amadey | fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53

General

Target

file.exe
Size

352KB
MD5

b1146ec9318c55479bd80be9ae6410ad
SHA1

3b73d97d82c088c9b9e4343b1eb231b3097b146d
SHA256

fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53
SHA512

9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c
SSDEEP

6144:T/LomuF9DSbA2q8tL9mrDhvW6UvSCXK/o9/CJTk637eQfnd5SCyHCB:jGFI28ahvPUXXko9CJb7d5S

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

193.233.20.2/Bn89hku/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

mnolyk.exemnolyk.exemnolyk.exe

pid process

4376 mnolyk.exe
4040 mnolyk.exe
3020 mnolyk.exe

pid	process
4376	mnolyk.exe
4040	mnolyk.exe
3020	mnolyk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exemnolyk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1036	4604	WerFault.exe	file.exe
1100	4604	WerFault.exe	file.exe
1356	4604	WerFault.exe	file.exe
1744	4604	WerFault.exe	file.exe
2736	4604	WerFault.exe	file.exe
4244	4604	WerFault.exe	file.exe
1532	4604	WerFault.exe	file.exe
3844	4376	WerFault.exe	mnolyk.exe
1652	4376	WerFault.exe	mnolyk.exe
204	4376	WerFault.exe	mnolyk.exe
8	4376	WerFault.exe	mnolyk.exe
3480	4376	WerFault.exe	mnolyk.exe
1376	4376	WerFault.exe	mnolyk.exe
3636	4376	WerFault.exe	mnolyk.exe
4600	4376	WerFault.exe	mnolyk.exe
720	4376	WerFault.exe	mnolyk.exe
3648	4376	WerFault.exe	mnolyk.exe
3940	4376	WerFault.exe	mnolyk.exe
3176	4376	WerFault.exe	mnolyk.exe
2028	4376	WerFault.exe	mnolyk.exe
2676	4376	WerFault.exe	mnolyk.exe
1744	4376	WerFault.exe	mnolyk.exe
1280	4040	WerFault.exe	mnolyk.exe
1496	4376	WerFault.exe	mnolyk.exe
2580	3020	WerFault.exe	mnolyk.exe
116	4376	WerFault.exe	mnolyk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1900 schtasks.exe

pid	process
1900	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

file.exemnolyk.execmd.exe

description	pid	process	target process
PID 4604 wrote to memory of 4376	4604	file.exe	mnolyk.exe
PID 4604 wrote to memory of 4376	4604	file.exe	mnolyk.exe
PID 4604 wrote to memory of 4376	4604	file.exe	mnolyk.exe
PID 4376 wrote to memory of 1900	4376	mnolyk.exe	schtasks.exe
PID 4376 wrote to memory of 1900	4376	mnolyk.exe	schtasks.exe
PID 4376 wrote to memory of 1900	4376	mnolyk.exe	schtasks.exe
PID 4376 wrote to memory of 3692	4376	mnolyk.exe	cmd.exe
PID 4376 wrote to memory of 3692	4376	mnolyk.exe	cmd.exe
PID 4376 wrote to memory of 3692	4376	mnolyk.exe	cmd.exe
PID 3692 wrote to memory of 3784	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 3784	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 3784	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 4676	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 4676	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 4676	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 3876	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 3876	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 3876	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 1796	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 1796	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 1796	3692	cmd.exe	cmd.exe
PID 3692 wrote to memory of 2424	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 2424	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 2424	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 2812	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 2812	3692	cmd.exe	cacls.exe
PID 3692 wrote to memory of 2812	3692	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 896
2⤵
- Program crash
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 972
2⤵
- Program crash
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 980
2⤵
- Program crash
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1104
2⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1076
2⤵
- Program crash
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1092
2⤵
- Program crash
PID:4244

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 588
3⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 776
3⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 768
3⤵
- Program crash
PID:204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 948
3⤵
- Program crash
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 948
3⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 948
3⤵
- Program crash
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1012
3⤵
- Program crash
PID:3636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 892
3⤵
- Program crash
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 620
3⤵
- Program crash
PID:720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3692

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
4⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3784

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
4⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1796

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:N"
4⤵
PID:2424

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:R" /E
4⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 776
3⤵
- Program crash
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 588
3⤵
- Program crash
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1188
3⤵
- Program crash
PID:3176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 816
3⤵
- Program crash
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1388
3⤵
- Program crash
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 996
3⤵
- Program crash
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 988
3⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 1288
3⤵
- Program crash
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 924
2⤵
- Program crash
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4604 -ip 4604
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4604 -ip 4604
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4604 -ip 4604
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4604 -ip 4604
1⤵
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4376 -ip 4376
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4376 -ip 4376
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4376 -ip 4376
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4376 -ip 4376
1⤵
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4376 -ip 4376
1⤵
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4376 -ip 4376
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4376 -ip 4376
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4376 -ip 4376
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4376 -ip 4376
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4376 -ip 4376
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4376 -ip 4376
1⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 328
2⤵
- Program crash
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4040 -ip 4040
1⤵
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4376 -ip 4376
1⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 316
2⤵
- Program crash
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3020 -ip 3020
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4376 -ip 4376
1⤵
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
352KB

MD5
b1146ec9318c55479bd80be9ae6410ad

SHA1
3b73d97d82c088c9b9e4343b1eb231b3097b146d

SHA256
fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53

SHA512
9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
352KB

MD5
b1146ec9318c55479bd80be9ae6410ad

SHA1
3b73d97d82c088c9b9e4343b1eb231b3097b146d

SHA256
fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53

SHA512
9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
352KB

MD5
b1146ec9318c55479bd80be9ae6410ad

SHA1
3b73d97d82c088c9b9e4343b1eb231b3097b146d

SHA256
fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53

SHA512
9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
352KB

MD5
b1146ec9318c55479bd80be9ae6410ad

SHA1
3b73d97d82c088c9b9e4343b1eb231b3097b146d

SHA256
fcaa3b47fc9a61baf5e8317fb8bd62028bb6c5190702d21c3645c346a4b66d53

SHA512
9bd3c136c40c2858fda2eeab233f07271d975b539efb35d88c3a6a609c0a0e8a0396b0b315e9f97365b9261a8edab01d2debf1f35424a02c8325d158a5af018c

Download Submit
memory/1796-147-0x0000000000000000-mapping.dmp

Download
memory/1900-142-0x0000000000000000-mapping.dmp

Download
memory/2424-148-0x0000000000000000-mapping.dmp

Download
memory/2812-149-0x0000000000000000-mapping.dmp

Download
memory/3020-156-0x00000000005FF000-0x000000000061D000-memory.dmp

Filesize
120KB

Download
memory/3020-157-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/3692-143-0x0000000000000000-mapping.dmp

Download
memory/3784-144-0x0000000000000000-mapping.dmp

Download
memory/3876-146-0x0000000000000000-mapping.dmp

Download
memory/4040-153-0x00000000004FF000-0x000000000051D000-memory.dmp

Filesize
120KB

Download
memory/4040-154-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4376-150-0x00000000006BC000-0x00000000006DB000-memory.dmp

Filesize
124KB

Download
memory/4376-141-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4376-151-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4376-140-0x00000000006BC000-0x00000000006DB000-memory.dmp

Filesize
124KB

Download
memory/4376-135-0x0000000000000000-mapping.dmp

Download
memory/4604-132-0x000000000072D000-0x000000000074C000-memory.dmp

Filesize
124KB

Download
memory/4604-138-0x000000000072D000-0x000000000074C000-memory.dmp

Filesize
124KB

Download
memory/4604-139-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4604-134-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/4604-133-0x00000000021B0000-0x00000000021EC000-memory.dmp

Filesize
240KB

Download
memory/4676-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads