amadey | 9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

Analysis

max time kernel
97s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x00070000000126ed-92.exe
Size

211KB
MD5

6508c789b5dec2d917720ee4e0b0333b
SHA1

535b4b10909b09d6faa4aed045037c5cbc8c99ab
SHA256

9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2
SHA512

9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c
SSDEEP

3072:H/DmgskHbfHN+Pst60p0zuNmnKG7peNMQbuZAIqbey3lfbi:fDmfAfHN+wiuInRexuZAIij

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.83

77.91.68.30/music/rock/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 3 IoCs

Processes:

lamod.exelamod.exelamod.exe

pid process

1768 lamod.exe
328 lamod.exe
1988 lamod.exe
Loads dropped DLL 5 IoCs

Processes:

0x00070000000126ed-92.exerundll32.exe

pid process

1096 0x00070000000126ed-92.exe
912 rundll32.exe
912 rundll32.exe
912 rundll32.exe
912 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

692 schtasks.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0x00070000000126ed-92.exe

pid process

1096 0x00070000000126ed-92.exe

pid	process
1768	lamod.exe
328	lamod.exe
1988	lamod.exe

pid	process
1096	0x00070000000126ed-92.exe
912	rundll32.exe
912	rundll32.exe
912	rundll32.exe
912	rundll32.exe

pid	process
692	schtasks.exe

pid	process
1096	0x00070000000126ed-92.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

0x00070000000126ed-92.exelamod.execmd.exetaskeng.exe

description	pid	process	target process
PID 1096 wrote to memory of 1768	1096	0x00070000000126ed-92.exe	lamod.exe
PID 1096 wrote to memory of 1768	1096	0x00070000000126ed-92.exe	lamod.exe
PID 1096 wrote to memory of 1768	1096	0x00070000000126ed-92.exe	lamod.exe
PID 1096 wrote to memory of 1768	1096	0x00070000000126ed-92.exe	lamod.exe
PID 1768 wrote to memory of 692	1768	lamod.exe	schtasks.exe
PID 1768 wrote to memory of 692	1768	lamod.exe	schtasks.exe
PID 1768 wrote to memory of 692	1768	lamod.exe	schtasks.exe
PID 1768 wrote to memory of 692	1768	lamod.exe	schtasks.exe
PID 1768 wrote to memory of 268	1768	lamod.exe	cmd.exe
PID 1768 wrote to memory of 268	1768	lamod.exe	cmd.exe
PID 1768 wrote to memory of 268	1768	lamod.exe	cmd.exe
PID 1768 wrote to memory of 268	1768	lamod.exe	cmd.exe
PID 268 wrote to memory of 108	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 108	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 108	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 108	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1740	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1740	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1740	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1740	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1520	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1520	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1520	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1520	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1980	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1980	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1980	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 1980	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 904	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 904	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 904	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 904	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1776	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1776	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1776	268	cmd.exe	cacls.exe
PID 268 wrote to memory of 1776	268	cmd.exe	cacls.exe
PID 1688 wrote to memory of 328	1688	taskeng.exe	lamod.exe
PID 1688 wrote to memory of 328	1688	taskeng.exe	lamod.exe
PID 1688 wrote to memory of 328	1688	taskeng.exe	lamod.exe
PID 1688 wrote to memory of 328	1688	taskeng.exe	lamod.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1768 wrote to memory of 912	1768	lamod.exe	rundll32.exe
PID 1688 wrote to memory of 1988	1688	taskeng.exe	lamod.exe
PID 1688 wrote to memory of 1988	1688	taskeng.exe	lamod.exe
PID 1688 wrote to memory of 1988	1688	taskeng.exe	lamod.exe
PID 1688 wrote to memory of 1988	1688	taskeng.exe	lamod.exe

C:\Users\Admin\AppData\Local\Temp\0x00070000000126ed-92.exe
"C:\Users\Admin\AppData\Local\Temp\0x00070000000126ed-92.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
3⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:108

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
4⤵
PID:1740

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
4⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
4⤵
PID:904

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
4⤵
PID:1776

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:912

C:\Windows\system32\taskeng.exe
taskeng.exe {33506574-CF87-425E-8B2E-101BB9F34570} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
2⤵
- Executes dropped EXE
PID:328

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
2⤵
- Executes dropped EXE
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
211KB

MD5
6508c789b5dec2d917720ee4e0b0333b

SHA1
535b4b10909b09d6faa4aed045037c5cbc8c99ab

SHA256
9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

SHA512
9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
211KB

MD5
6508c789b5dec2d917720ee4e0b0333b

SHA1
535b4b10909b09d6faa4aed045037c5cbc8c99ab

SHA256
9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

SHA512
9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
211KB

MD5
6508c789b5dec2d917720ee4e0b0333b

SHA1
535b4b10909b09d6faa4aed045037c5cbc8c99ab

SHA256
9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

SHA512
9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
211KB

MD5
6508c789b5dec2d917720ee4e0b0333b

SHA1
535b4b10909b09d6faa4aed045037c5cbc8c99ab

SHA256
9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

SHA512
9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
211KB

MD5
6508c789b5dec2d917720ee4e0b0333b

SHA1
535b4b10909b09d6faa4aed045037c5cbc8c99ab

SHA256
9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

SHA512
9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
211KB

MD5
6508c789b5dec2d917720ee4e0b0333b

SHA1
535b4b10909b09d6faa4aed045037c5cbc8c99ab

SHA256
9efab77020b2e4681efe47a0362805c66b5c257d465c2811b364fca40c15b5c2

SHA512
9f519f4846d05e3812012772c06f0fc30bf07687c48f12e140289d10c89cc6b99e83f793f848a3b644d86012c3240b19db5bf71a4fabbc78a68fe0604148358c

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit