amadey | 21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988

Analysis

max time kernel
144s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15/01/2023, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988.exe
Size

321KB
MD5

01a12338b391b1b6d1aab0905ac0dd10
SHA1

86b68ecbdda7b1376464a7a551acea6a3a0e0e82
SHA256

21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988
SHA512

7af0f659cbca7fa1897b8c311acdda31ab1108d4bd5d38f32e0602c4d0fc0418d7d22494865ffb050f671c72c0706d058c05902c1bec988ebec655ac055f2c01
SSDEEP

6144:r5h+V0D4HQRK1/WoY5hUGXPhgOTuw8MhpgpRjFE:rb+mc+3UGXPhgOTLhSL

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.66

maximumpushtodaynotnowbut.com/Nmkn5d9Dn/index.php

motiontodaynotgogoodnowok.com/Nmkn5d9Dn/index.php

sogoodnowtodaynow.com/Nmkn5d9Dn/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 1 IoCs

pid	Process
3732	nbveek.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2116	2404	WerFault.exe	65
4808	2404	WerFault.exe	65
4884	2404	WerFault.exe	65
4252	2404	WerFault.exe	65
1940	2404	WerFault.exe	65
3464	2404	WerFault.exe	65
3636	3732	WerFault.exe	73
4272	3732	WerFault.exe	73
4068	3732	WerFault.exe	73
4852	3732	WerFault.exe	73
4104	3732	WerFault.exe	73
4008	3732	WerFault.exe	73
4860	3732	WerFault.exe	73
4532	3732	WerFault.exe	73
3092	3732	WerFault.exe	73

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3732	2404	21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988.exe	73
PID 2404 wrote to memory of 3732	2404	21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988.exe	73
PID 2404 wrote to memory of 3732	2404	21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988.exe	73

C:\Users\Admin\AppData\Local\Temp\21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988.exe
"C:\Users\Admin\AppData\Local\Temp\21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 836
  2⤵
  - Program crash
  PID:2116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 964
  2⤵
  - Program crash
  PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1016
  2⤵
  - Program crash
  PID:4884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1044
  2⤵
  - Program crash
  PID:4252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1020
  2⤵
  - Program crash
  PID:1940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1068
  2⤵
  - Program crash
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe"
  2⤵
  - Executes dropped EXE
  PID:3732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 556
    3⤵
    - Program crash
    PID:3636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 676
    3⤵
    - Program crash
    PID:4272
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 708
    3⤵
    - Program crash
    PID:4068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 732
    3⤵
    - Program crash
    PID:4852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 864
    3⤵
    - Program crash
    PID:4104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 964
    3⤵
    - Program crash
    PID:4008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 920
    3⤵
    - Program crash
    PID:4860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1056
    3⤵
    - Program crash
    PID:4532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 1048
    3⤵
    - Program crash
    PID:3092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe

Filesize
321KB

MD5
01a12338b391b1b6d1aab0905ac0dd10

SHA1
86b68ecbdda7b1376464a7a551acea6a3a0e0e82

SHA256
21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988

SHA512
7af0f659cbca7fa1897b8c311acdda31ab1108d4bd5d38f32e0602c4d0fc0418d7d22494865ffb050f671c72c0706d058c05902c1bec988ebec655ac055f2c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\727358c059\nbveek.exe

Filesize
321KB

MD5
01a12338b391b1b6d1aab0905ac0dd10

SHA1
86b68ecbdda7b1376464a7a551acea6a3a0e0e82

SHA256
21b04efbece079308c0ca3b857218f7a5ed2f610d0aa061cac0ca2c8eff84988

SHA512
7af0f659cbca7fa1897b8c311acdda31ab1108d4bd5d38f32e0602c4d0fc0418d7d22494865ffb050f671c72c0706d058c05902c1bec988ebec655ac055f2c01

Download Submit
memory/2404-116-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-117-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-118-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-119-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-120-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-121-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-122-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-123-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-124-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-125-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-126-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-127-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-128-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-130-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-129-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-131-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-132-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-133-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-134-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-135-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-136-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-138-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-140-0x0000000002C70000-0x0000000002D1E000-memory.dmp

Filesize
696KB

Download
memory/2404-141-0x0000000004910000-0x000000000494F000-memory.dmp

Filesize
252KB

Download
memory/2404-142-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-139-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-143-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-144-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-145-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-146-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-147-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-148-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-149-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-150-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-151-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-152-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-153-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-154-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-155-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-156-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-157-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-158-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-159-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-160-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-161-0x0000000000400000-0x0000000002BB8000-memory.dmp

Filesize
39.7MB

Download
memory/2404-162-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-163-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-164-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-165-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-166-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-167-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/2404-171-0x0000000004910000-0x000000000494F000-memory.dmp

Filesize
252KB

Download
memory/2404-180-0x0000000000400000-0x0000000002BB8000-memory.dmp

Filesize
39.7MB

Download
memory/3732-172-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-170-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-173-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-174-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-175-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-176-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-177-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-179-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-181-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-182-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-183-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-184-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-185-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-186-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-187-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-188-0x0000000076EF0000-0x000000007707E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-215-0x0000000002C70000-0x0000000002DBA000-memory.dmp

Filesize
1.3MB

Download
memory/3732-218-0x0000000000400000-0x0000000002BB8000-memory.dmp

Filesize
39.7MB

Download
memory/3732-224-0x0000000002C70000-0x0000000002DBA000-memory.dmp

Filesize
1.3MB

Download