amadey | 5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c

General

Target

5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe
Size

324KB
MD5

05f30530f22d03d8454e8eed115d1425
SHA1

868a1b1ccbe54427fcb2f918b1be3d0b0f1889c6
SHA256

5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c
SHA512

caca6e63db3053177258c6bdc86098b27850a1b5960bebcc3f9471cdfa83f48f3fd0fb6a12d410129eebd0cce0b7611f52d931b0332c4920e57d423bad6ece5d
SSDEEP

3072:Sp/Tqf+jAg/t5N50Yr3EZW+opHiX7Lig9tjY75Y2JAjC/mJUcA35or15Cr2cYE:Mqo/ti8UU+oRlg96XJAG+Op2c

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.15/Mb1sDv3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
5076	rovwer.exe
2636	rovwer.exe
3336	rovwer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	rovwer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2344	5016	WerFault.exe	81
3828	2636	WerFault.exe	92
2784	3336	WerFault.exe	98

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5040	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 5076	5016	5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe	82
PID 5016 wrote to memory of 5076	5016	5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe	82
PID 5016 wrote to memory of 5076	5016	5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe	82
PID 5076 wrote to memory of 5040	5076	rovwer.exe	85
PID 5076 wrote to memory of 5040	5076	rovwer.exe	85
PID 5076 wrote to memory of 5040	5076	rovwer.exe	85

C:\Users\Admin\AppData\Local\Temp\5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe
"C:\Users\Admin\AppData\Local\Temp\5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1144
  2⤵
  - Program crash
  PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5016 -ip 5016
1⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:2636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 420
  2⤵
  - Program crash
  PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2636 -ip 2636
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:3336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 428
  2⤵
  - Program crash
  PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3336 -ip 3336
1⤵
PID:3460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
324KB

MD5
05f30530f22d03d8454e8eed115d1425

SHA1
868a1b1ccbe54427fcb2f918b1be3d0b0f1889c6

SHA256
5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c

SHA512
caca6e63db3053177258c6bdc86098b27850a1b5960bebcc3f9471cdfa83f48f3fd0fb6a12d410129eebd0cce0b7611f52d931b0332c4920e57d423bad6ece5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
324KB

MD5
05f30530f22d03d8454e8eed115d1425

SHA1
868a1b1ccbe54427fcb2f918b1be3d0b0f1889c6

SHA256
5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c

SHA512
caca6e63db3053177258c6bdc86098b27850a1b5960bebcc3f9471cdfa83f48f3fd0fb6a12d410129eebd0cce0b7611f52d931b0332c4920e57d423bad6ece5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
324KB

MD5
05f30530f22d03d8454e8eed115d1425

SHA1
868a1b1ccbe54427fcb2f918b1be3d0b0f1889c6

SHA256
5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c

SHA512
caca6e63db3053177258c6bdc86098b27850a1b5960bebcc3f9471cdfa83f48f3fd0fb6a12d410129eebd0cce0b7611f52d931b0332c4920e57d423bad6ece5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe

Filesize
324KB

MD5
05f30530f22d03d8454e8eed115d1425

SHA1
868a1b1ccbe54427fcb2f918b1be3d0b0f1889c6

SHA256
5655d71f4e4151e4e6117a5ba0d5ca8592354a97a18b4df74201846dd1a4f88c

SHA512
caca6e63db3053177258c6bdc86098b27850a1b5960bebcc3f9471cdfa83f48f3fd0fb6a12d410129eebd0cce0b7611f52d931b0332c4920e57d423bad6ece5d

Download Submit
memory/2636-145-0x00000000008EC000-0x000000000090B000-memory.dmp

Filesize
124KB

Download
memory/2636-146-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3336-149-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3336-148-0x00000000009EC000-0x0000000000A0B000-memory.dmp

Filesize
124KB

Download
memory/5016-132-0x0000000000AC8000-0x0000000000AE7000-memory.dmp

Filesize
124KB

Download
memory/5016-139-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/5016-138-0x0000000000AC8000-0x0000000000AE7000-memory.dmp

Filesize
124KB

Download
memory/5016-133-0x0000000002450000-0x000000000248E000-memory.dmp

Filesize
248KB

Download
memory/5016-134-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/5076-141-0x0000000000B18000-0x0000000000B37000-memory.dmp

Filesize
124KB

Download
memory/5076-142-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/5076-143-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads