amadey | 1a260322bd17696d664dc7e8023e287113d28dbeae9f0d9e0b6f0ab8e23dde10

General

Target

8e3a84fe51240b2f9a1e981e153b9c57.exe
Size

273KB
MD5

8e3a84fe51240b2f9a1e981e153b9c57
SHA1

b9ab34555604eb20d5e6ab3d3c729adafd43bbc9
SHA256

1a260322bd17696d664dc7e8023e287113d28dbeae9f0d9e0b6f0ab8e23dde10
SHA512

8f83f72d995ad80e62051219e7b47a7bd738ed3c630c4d1508ab7b30cf5265783c84157559791ded45e268c6ec0d1f99bda73957e096b5e466115c08c4661bfb
SSDEEP

6144:CpGJ8Lk3B3oSvcjS4e0nCX4V7r/mezTyZM:CpGyo3B37Tw75z

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.66

C2

193.233.20.2/Bn89hku/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

mnolyk.exemnolyk.exemnolyk.exe

pid process

228 mnolyk.exe
4540 mnolyk.exe
1020 mnolyk.exe

pid	process
228	mnolyk.exe
4540	mnolyk.exe
1020	mnolyk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8e3a84fe51240b2f9a1e981e153b9c57.exemnolyk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8e3a84fe51240b2f9a1e981e153b9c57.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	mnolyk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1960	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
2960	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
668	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
4576	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
1660	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
4208	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
1996	5060	WerFault.exe	8e3a84fe51240b2f9a1e981e153b9c57.exe
652	228	WerFault.exe	mnolyk.exe
1316	228	WerFault.exe	mnolyk.exe
1048	228	WerFault.exe	mnolyk.exe
1864	228	WerFault.exe	mnolyk.exe
4016	228	WerFault.exe	mnolyk.exe
2516	228	WerFault.exe	mnolyk.exe
3576	228	WerFault.exe	mnolyk.exe
3284	228	WerFault.exe	mnolyk.exe
1032	228	WerFault.exe	mnolyk.exe
3280	228	WerFault.exe	mnolyk.exe
3856	228	WerFault.exe	mnolyk.exe
2228	228	WerFault.exe	mnolyk.exe
4384	228	WerFault.exe	mnolyk.exe
572	228	WerFault.exe	mnolyk.exe
624	4540	WerFault.exe	mnolyk.exe
4760	228	WerFault.exe	mnolyk.exe
4664	1020	WerFault.exe	mnolyk.exe
4356	228	WerFault.exe	mnolyk.exe
4804	228	WerFault.exe	mnolyk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe

pid	process
1608	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

8e3a84fe51240b2f9a1e981e153b9c57.exemnolyk.execmd.exe

description	pid	process	target process
PID 5060 wrote to memory of 228	5060	8e3a84fe51240b2f9a1e981e153b9c57.exe	mnolyk.exe
PID 5060 wrote to memory of 228	5060	8e3a84fe51240b2f9a1e981e153b9c57.exe	mnolyk.exe
PID 5060 wrote to memory of 228	5060	8e3a84fe51240b2f9a1e981e153b9c57.exe	mnolyk.exe
PID 228 wrote to memory of 1608	228	mnolyk.exe	schtasks.exe
PID 228 wrote to memory of 1608	228	mnolyk.exe	schtasks.exe
PID 228 wrote to memory of 1608	228	mnolyk.exe	schtasks.exe
PID 228 wrote to memory of 3424	228	mnolyk.exe	cmd.exe
PID 228 wrote to memory of 3424	228	mnolyk.exe	cmd.exe
PID 228 wrote to memory of 3424	228	mnolyk.exe	cmd.exe
PID 3424 wrote to memory of 4868	3424	cmd.exe	cmd.exe
PID 3424 wrote to memory of 4868	3424	cmd.exe	cmd.exe
PID 3424 wrote to memory of 4868	3424	cmd.exe	cmd.exe
PID 3424 wrote to memory of 4204	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 4204	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 4204	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 3384	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 3384	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 3384	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 2272	3424	cmd.exe	cmd.exe
PID 3424 wrote to memory of 2272	3424	cmd.exe	cmd.exe
PID 3424 wrote to memory of 2272	3424	cmd.exe	cmd.exe
PID 3424 wrote to memory of 2092	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 2092	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 2092	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 3980	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 3980	3424	cmd.exe	cacls.exe
PID 3424 wrote to memory of 3980	3424	cmd.exe	cacls.exe

C:\Users\Admin\AppData\Local\Temp\8e3a84fe51240b2f9a1e981e153b9c57.exe
"C:\Users\Admin\AppData\Local\Temp\8e3a84fe51240b2f9a1e981e153b9c57.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 876
2⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 876
2⤵
- Program crash
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1052
2⤵
- Program crash
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1060
2⤵
- Program crash
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1040
2⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1060
2⤵
- Program crash
PID:4208

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
"C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 348
3⤵
- Program crash
PID:652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 720
3⤵
- Program crash
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 800
3⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 944
3⤵
- Program crash
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 952
3⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 956
3⤵
- Program crash
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 988
3⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 892
3⤵
- Program crash
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1192
3⤵
- Program crash
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4868

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:N"
4⤵
PID:4204

C:\Windows\SysWOW64\cacls.exe
CACLS "mnolyk.exe" /P "Admin:R" /E
4⤵
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2272

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:N"
4⤵
PID:2092

C:\Windows\SysWOW64\cacls.exe
CACLS "..\4b9a106e76" /P "Admin:R" /E
4⤵
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1236
3⤵
- Program crash
PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 348
3⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 668
3⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1224
3⤵
- Program crash
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1000
3⤵
- Program crash
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1032
3⤵
- Program crash
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1312
3⤵
- Program crash
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 980
3⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 772
2⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5060 -ip 5060
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5060 -ip 5060
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5060 -ip 5060
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5060 -ip 5060
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5060 -ip 5060
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5060 -ip 5060
1⤵
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5060 -ip 5060
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 228 -ip 228
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 228 -ip 228
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 228 -ip 228
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 228 -ip 228
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 228 -ip 228
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 228 -ip 228
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 228 -ip 228
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 228 -ip 228
1⤵
PID:2196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 228 -ip 228
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 228 -ip 228
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 228 -ip 228
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 228 -ip 228
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 228 -ip 228
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 228 -ip 228
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 320
2⤵
- Program crash
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4540 -ip 4540
1⤵
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 228 -ip 228
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
1⤵
- Executes dropped EXE
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 320
2⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1020 -ip 1020
1⤵
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 228 -ip 228
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 228 -ip 228
1⤵
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
8e3a84fe51240b2f9a1e981e153b9c57

SHA1
b9ab34555604eb20d5e6ab3d3c729adafd43bbc9

SHA256
1a260322bd17696d664dc7e8023e287113d28dbeae9f0d9e0b6f0ab8e23dde10

SHA512
8f83f72d995ad80e62051219e7b47a7bd738ed3c630c4d1508ab7b30cf5265783c84157559791ded45e268c6ec0d1f99bda73957e096b5e466115c08c4661bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
8e3a84fe51240b2f9a1e981e153b9c57

SHA1
b9ab34555604eb20d5e6ab3d3c729adafd43bbc9

SHA256
1a260322bd17696d664dc7e8023e287113d28dbeae9f0d9e0b6f0ab8e23dde10

SHA512
8f83f72d995ad80e62051219e7b47a7bd738ed3c630c4d1508ab7b30cf5265783c84157559791ded45e268c6ec0d1f99bda73957e096b5e466115c08c4661bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
8e3a84fe51240b2f9a1e981e153b9c57

SHA1
b9ab34555604eb20d5e6ab3d3c729adafd43bbc9

SHA256
1a260322bd17696d664dc7e8023e287113d28dbeae9f0d9e0b6f0ab8e23dde10

SHA512
8f83f72d995ad80e62051219e7b47a7bd738ed3c630c4d1508ab7b30cf5265783c84157559791ded45e268c6ec0d1f99bda73957e096b5e466115c08c4661bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\mnolyk.exe
Filesize
273KB

MD5
8e3a84fe51240b2f9a1e981e153b9c57

SHA1
b9ab34555604eb20d5e6ab3d3c729adafd43bbc9

SHA256
1a260322bd17696d664dc7e8023e287113d28dbeae9f0d9e0b6f0ab8e23dde10

SHA512
8f83f72d995ad80e62051219e7b47a7bd738ed3c630c4d1508ab7b30cf5265783c84157559791ded45e268c6ec0d1f99bda73957e096b5e466115c08c4661bfb

Download Submit
memory/228-135-0x0000000000000000-mapping.dmp

Download
memory/228-141-0x0000000002E78000-0x0000000002E97000-memory.dmp

Filesize
124KB

Download
memory/228-142-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/228-152-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/228-151-0x0000000002E78000-0x0000000002E97000-memory.dmp

Filesize
124KB

Download
memory/1020-157-0x0000000002DCC000-0x0000000002DEB000-memory.dmp

Filesize
124KB

Download
memory/1020-158-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/1020-159-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/1608-143-0x0000000000000000-mapping.dmp

Download
memory/2092-149-0x0000000000000000-mapping.dmp

Download
memory/2272-148-0x0000000000000000-mapping.dmp

Download
memory/3384-147-0x0000000000000000-mapping.dmp

Download
memory/3424-144-0x0000000000000000-mapping.dmp

Download
memory/3980-150-0x0000000000000000-mapping.dmp

Download
memory/4204-146-0x0000000000000000-mapping.dmp

Download
memory/4540-155-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/4868-145-0x0000000000000000-mapping.dmp

Download
memory/5060-132-0x0000000002D99000-0x0000000002DB7000-memory.dmp

Filesize
120KB

Download
memory/5060-140-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/5060-139-0x0000000004920000-0x000000000495C000-memory.dmp

Filesize
240KB

Download
memory/5060-138-0x0000000002D99000-0x0000000002DB7000-memory.dmp

Filesize
120KB

Download
memory/5060-134-0x0000000000400000-0x0000000002BAD000-memory.dmp

Filesize
39.7MB

Download
memory/5060-133-0x0000000004920000-0x000000000495C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads