amadey | 7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

General

Target

7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe
Size

325KB
MD5

ccc9cd1a0772e295f72dbdc593fd1b91
SHA1

673cb93a2ad861349df4ec838a27e19e87a05854
SHA256

7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1
SHA512

242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc
SSDEEP

3072:v5GRgsjPSgA5h45E17LNxEcsEqUhsSz9gjO8hN9fQomjKgvQ/IeXc4yjLUHy3L6n:v3sjKjJlDswsSh679xmjRvyg6yMTW9x

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.243/h8V2cQlbd3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
1152	rovwer.exe
1164	rovwer.exe
332	rovwer.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe
1788	7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
112	schtasks.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1152	1788	7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe	27
PID 1788 wrote to memory of 1152	1788	7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe	27
PID 1788 wrote to memory of 1152	1788	7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe	27
PID 1788 wrote to memory of 1152	1788	7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe	27
PID 1152 wrote to memory of 112	1152	rovwer.exe	28
PID 1152 wrote to memory of 112	1152	rovwer.exe	28
PID 1152 wrote to memory of 112	1152	rovwer.exe	28
PID 1152 wrote to memory of 112	1152	rovwer.exe	28
PID 1360 wrote to memory of 1164	1360	taskeng.exe	33
PID 1360 wrote to memory of 1164	1360	taskeng.exe	33
PID 1360 wrote to memory of 1164	1360	taskeng.exe	33
PID 1360 wrote to memory of 1164	1360	taskeng.exe	33
PID 1360 wrote to memory of 332	1360	taskeng.exe	34
PID 1360 wrote to memory of 332	1360	taskeng.exe	34
PID 1360 wrote to memory of 332	1360	taskeng.exe	34
PID 1360 wrote to memory of 332	1360	taskeng.exe	34

C:\Users\Admin\AppData\Local\Temp\7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe
"C:\Users\Admin\AppData\Local\Temp\7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:112

C:\Windows\system32\taskeng.exe
taskeng.exe {95588AF0-B56A-4D72-992F-6215F4CBEA04} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
325KB

MD5
ccc9cd1a0772e295f72dbdc593fd1b91

SHA1
673cb93a2ad861349df4ec838a27e19e87a05854

SHA256
7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

SHA512
242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
325KB

MD5
ccc9cd1a0772e295f72dbdc593fd1b91

SHA1
673cb93a2ad861349df4ec838a27e19e87a05854

SHA256
7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

SHA512
242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
325KB

MD5
ccc9cd1a0772e295f72dbdc593fd1b91

SHA1
673cb93a2ad861349df4ec838a27e19e87a05854

SHA256
7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

SHA512
242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
325KB

MD5
ccc9cd1a0772e295f72dbdc593fd1b91

SHA1
673cb93a2ad861349df4ec838a27e19e87a05854

SHA256
7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

SHA512
242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
325KB

MD5
ccc9cd1a0772e295f72dbdc593fd1b91

SHA1
673cb93a2ad861349df4ec838a27e19e87a05854

SHA256
7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

SHA512
242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
325KB

MD5
ccc9cd1a0772e295f72dbdc593fd1b91

SHA1
673cb93a2ad861349df4ec838a27e19e87a05854

SHA256
7b5a3705613370566fc71e12612c3952c763476a3df5f66c83bea6f64660e3b1

SHA512
242f0bd5afb77feaff5c697c4e960589e1bb80615cc93dcafbb2b10e945f3a14c0d67ad34185104988d6b7cd70cc2e5424e6992270b10079e98604b378d0ecbc

Download Submit
memory/332-78-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/332-77-0x0000000000A1E000-0x0000000000A3D000-memory.dmp

Filesize
124KB

Download
memory/1152-63-0x00000000009FE000-0x0000000000A1D000-memory.dmp

Filesize
124KB

Download
memory/1152-67-0x00000000009FE000-0x0000000000A1D000-memory.dmp

Filesize
124KB

Download
memory/1152-68-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1152-65-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1164-72-0x0000000000CDE000-0x0000000000CFD000-memory.dmp

Filesize
124KB

Download
memory/1164-73-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1788-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1788-62-0x0000000000400000-0x0000000000855000-memory.dmp

Filesize
4.3MB

Download
memory/1788-61-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1788-59-0x00000000009AE000-0x00000000009CD000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads