amadey | 4903447adc3b6baf4c7a4f83a216aa4808af34c6972e7d5a89fbd64088f84804

General

Target

976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe
Size

332KB
MD5

933a85f92647e1d6ebc124fabb767475
SHA1

cd5683be2cdcd5bab25b9eb2ce90a6926ced96f3
SHA256

976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b
SHA512

5f18a1f0261266e91ebbd88407397c8968302d683e92d4fdf420b65817f41003dc8df896ab8f7caa3e36916b1de7e516b12426fee34315920f62ec6151c77922
SSDEEP

6144:ZQve+k+JZnNEfnxMQFUBVDl42is8Gs3fxSHdbqoWJzRIDceNVS:ZQWf+J/Ux/y542FVoo9GoWJaDceNVS

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

62.204.41.6/p9cWxH/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

gntuud.exegntuud.exegntuud.exe

pid process

3616 gntuud.exe
5116 gntuud.exe
3608 gntuud.exe

pid	process
3616	gntuud.exe
5116	gntuud.exe
3608	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	gntuud.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2172	4936	WerFault.exe	976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe
1056	5116	WerFault.exe	gntuud.exe
2504	3608	WerFault.exe	gntuud.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4908 schtasks.exe

pid	process
4908	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exegntuud.exe

description	pid	process	target process
PID 4936 wrote to memory of 3616	4936	976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe	gntuud.exe
PID 4936 wrote to memory of 3616	4936	976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe	gntuud.exe
PID 4936 wrote to memory of 3616	4936	976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe	gntuud.exe
PID 3616 wrote to memory of 4908	3616	gntuud.exe	schtasks.exe
PID 3616 wrote to memory of 4908	3616	gntuud.exe	schtasks.exe
PID 3616 wrote to memory of 4908	3616	gntuud.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe
"C:\Users\Admin\AppData\Local\Temp\976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 908
2⤵
- Program crash
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4936 -ip 4936
1⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 216
2⤵
- Program crash
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5116 -ip 5116
1⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 416
2⤵
- Program crash
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3608 -ip 3608
1⤵
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
933a85f92647e1d6ebc124fabb767475

SHA1
cd5683be2cdcd5bab25b9eb2ce90a6926ced96f3

SHA256
976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b

SHA512
5f18a1f0261266e91ebbd88407397c8968302d683e92d4fdf420b65817f41003dc8df896ab8f7caa3e36916b1de7e516b12426fee34315920f62ec6151c77922

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
933a85f92647e1d6ebc124fabb767475

SHA1
cd5683be2cdcd5bab25b9eb2ce90a6926ced96f3

SHA256
976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b

SHA512
5f18a1f0261266e91ebbd88407397c8968302d683e92d4fdf420b65817f41003dc8df896ab8f7caa3e36916b1de7e516b12426fee34315920f62ec6151c77922

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
933a85f92647e1d6ebc124fabb767475

SHA1
cd5683be2cdcd5bab25b9eb2ce90a6926ced96f3

SHA256
976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b

SHA512
5f18a1f0261266e91ebbd88407397c8968302d683e92d4fdf420b65817f41003dc8df896ab8f7caa3e36916b1de7e516b12426fee34315920f62ec6151c77922

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
332KB

MD5
933a85f92647e1d6ebc124fabb767475

SHA1
cd5683be2cdcd5bab25b9eb2ce90a6926ced96f3

SHA256
976fc609d841717da80daa35279c65df2dc9d4f928483259b287208b86097a7b

SHA512
5f18a1f0261266e91ebbd88407397c8968302d683e92d4fdf420b65817f41003dc8df896ab8f7caa3e36916b1de7e516b12426fee34315920f62ec6151c77922

Download Submit
memory/3608-149-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3608-148-0x000000000071C000-0x000000000073B000-memory.dmp

Filesize
124KB

Download
memory/3616-143-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3616-138-0x0000000000638000-0x0000000000657000-memory.dmp

Filesize
124KB

Download
memory/3616-139-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3616-135-0x0000000000000000-mapping.dmp

Download
memory/4908-140-0x0000000000000000-mapping.dmp

Download
memory/4936-141-0x00000000006A8000-0x00000000006C7000-memory.dmp

Filesize
124KB

Download
memory/4936-132-0x00000000006A8000-0x00000000006C7000-memory.dmp

Filesize
124KB

Download
memory/4936-142-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4936-133-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/4936-134-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/5116-145-0x00000000005BB000-0x00000000005DA000-memory.dmp

Filesize
124KB

Download
memory/5116-146-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads