amadey | 4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136

General

Target

file.exe
Size

273KB
MD5

766683884bbe6a2c0e0ea7d76b6b13ea
SHA1

793d7b457f36a560d7094e4d0fee7270cc0e6842
SHA256

4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136
SHA512

52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a
SSDEEP

6144:vlr2XLlX3MjWzpuXgs8edJwibHbCJfAg:vlr8RX3S+AXew7bHeY

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

193.233.20.2/Bn89hku/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

mnolyk.exemnolyk.exemnolyk.exe

pid process

4232 mnolyk.exe
3900 mnolyk.exe
2752 mnolyk.exe

pid	process
4232	mnolyk.exe
3900	mnolyk.exe
2752	mnolyk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exemnolyk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4696	448	WerFault.exe	file.exe
3864	448	WerFault.exe	file.exe
2252	448	WerFault.exe	file.exe
2960	448	WerFault.exe	file.exe
1332	448	WerFault.exe	file.exe
2616	448	WerFault.exe	file.exe
2772	448	WerFault.exe	file.exe
3364	448	WerFault.exe	file.exe
3264	4232	WerFault.exe	mnolyk.exe
4288	4232	WerFault.exe	mnolyk.exe
1368	4232	WerFault.exe	mnolyk.exe
4628	4232	WerFault.exe	mnolyk.exe
2372	4232	WerFault.exe	mnolyk.exe
1788	4232	WerFault.exe	mnolyk.exe
1396	4232	WerFault.exe	mnolyk.exe
2644	4232	WerFault.exe	mnolyk.exe
3880	4232	WerFault.exe	mnolyk.exe
3708	4232	WerFault.exe	mnolyk.exe
5012	4232	WerFault.exe	mnolyk.exe
1316	4232	WerFault.exe	mnolyk.exe
4408	4232	WerFault.exe	mnolyk.exe
2720	4232	WerFault.exe	mnolyk.exe
724	3900	WerFault.exe	mnolyk.exe
4056	4232	WerFault.exe	mnolyk.exe
2576	2752	WerFault.exe	mnolyk.exe
4212	4232	WerFault.exe	mnolyk.exe
4280	4232	WerFault.exe	mnolyk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2076 schtasks.exe

pid	process
2076	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

file.exemnolyk.execmd.exe

description	pid	process	target process
PID 448 wrote to memory of 4232	448	file.exe	mnolyk.exe
PID 448 wrote to memory of 4232	448	file.exe	mnolyk.exe
PID 448 wrote to memory of 4232	448	file.exe	mnolyk.exe
PID 4232 wrote to memory of 2076	4232	mnolyk.exe	schtasks.exe
PID 4232 wrote to memory of 2076	4232	mnolyk.exe	schtasks.exe
PID 4232 wrote to memory of 2076	4232	mnolyk.exe	schtasks.exe
PID 4232 wrote to memory of 4040	4232	mnolyk.exe	cmd.exe
PID 4232 wrote to memory of 4040	4232	mnolyk.exe	cmd.exe
PID 4232 wrote to memory of 4040	4232	mnolyk.exe	cmd.exe
PID 4040 wrote to memory of 5056	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 5056	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 5056	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 5080	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 5080	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 5080	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 5076	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 5076	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 5076	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 4364	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 4364	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 4364	4040	cmd.exe	cmd.exe
PID 4040 wrote to memory of 4448	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 4448	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 4448	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 2116	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 2116	4040	cmd.exe	cacls.exe
PID 4040 wrote to memory of 2116	4040	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 848
2⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 940
2⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1100
2⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 936
2⤵
- Program crash
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 948
2⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 1124
2⤵
- Program crash
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 936
2⤵
- Program crash
PID:2772

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 584
3⤵
- Program crash
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 744
3⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 744
3⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 952
3⤵
- Program crash
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 972
3⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 952
3⤵
- Program crash
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 940
3⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
3⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 920
3⤵
- Program crash
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 668
3⤵
- Program crash
PID:3880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:5056

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
4⤵
PID:5080

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
4⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4364

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:N"
4⤵
PID:4448

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:R" /E
4⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1148
3⤵
- Program crash
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 616
3⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 648
3⤵
- Program crash
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 796
3⤵
- Program crash
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 996
3⤵
- Program crash
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 972
3⤵
- Program crash
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1312
3⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 980
3⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 768
2⤵
- Program crash
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 448 -ip 448
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 448 -ip 448
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 448 -ip 448
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 448 -ip 448
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 448 -ip 448
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 448 -ip 448
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 448 -ip 448
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 448 -ip 448
1⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4232 -ip 4232
1⤵
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4232 -ip 4232
1⤵
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4232 -ip 4232
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4232 -ip 4232
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4232 -ip 4232
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4232 -ip 4232
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4232 -ip 4232
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4232 -ip 4232
1⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4232 -ip 4232
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4232 -ip 4232
1⤵
PID:3444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4232 -ip 4232
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4232 -ip 4232
1⤵
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4232 -ip 4232
1⤵
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4232 -ip 4232
1⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 316
2⤵
- Program crash
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3900 -ip 3900
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4232 -ip 4232
1⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 312
2⤵
- Program crash
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2752 -ip 2752
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4232 -ip 4232
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4232 -ip 4232
1⤵
PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
766683884bbe6a2c0e0ea7d76b6b13ea

SHA1
793d7b457f36a560d7094e4d0fee7270cc0e6842

SHA256
4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136

SHA512
52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
766683884bbe6a2c0e0ea7d76b6b13ea

SHA1
793d7b457f36a560d7094e4d0fee7270cc0e6842

SHA256
4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136

SHA512
52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
766683884bbe6a2c0e0ea7d76b6b13ea

SHA1
793d7b457f36a560d7094e4d0fee7270cc0e6842

SHA256
4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136

SHA512
52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
766683884bbe6a2c0e0ea7d76b6b13ea

SHA1
793d7b457f36a560d7094e4d0fee7270cc0e6842

SHA256
4ed06a694ba1832bb5526f2a5d52f6455f7ed317191f910d2e01d35bd8fba136

SHA512
52bc438968e68e967c1513e9bb1376cf55987a3f1976cd4eb0c463bfc30eb34220c3cfb38713c24d0d6513df3823d1b18aa24857eb8010537cf986ffde6bb12a

Download Submit
memory/448-133-0x00000000048F0000-0x000000000492C000-memory.dmp

Filesize
240KB

Download
memory/448-134-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/448-132-0x0000000002D29000-0x0000000002D48000-memory.dmp

Filesize
124KB

Download
memory/448-138-0x0000000002D29000-0x0000000002D48000-memory.dmp

Filesize
124KB

Download
memory/448-139-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/2076-143-0x0000000000000000-mapping.dmp

Download
memory/2116-150-0x0000000000000000-mapping.dmp

Download
memory/2752-157-0x0000000002F4C000-0x0000000002F6A000-memory.dmp

Filesize
120KB

Download
memory/2752-158-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/3900-155-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/3900-154-0x0000000002DEC000-0x0000000002E0B000-memory.dmp

Filesize
124KB

Download
memory/4040-144-0x0000000000000000-mapping.dmp

Download
memory/4232-151-0x0000000002BB0000-0x0000000002CB0000-memory.dmp

Filesize
1024KB

Download
memory/4232-152-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4232-142-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4232-141-0x0000000002BB0000-0x0000000002CB0000-memory.dmp

Filesize
1024KB

Download
memory/4232-135-0x0000000000000000-mapping.dmp

Download
memory/4364-148-0x0000000000000000-mapping.dmp

Download
memory/4448-149-0x0000000000000000-mapping.dmp

Download
memory/5056-145-0x0000000000000000-mapping.dmp

Download
memory/5076-147-0x0000000000000000-mapping.dmp

Download
memory/5080-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads