amadey | b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2023, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x00070000000133d2-127.exe
Size

205KB
MD5

d07ba8a664d4975c09c5f3f7466d63b2
SHA1

18000001c51e5ae6331fe0af325ab7afe3be3805
SHA256

b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d
SHA512

e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b
SSDEEP

3072:CXkSckkHbzG1iXAt60p0zuNmnKG7peNMQbuZAIOb2y3xfbT:8kSDAzG1iciuInRexuZAIKj

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.84

77.91.68.63/doma/net/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	0x00070000000133d2-127.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	rugen.exe

Executes dropped EXE 4 IoCs

pid	Process
3180	rugen.exe
3244	rugen.exe
3016	rugen.exe
4796	rugen.exe

Loads dropped DLL 1 IoCs

pid	Process
3892	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3712	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1036	0x00070000000133d2-127.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 3180	1036	0x00070000000133d2-127.exe	84
PID 1036 wrote to memory of 3180	1036	0x00070000000133d2-127.exe	84
PID 1036 wrote to memory of 3180	1036	0x00070000000133d2-127.exe	84
PID 3180 wrote to memory of 3712	3180	rugen.exe	85
PID 3180 wrote to memory of 3712	3180	rugen.exe	85
PID 3180 wrote to memory of 3712	3180	rugen.exe	85
PID 3180 wrote to memory of 3120	3180	rugen.exe	87
PID 3180 wrote to memory of 3120	3180	rugen.exe	87
PID 3180 wrote to memory of 3120	3180	rugen.exe	87
PID 3120 wrote to memory of 4692	3120	cmd.exe	89
PID 3120 wrote to memory of 4692	3120	cmd.exe	89
PID 3120 wrote to memory of 4692	3120	cmd.exe	89
PID 3120 wrote to memory of 1424	3120	cmd.exe	90
PID 3120 wrote to memory of 1424	3120	cmd.exe	90
PID 3120 wrote to memory of 1424	3120	cmd.exe	90
PID 3120 wrote to memory of 4272	3120	cmd.exe	91
PID 3120 wrote to memory of 4272	3120	cmd.exe	91
PID 3120 wrote to memory of 4272	3120	cmd.exe	91
PID 3120 wrote to memory of 4540	3120	cmd.exe	92
PID 3120 wrote to memory of 4540	3120	cmd.exe	92
PID 3120 wrote to memory of 4540	3120	cmd.exe	92
PID 3120 wrote to memory of 4904	3120	cmd.exe	93
PID 3120 wrote to memory of 4904	3120	cmd.exe	93
PID 3120 wrote to memory of 4904	3120	cmd.exe	93
PID 3120 wrote to memory of 1420	3120	cmd.exe	94
PID 3120 wrote to memory of 1420	3120	cmd.exe	94
PID 3120 wrote to memory of 1420	3120	cmd.exe	94
PID 3180 wrote to memory of 3892	3180	rugen.exe	103
PID 3180 wrote to memory of 3892	3180	rugen.exe	103
PID 3180 wrote to memory of 3892	3180	rugen.exe	103

C:\Users\Admin\AppData\Local\Temp\0x00070000000133d2-127.exe
"C:\Users\Admin\AppData\Local\Temp\0x00070000000133d2-127.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rugen.exe" /P "Admin:N"
      4⤵
      PID:1424
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rugen.exe" /P "Admin:R" /E
      4⤵
      PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4540
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\200f691d32" /P "Admin:N"
      4⤵
      PID:4904
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\200f691d32" /P "Admin:R" /E
      4⤵
      PID:1420
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3892

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
1⤵
- Executes dropped EXE
PID:3016

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
1⤵
- Executes dropped EXE
PID:4796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
d07ba8a664d4975c09c5f3f7466d63b2

SHA1
18000001c51e5ae6331fe0af325ab7afe3be3805

SHA256
b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

SHA512
e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
d07ba8a664d4975c09c5f3f7466d63b2

SHA1
18000001c51e5ae6331fe0af325ab7afe3be3805

SHA256
b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

SHA512
e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
d07ba8a664d4975c09c5f3f7466d63b2

SHA1
18000001c51e5ae6331fe0af325ab7afe3be3805

SHA256
b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

SHA512
e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
d07ba8a664d4975c09c5f3f7466d63b2

SHA1
18000001c51e5ae6331fe0af325ab7afe3be3805

SHA256
b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

SHA512
e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
d07ba8a664d4975c09c5f3f7466d63b2

SHA1
18000001c51e5ae6331fe0af325ab7afe3be3805

SHA256
b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

SHA512
e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
d07ba8a664d4975c09c5f3f7466d63b2

SHA1
18000001c51e5ae6331fe0af325ab7afe3be3805

SHA256
b14b683234bd237221ad730c33a2053a7606dcc3396ffc6cb6853f9fdde3123d

SHA512
e0869634f2f3da631dd4584ee0af7c52ea881408434714a3ce5eb5eda39ddf1be94a9418d727950c7db5231c616c8dcaacb3652d28b7069865fbbe18a9639f8b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads