amadey | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b

Analysis

max time kernel
96s
max time network
125s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
31-01-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
Size

235KB
MD5

67bb41448f41511e169c83230d7e9486
SHA1

dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256

f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA512

84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
SSDEEP

6144:ILUoeyDABOdDubDXqgraG0JzSRuVyL+VY9QqgE:Ilu0LgwJ4uVyaVgJ

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.72/hn85jlUn/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

nbveek.exenbveek.exenbveek.exe

pid process

1200 nbveek.exe
1516 nbveek.exe
940 nbveek.exe
Loads dropped DLL 5 IoCs

Processes:

f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exerundll32.exe

pid process

832 f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
1788 rundll32.exe
1788 rundll32.exe
1788 rundll32.exe
1788 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

856 schtasks.exe

pid	process
1200	nbveek.exe
1516	nbveek.exe
940	nbveek.exe

pid	process
832	f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe

pid	process
856	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exenbveek.execmd.exetaskeng.exe

description	pid	process	target process
PID 832 wrote to memory of 1200	832	f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe	nbveek.exe
PID 832 wrote to memory of 1200	832	f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe	nbveek.exe
PID 832 wrote to memory of 1200	832	f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe	nbveek.exe
PID 832 wrote to memory of 1200	832	f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe	nbveek.exe
PID 1200 wrote to memory of 856	1200	nbveek.exe	schtasks.exe
PID 1200 wrote to memory of 856	1200	nbveek.exe	schtasks.exe
PID 1200 wrote to memory of 856	1200	nbveek.exe	schtasks.exe
PID 1200 wrote to memory of 856	1200	nbveek.exe	schtasks.exe
PID 1200 wrote to memory of 1460	1200	nbveek.exe	cmd.exe
PID 1200 wrote to memory of 1460	1200	nbveek.exe	cmd.exe
PID 1200 wrote to memory of 1460	1200	nbveek.exe	cmd.exe
PID 1200 wrote to memory of 1460	1200	nbveek.exe	cmd.exe
PID 1460 wrote to memory of 1712	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 1712	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 1712	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 1712	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 1988	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1988	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1988	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1988	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 1844	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 904	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 904	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 904	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 904	1460	cmd.exe	cmd.exe
PID 1460 wrote to memory of 748	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 748	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 748	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 748	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 644	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 644	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 644	1460	cmd.exe	cacls.exe
PID 1460 wrote to memory of 644	1460	cmd.exe	cacls.exe
PID 1652 wrote to memory of 1516	1652	taskeng.exe	nbveek.exe
PID 1652 wrote to memory of 1516	1652	taskeng.exe	nbveek.exe
PID 1652 wrote to memory of 1516	1652	taskeng.exe	nbveek.exe
PID 1652 wrote to memory of 1516	1652	taskeng.exe	nbveek.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1200 wrote to memory of 1788	1200	nbveek.exe	rundll32.exe
PID 1652 wrote to memory of 940	1652	taskeng.exe	nbveek.exe
PID 1652 wrote to memory of 940	1652	taskeng.exe	nbveek.exe
PID 1652 wrote to memory of 940	1652	taskeng.exe	nbveek.exe
PID 1652 wrote to memory of 940	1652	taskeng.exe	nbveek.exe

C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
"C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F
3⤵
- Creates scheduled task(s)
PID:856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1712

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
4⤵
PID:1988

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:904

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5eb6b96734" /P "Admin:N"
4⤵
PID:748

C:\Windows\SysWOW64\cacls.exe
CACLS "..\5eb6b96734" /P "Admin:R" /E
4⤵
PID:644

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:1788

C:\Windows\system32\taskeng.exe
taskeng.exe {9A65E0EC-D5D8-4278-9D3D-45D41E9F9FFB} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
2⤵
- Executes dropped EXE
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Filesize
235KB

MD5
67bb41448f41511e169c83230d7e9486

SHA1
dde5a6577a966a9e8713e66ad7ef50b840dd114e

SHA256
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b

SHA512
84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Filesize
235KB

MD5
67bb41448f41511e169c83230d7e9486

SHA1
dde5a6577a966a9e8713e66ad7ef50b840dd114e

SHA256
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b

SHA512
84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Filesize
235KB

MD5
67bb41448f41511e169c83230d7e9486

SHA1
dde5a6577a966a9e8713e66ad7ef50b840dd114e

SHA256
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b

SHA512
84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Filesize
235KB

MD5
67bb41448f41511e169c83230d7e9486

SHA1
dde5a6577a966a9e8713e66ad7ef50b840dd114e

SHA256
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b

SHA512
84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
ce31169603a7eed43430aa62a758676d

SHA1
1721383e86d8181f3175ac9bf2fe66c87fea3ed7

SHA256
15bc34f8b63e66495ebc0b9133ad8b66672114b7dc100d65aa91b26e9ab8a6c1

SHA512
e322cec6c5cc3f0ea83e0f96af82700eeff9b6b353d378a99bb38cc605011eb29b36b6e286e6a2e8bf0d0d3d3276c49ae5440266bf586dbe3f8dd5e0e10ddca0

Download Submit
\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
Filesize
235KB

MD5
67bb41448f41511e169c83230d7e9486

SHA1
dde5a6577a966a9e8713e66ad7ef50b840dd114e

SHA256
f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b

SHA512
84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
ce31169603a7eed43430aa62a758676d

SHA1
1721383e86d8181f3175ac9bf2fe66c87fea3ed7

SHA256
15bc34f8b63e66495ebc0b9133ad8b66672114b7dc100d65aa91b26e9ab8a6c1

SHA512
e322cec6c5cc3f0ea83e0f96af82700eeff9b6b353d378a99bb38cc605011eb29b36b6e286e6a2e8bf0d0d3d3276c49ae5440266bf586dbe3f8dd5e0e10ddca0

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
ce31169603a7eed43430aa62a758676d

SHA1
1721383e86d8181f3175ac9bf2fe66c87fea3ed7

SHA256
15bc34f8b63e66495ebc0b9133ad8b66672114b7dc100d65aa91b26e9ab8a6c1

SHA512
e322cec6c5cc3f0ea83e0f96af82700eeff9b6b353d378a99bb38cc605011eb29b36b6e286e6a2e8bf0d0d3d3276c49ae5440266bf586dbe3f8dd5e0e10ddca0

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
ce31169603a7eed43430aa62a758676d

SHA1
1721383e86d8181f3175ac9bf2fe66c87fea3ed7

SHA256
15bc34f8b63e66495ebc0b9133ad8b66672114b7dc100d65aa91b26e9ab8a6c1

SHA512
e322cec6c5cc3f0ea83e0f96af82700eeff9b6b353d378a99bb38cc605011eb29b36b6e286e6a2e8bf0d0d3d3276c49ae5440266bf586dbe3f8dd5e0e10ddca0

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
ce31169603a7eed43430aa62a758676d

SHA1
1721383e86d8181f3175ac9bf2fe66c87fea3ed7

SHA256
15bc34f8b63e66495ebc0b9133ad8b66672114b7dc100d65aa91b26e9ab8a6c1

SHA512
e322cec6c5cc3f0ea83e0f96af82700eeff9b6b353d378a99bb38cc605011eb29b36b6e286e6a2e8bf0d0d3d3276c49ae5440266bf586dbe3f8dd5e0e10ddca0

Download Submit
memory/644-67-0x0000000000000000-mapping.dmp

Download
memory/748-66-0x0000000000000000-mapping.dmp

Download
memory/832-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/856-59-0x0000000000000000-mapping.dmp

Download
memory/904-65-0x0000000000000000-mapping.dmp

Download
memory/940-78-0x0000000000000000-mapping.dmp

Download
memory/1200-56-0x0000000000000000-mapping.dmp

Download
memory/1460-60-0x0000000000000000-mapping.dmp

Download
memory/1516-68-0x0000000000000000-mapping.dmp

Download
memory/1712-61-0x0000000000000000-mapping.dmp

Download
memory/1788-71-0x0000000000000000-mapping.dmp

Download
memory/1844-64-0x0000000000000000-mapping.dmp

Download
memory/1988-62-0x0000000000000000-mapping.dmp

Download