amadey | d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

General

Target

d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe
Size

324KB
MD5

abf699474de0d2f67c6a86b17070f79f
SHA1

ce1e2d038e1806081ac2efee8a6c92cf5af43f8f
SHA256

d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70
SHA512

acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b
SSDEEP

3072:Y/cql+amAgTt5NFI1/Cf+o2CEGoRbUQx3Tibu0TRUmGr0ch6lokfMMjm/s4E:/qoTt6o2CEpRbhx3QlAZUNM

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

193.56.146.243/h8V2cQlbd3/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
1216	rovwer.exe
852	rovwer.exe
2012	rovwer.exe
560	rovwer.exe

Loads dropped DLL 2 IoCs

pid	Process
1192	d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe
1192	d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1056	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1216	1192	d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe	28
PID 1192 wrote to memory of 1216	1192	d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe	28
PID 1192 wrote to memory of 1216	1192	d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe	28
PID 1192 wrote to memory of 1216	1192	d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe	28
PID 1216 wrote to memory of 1056	1216	rovwer.exe	29
PID 1216 wrote to memory of 1056	1216	rovwer.exe	29
PID 1216 wrote to memory of 1056	1216	rovwer.exe	29
PID 1216 wrote to memory of 1056	1216	rovwer.exe	29
PID 1856 wrote to memory of 852	1856	taskeng.exe	34
PID 1856 wrote to memory of 852	1856	taskeng.exe	34
PID 1856 wrote to memory of 852	1856	taskeng.exe	34
PID 1856 wrote to memory of 852	1856	taskeng.exe	34
PID 1856 wrote to memory of 2012	1856	taskeng.exe	35
PID 1856 wrote to memory of 2012	1856	taskeng.exe	35
PID 1856 wrote to memory of 2012	1856	taskeng.exe	35
PID 1856 wrote to memory of 2012	1856	taskeng.exe	35
PID 1856 wrote to memory of 560	1856	taskeng.exe	37
PID 1856 wrote to memory of 560	1856	taskeng.exe	37
PID 1856 wrote to memory of 560	1856	taskeng.exe	37
PID 1856 wrote to memory of 560	1856	taskeng.exe	37

C:\Users\Admin\AppData\Local\Temp\d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe
"C:\Users\Admin\AppData\Local\Temp\d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1056

C:\Windows\system32\taskeng.exe
taskeng.exe {E39091D3-55C5-4939-B567-BF8182333B1E} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  2⤵
  - Executes dropped EXE
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe

Filesize
324KB

MD5
abf699474de0d2f67c6a86b17070f79f

SHA1
ce1e2d038e1806081ac2efee8a6c92cf5af43f8f

SHA256
d2a7c5d0009a9e382295763e4f62ef22ea064a5877d1e78750e0a17c8d938b70

SHA512
acb89e5413bdb6c6c10ea3f4ccbe28e4f7c114a0220e3e1a5b7a1c8fe4e7e54815e0a976be9d8b48a3c53e425c780bc1df15375c368cc3ef174bd4e70866fb2b

Download Submit
memory/560-81-0x000000000091C000-0x000000000093B000-memory.dmp

Filesize
124KB

Download
memory/560-82-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/852-72-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/852-71-0x00000000009EC000-0x0000000000A0B000-memory.dmp

Filesize
124KB

Download
memory/1192-60-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/1192-61-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/1192-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1192-59-0x000000000097C000-0x000000000099B000-memory.dmp

Filesize
124KB

Download
memory/1216-67-0x00000000008EC000-0x000000000090B000-memory.dmp

Filesize
124KB

Download
memory/1216-66-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/1216-65-0x00000000008EC000-0x000000000090B000-memory.dmp

Filesize
124KB

Download
memory/2012-76-0x000000000092C000-0x000000000094B000-memory.dmp

Filesize
124KB

Download
memory/2012-77-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads