amadey | 27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3

General

Target

27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe
Size

387KB
MD5

7d1a2c98545bb2882f36ab4082f7f23b
SHA1

02b33e9ec17cd2b2a2e4cc0a5d552dc17e84e155
SHA256

27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3
SHA512

9def50f47c6e64aabeef7d3d16cb7091ccd0e65302484a3b78cba108e0bb007a7e99faff3cfb3df9d24bcd797ec96a9ea9f71b53dc1422b123a7d5fab6008d0f
SSDEEP

6144:rHIIeLdACzkpPBHSRmrGW4xNWlbX9uRjMgU:ro9Jzk2MCW4xNWlbXwRQg

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.167/v7eWcjs/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 2 IoCs

pid	Process
2580	gntuud.exe
2504	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2560	744	WerFault.exe	82
1396	2504	WerFault.exe	92

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3760	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2580	744	27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe	83
PID 744 wrote to memory of 2580	744	27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe	83
PID 744 wrote to memory of 2580	744	27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe	83
PID 2580 wrote to memory of 3760	2580	gntuud.exe	86
PID 2580 wrote to memory of 3760	2580	gntuud.exe	86
PID 2580 wrote to memory of 3760	2580	gntuud.exe	86

C:\Users\Admin\AppData\Local\Temp\27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe
"C:\Users\Admin\AppData\Local\Temp\27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1260
  2⤵
  - Program crash
  PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 744 -ip 744
1⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
1⤵
- Executes dropped EXE
PID:2504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 416
  2⤵
  - Program crash
  PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2504 -ip 2504
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
387KB

MD5
7d1a2c98545bb2882f36ab4082f7f23b

SHA1
02b33e9ec17cd2b2a2e4cc0a5d552dc17e84e155

SHA256
27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3

SHA512
9def50f47c6e64aabeef7d3d16cb7091ccd0e65302484a3b78cba108e0bb007a7e99faff3cfb3df9d24bcd797ec96a9ea9f71b53dc1422b123a7d5fab6008d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
387KB

MD5
7d1a2c98545bb2882f36ab4082f7f23b

SHA1
02b33e9ec17cd2b2a2e4cc0a5d552dc17e84e155

SHA256
27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3

SHA512
9def50f47c6e64aabeef7d3d16cb7091ccd0e65302484a3b78cba108e0bb007a7e99faff3cfb3df9d24bcd797ec96a9ea9f71b53dc1422b123a7d5fab6008d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe

Filesize
387KB

MD5
7d1a2c98545bb2882f36ab4082f7f23b

SHA1
02b33e9ec17cd2b2a2e4cc0a5d552dc17e84e155

SHA256
27c1fc1722426baa7f2cff544a9b3bdb3c46f83d7e8ebe54d503f5f2d31953b3

SHA512
9def50f47c6e64aabeef7d3d16cb7091ccd0e65302484a3b78cba108e0bb007a7e99faff3cfb3df9d24bcd797ec96a9ea9f71b53dc1422b123a7d5fab6008d0f

Download Submit
memory/744-144-0x0000000000507000-0x0000000000526000-memory.dmp

Filesize
124KB

Download
memory/744-133-0x00000000008C0000-0x00000000008FE000-memory.dmp

Filesize
248KB

Download
memory/744-134-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/744-135-0x0000000000507000-0x0000000000526000-memory.dmp

Filesize
124KB

Download
memory/744-132-0x0000000000507000-0x0000000000526000-memory.dmp

Filesize
124KB

Download
memory/744-145-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-148-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2504-147-0x000000000048A000-0x00000000004A9000-memory.dmp

Filesize
124KB

Download
memory/2580-143-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2580-142-0x0000000000776000-0x0000000000795000-memory.dmp

Filesize
124KB

Download
memory/2580-140-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2580-139-0x0000000000776000-0x0000000000795000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads