amadey | 8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

General

Target

0x00090000000122ea-1068.exe
Size

228KB
MD5

d6b7bfaed247ac3d9668cd1af4e92fd0
SHA1

e0228189cc5aaee3be86c6e9e604b82b3e3b96a3
SHA256

8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f
SHA512

d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b
SSDEEP

6144:4rzyIG8IcCnD5A2QdY8rWpau1CYUqfhYdMBg:KmlLnD5qdY8Fu1CYUehrBg

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.68

C2

31.41.244.200/games/category/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	0x00090000000122ea-1068.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	metafor.exe

Executes dropped EXE 4 IoCs

pid	Process
520	metafor.exe
4828	metafor.exe
3180	metafor.exe
4748	metafor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5064	schtasks.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 520	2828	0x00090000000122ea-1068.exe	84
PID 2828 wrote to memory of 520	2828	0x00090000000122ea-1068.exe	84
PID 2828 wrote to memory of 520	2828	0x00090000000122ea-1068.exe	84
PID 520 wrote to memory of 5064	520	metafor.exe	85
PID 520 wrote to memory of 5064	520	metafor.exe	85
PID 520 wrote to memory of 5064	520	metafor.exe	85
PID 520 wrote to memory of 4268	520	metafor.exe	87
PID 520 wrote to memory of 4268	520	metafor.exe	87
PID 520 wrote to memory of 4268	520	metafor.exe	87
PID 4268 wrote to memory of 3872	4268	cmd.exe	89
PID 4268 wrote to memory of 3872	4268	cmd.exe	89
PID 4268 wrote to memory of 3872	4268	cmd.exe	89
PID 4268 wrote to memory of 640	4268	cmd.exe	90
PID 4268 wrote to memory of 640	4268	cmd.exe	90
PID 4268 wrote to memory of 640	4268	cmd.exe	90
PID 4268 wrote to memory of 4796	4268	cmd.exe	91
PID 4268 wrote to memory of 4796	4268	cmd.exe	91
PID 4268 wrote to memory of 4796	4268	cmd.exe	91
PID 4268 wrote to memory of 1480	4268	cmd.exe	92
PID 4268 wrote to memory of 1480	4268	cmd.exe	92
PID 4268 wrote to memory of 1480	4268	cmd.exe	92
PID 4268 wrote to memory of 1580	4268	cmd.exe	93
PID 4268 wrote to memory of 1580	4268	cmd.exe	93
PID 4268 wrote to memory of 1580	4268	cmd.exe	93
PID 4268 wrote to memory of 816	4268	cmd.exe	94
PID 4268 wrote to memory of 816	4268	cmd.exe	94
PID 4268 wrote to memory of 816	4268	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\0x00090000000122ea-1068.exe
"C:\Users\Admin\AppData\Local\Temp\0x00090000000122ea-1068.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
  "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metafor.exe /TR "C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metafor.exe" /P "Admin:N"&&CACLS "metafor.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5975271bda" /P "Admin:N"&&CACLS "..\5975271bda" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3872
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metafor.exe" /P "Admin:N"
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "metafor.exe" /P "Admin:R" /E
      4⤵
      PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\5975271bda" /P "Admin:N"
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\5975271bda" /P "Admin:R" /E
      4⤵
      PID:816

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:3180

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe
1⤵
- Executes dropped EXE
PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5975271bda\metafor.exe

Filesize
228KB

MD5
d6b7bfaed247ac3d9668cd1af4e92fd0

SHA1
e0228189cc5aaee3be86c6e9e604b82b3e3b96a3

SHA256
8bff018ecf629fbcc40824596e7b1d693e4eb4540b1bb67c31ebe14a09ba927f

SHA512
d8263c2a6f42186be5a5461f73dcb8809a13e1dc1518abb864b2c920157e898d3becdfb538013f26dd7304cd03fc419448156cafa29c8e1219393b9beeea4c7b

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads