amadey | 34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

Analysis

max time kernel
99s
max time network
126s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28/03/2023, 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y37qO07.exe
Size

237KB
MD5

58ffa503e308ad0d0650fc328e84560d
SHA1

9001c334d7da058224075468aa26a2f1c1d4b60e
SHA256

34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891
SHA512

00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496
SSDEEP

6144:f36hrz456we4lz7zzZ5my2IuViMqJnyJQ:Pxpz7LmeuVi3nN

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
916	legenda.exe
1504	legenda.exe
1972	legenda.exe

Loads dropped DLL 5 IoCs

pid	Process
1400	y37qO07.exe
1228	rundll32.exe
1228	rundll32.exe
1228	rundll32.exe
1228	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
864	schtasks.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 916	1400	y37qO07.exe	27
PID 1400 wrote to memory of 916	1400	y37qO07.exe	27
PID 1400 wrote to memory of 916	1400	y37qO07.exe	27
PID 1400 wrote to memory of 916	1400	y37qO07.exe	27
PID 916 wrote to memory of 864	916	legenda.exe	28
PID 916 wrote to memory of 864	916	legenda.exe	28
PID 916 wrote to memory of 864	916	legenda.exe	28
PID 916 wrote to memory of 864	916	legenda.exe	28
PID 916 wrote to memory of 1164	916	legenda.exe	30
PID 916 wrote to memory of 1164	916	legenda.exe	30
PID 916 wrote to memory of 1164	916	legenda.exe	30
PID 916 wrote to memory of 1164	916	legenda.exe	30
PID 1164 wrote to memory of 660	1164	cmd.exe	32
PID 1164 wrote to memory of 660	1164	cmd.exe	32
PID 1164 wrote to memory of 660	1164	cmd.exe	32
PID 1164 wrote to memory of 660	1164	cmd.exe	32
PID 1164 wrote to memory of 860	1164	cmd.exe	33
PID 1164 wrote to memory of 860	1164	cmd.exe	33
PID 1164 wrote to memory of 860	1164	cmd.exe	33
PID 1164 wrote to memory of 860	1164	cmd.exe	33
PID 1164 wrote to memory of 584	1164	cmd.exe	34
PID 1164 wrote to memory of 584	1164	cmd.exe	34
PID 1164 wrote to memory of 584	1164	cmd.exe	34
PID 1164 wrote to memory of 584	1164	cmd.exe	34
PID 1164 wrote to memory of 1668	1164	cmd.exe	35
PID 1164 wrote to memory of 1668	1164	cmd.exe	35
PID 1164 wrote to memory of 1668	1164	cmd.exe	35
PID 1164 wrote to memory of 1668	1164	cmd.exe	35
PID 1164 wrote to memory of 1924	1164	cmd.exe	36
PID 1164 wrote to memory of 1924	1164	cmd.exe	36
PID 1164 wrote to memory of 1924	1164	cmd.exe	36
PID 1164 wrote to memory of 1924	1164	cmd.exe	36
PID 1164 wrote to memory of 980	1164	cmd.exe	37
PID 1164 wrote to memory of 980	1164	cmd.exe	37
PID 1164 wrote to memory of 980	1164	cmd.exe	37
PID 1164 wrote to memory of 980	1164	cmd.exe	37
PID 524 wrote to memory of 1504	524	taskeng.exe	41
PID 524 wrote to memory of 1504	524	taskeng.exe	41
PID 524 wrote to memory of 1504	524	taskeng.exe	41
PID 524 wrote to memory of 1504	524	taskeng.exe	41
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 916 wrote to memory of 1228	916	legenda.exe	42
PID 524 wrote to memory of 1972	524	taskeng.exe	43
PID 524 wrote to memory of 1972	524	taskeng.exe	43
PID 524 wrote to memory of 1972	524	taskeng.exe	43
PID 524 wrote to memory of 1972	524	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\y37qO07.exe
"C:\Users\Admin\AppData\Local\Temp\y37qO07.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:864
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legenda.exe" /P "Admin:N"
      4⤵
      PID:860
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legenda.exe" /P "Admin:R" /E
      4⤵
      PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\f22b669919" /P "Admin:N"
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\f22b669919" /P "Admin:R" /E
      4⤵
      PID:980
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1228

C:\Windows\system32\taskeng.exe
taskeng.exe {D93F368F-9720-49D6-ADE4-BC5BFCEA719F} S-1-5-21-3948302646-268491222-1934009652-1000:KXZDHPUW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
  2⤵
  - Executes dropped EXE
  PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe

Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads