g84kvj4jck/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rovwer.exezzz.exerovwer.exe

pid process

3404 rovwer.exe
312 zzz.exe
3088 rovwer.exe

pid	process
3404	rovwer.exe
312	zzz.exe
3088	rovwer.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe	upx
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe	upx
behavioral1/memory/312-155-0x00000000004D0000-0x0000000000CB2000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	rovwer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zzz.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000214001\\zzz.exe"	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4148 924 WerFault.exe 16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4948 schtasks.exe

pid	pid_target	process	target process
4148	924	WerFault.exe	16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe

pid	process
4948	schtasks.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exerovwer.execmd.exezzz.execmd.exe

description	pid	process	target process
PID 924 wrote to memory of 3404	924	16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe	rovwer.exe
PID 924 wrote to memory of 3404	924	16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe	rovwer.exe
PID 924 wrote to memory of 3404	924	16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe	rovwer.exe
PID 3404 wrote to memory of 4948	3404	rovwer.exe	schtasks.exe
PID 3404 wrote to memory of 4948	3404	rovwer.exe	schtasks.exe
PID 3404 wrote to memory of 4948	3404	rovwer.exe	schtasks.exe
PID 3404 wrote to memory of 4128	3404	rovwer.exe	cmd.exe
PID 3404 wrote to memory of 4128	3404	rovwer.exe	cmd.exe
PID 3404 wrote to memory of 4128	3404	rovwer.exe	cmd.exe
PID 4128 wrote to memory of 1752	4128	cmd.exe	cmd.exe
PID 4128 wrote to memory of 1752	4128	cmd.exe	cmd.exe
PID 4128 wrote to memory of 1752	4128	cmd.exe	cmd.exe
PID 4128 wrote to memory of 3836	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 3836	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 3836	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 3236	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 3236	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 3236	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 1736	4128	cmd.exe	cmd.exe
PID 4128 wrote to memory of 1736	4128	cmd.exe	cmd.exe
PID 4128 wrote to memory of 1736	4128	cmd.exe	cmd.exe
PID 4128 wrote to memory of 2496	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 2496	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 2496	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 2436	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 2436	4128	cmd.exe	cacls.exe
PID 4128 wrote to memory of 2436	4128	cmd.exe	cacls.exe
PID 3404 wrote to memory of 312	3404	rovwer.exe	zzz.exe
PID 3404 wrote to memory of 312	3404	rovwer.exe	zzz.exe
PID 312 wrote to memory of 2352	312	zzz.exe	cmd.exe
PID 312 wrote to memory of 2352	312	zzz.exe	cmd.exe
PID 2352 wrote to memory of 2156	2352	cmd.exe	choice.exe
PID 2352 wrote to memory of 2156	2352	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe
"C:\Users\Admin\AppData\Local\Temp\16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1752

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:3836

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1736

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:2496

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1232
2⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 924 -ip 924
1⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3088 -ip 3088
1⤵
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
Filesize
2.4MB

MD5
e289e55c96e8c077a682aa0530841161

SHA1
d5154044ff465fa535955c857118b59124c85547

SHA256
a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a

SHA512
a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000214001\zzz.exe
Filesize
2.4MB

MD5
e289e55c96e8c077a682aa0530841161

SHA1
d5154044ff465fa535955c857118b59124c85547

SHA256
a9e18560e367a43b940ba8ff800dc6eb77c44d03ebc9e1686d0f2e8e5496814a

SHA512
a9a33b18c30a0016b7d2d5818c9922afa31e79e6783021dfa838672c7900b22a8b9041df6b0847a54e39b40fb7e62b2c341de64b140b24d54c0cb41a49301eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
245KB

MD5
3a09a713b206226caf0bf7e6d28ea115

SHA1
c68ae0c28f6715379f9b59b644b4d040bb7320ce

SHA256
16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

SHA512
a212956bab3806d1d6086f0a3e9a4a5abb12f1c6ec0fa83f381222a3743d1745291d61ebbdaad8d2d0cfff886a375312b970ee4ec2dcf0aefc3ad792ae702bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
245KB

MD5
3a09a713b206226caf0bf7e6d28ea115

SHA1
c68ae0c28f6715379f9b59b644b4d040bb7320ce

SHA256
16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

SHA512
a212956bab3806d1d6086f0a3e9a4a5abb12f1c6ec0fa83f381222a3743d1745291d61ebbdaad8d2d0cfff886a375312b970ee4ec2dcf0aefc3ad792ae702bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
245KB

MD5
3a09a713b206226caf0bf7e6d28ea115

SHA1
c68ae0c28f6715379f9b59b644b4d040bb7320ce

SHA256
16927d33dd16219899d1810436b57151d99b2ae3d6992d93366f7b2b3acf9d4e

SHA512
a212956bab3806d1d6086f0a3e9a4a5abb12f1c6ec0fa83f381222a3743d1745291d61ebbdaad8d2d0cfff886a375312b970ee4ec2dcf0aefc3ad792ae702bfa

Download Submit
memory/312-160-0x00000000004D0000-0x0000000000CB2000-memory.dmp

Filesize
7.9MB

Download
memory/312-155-0x00000000004D0000-0x0000000000CB2000-memory.dmp

Filesize
7.9MB

Download
memory/312-151-0x0000000000000000-mapping.dmp

Download
memory/924-132-0x000000000083E000-0x000000000085D000-memory.dmp

Filesize
124KB

Download
memory/924-134-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/924-133-0x0000000002400000-0x000000000243E000-memory.dmp

Filesize
248KB

Download
memory/924-150-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/924-149-0x000000000083E000-0x000000000085D000-memory.dmp

Filesize
124KB

Download
memory/1736-146-0x0000000000000000-mapping.dmp

Download
memory/1752-143-0x0000000000000000-mapping.dmp

Download
memory/2156-156-0x0000000000000000-mapping.dmp

Download
memory/2352-154-0x0000000000000000-mapping.dmp

Download
memory/2436-148-0x0000000000000000-mapping.dmp

Download
memory/2496-147-0x0000000000000000-mapping.dmp

Download
memory/3088-158-0x00000000006F0000-0x000000000070F000-memory.dmp

Filesize
124KB

Download
memory/3088-159-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3236-145-0x0000000000000000-mapping.dmp

Download
memory/3404-135-0x0000000000000000-mapping.dmp

Download
memory/3404-140-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3404-139-0x00000000006E0000-0x000000000071E000-memory.dmp

Filesize
248KB

Download
memory/3404-138-0x000000000075C000-0x000000000077B000-memory.dmp

Filesize
124KB

Download
memory/3836-144-0x0000000000000000-mapping.dmp

Download
memory/4128-142-0x0000000000000000-mapping.dmp

Download
memory/4948-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads