amadey | 8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

Analysis

max time kernel
145s
max time network
127s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-03-2023 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x00090000000122ea-1068.exe
Size

228KB
MD5

d6b7bfaed247ac3d9668cd1af4e92fd0
SHA1

e0228189cc5aaee3be86c6e9e604b82b3e3b96a3
SHA256

8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f
SHA512

d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b
SSDEEP

6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.68

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
2012	metafor.exe
1932	metafor.exe
932	metafor.exe
1516	metafor.exe

Loads dropped DLL 1 IoCs

pid	Process
1048	0x00090000000122ea-1068.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1296	schtasks.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2012	1048	0x00090000000122ea-1068.exe	26
PID 1048 wrote to memory of 2012	1048	0x00090000000122ea-1068.exe	26
PID 1048 wrote to memory of 2012	1048	0x00090000000122ea-1068.exe	26
PID 1048 wrote to memory of 2012	1048	0x00090000000122ea-1068.exe	26
PID 2012 wrote to memory of 1296	2012	metafor.exe	27
PID 2012 wrote to memory of 1296	2012	metafor.exe	27
PID 2012 wrote to memory of 1296	2012	metafor.exe	27
PID 2012 wrote to memory of 1296	2012	metafor.exe	27
PID 2012 wrote to memory of 2020	2012	metafor.exe	29
PID 2012 wrote to memory of 2020	2012	metafor.exe	29
PID 2012 wrote to memory of 2020	2012	metafor.exe	29
PID 2012 wrote to memory of 2020	2012	metafor.exe	29
PID 2020 wrote to memory of 1716	2020	cmd.exe	31
PID 2020 wrote to memory of 1716	2020	cmd.exe	31
PID 2020 wrote to memory of 1716	2020	cmd.exe	31
PID 2020 wrote to memory of 1716	2020	cmd.exe	31
PID 2020 wrote to memory of 472	2020	cmd.exe	32
PID 2020 wrote to memory of 472	2020	cmd.exe	32
PID 2020 wrote to memory of 472	2020	cmd.exe	32
PID 2020 wrote to memory of 472	2020	cmd.exe	32
PID 2020 wrote to memory of 1224	2020	cmd.exe	33
PID 2020 wrote to memory of 1224	2020	cmd.exe	33
PID 2020 wrote to memory of 1224	2020	cmd.exe	33
PID 2020 wrote to memory of 1224	2020	cmd.exe	33
PID 2020 wrote to memory of 2000	2020	cmd.exe	34
PID 2020 wrote to memory of 2000	2020	cmd.exe	34
PID 2020 wrote to memory of 2000	2020	cmd.exe	34
PID 2020 wrote to memory of 2000	2020	cmd.exe	34
PID 2020 wrote to memory of 1824	2020	cmd.exe	35
PID 2020 wrote to memory of 1824	2020	cmd.exe	35
PID 2020 wrote to memory of 1824	2020	cmd.exe	35
PID 2020 wrote to memory of 1824	2020	cmd.exe	35
PID 2020 wrote to memory of 1984	2020	cmd.exe	36
PID 2020 wrote to memory of 1984	2020	cmd.exe	36
PID 2020 wrote to memory of 1984	2020	cmd.exe	36
PID 2020 wrote to memory of 1984	2020	cmd.exe	36
PID 1940 wrote to memory of 1932	1940	taskeng.exe	40
PID 1940 wrote to memory of 1932	1940	taskeng.exe	40
PID 1940 wrote to memory of 1932	1940	taskeng.exe	40
PID 1940 wrote to memory of 1932	1940	taskeng.exe	40
PID 1940 wrote to memory of 932	1940	taskeng.exe	41
PID 1940 wrote to memory of 932	1940	taskeng.exe	41
PID 1940 wrote to memory of 932	1940	taskeng.exe	41
PID 1940 wrote to memory of 932	1940	taskeng.exe	41
PID 1940 wrote to memory of 1516	1940	taskeng.exe	42
PID 1940 wrote to memory of 1516	1940	taskeng.exe	42
PID 1940 wrote to memory of 1516	1940	taskeng.exe	42
PID 1940 wrote to memory of 1516	1940	taskeng.exe	42

C:\Users\Admin\AppData\Local\Temp\0x00090000000122ea-1068.exe
"C:\Users\Admin\AppData\Local\Temp\0x00090000000122ea-1068.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metafor.exe" /P "Admin:N"
      4⤵
      PID:472
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metafor.exe" /P "Admin:R" /E
      4⤵
      PID:1224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\5975271bda" /P "Admin:N"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\5975271bda" /P "Admin:R" /E
      4⤵
      PID:1984

C:\Windows\system32\taskeng.exe
taskeng.exe {0DB09324-5721-49DB-B0C9-6881E178881C} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  2⤵
  - Executes dropped EXE
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads