amadey | 2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

Resubmissions

15-06-2023 04:44

230615-fda9msef7s 10

15-06-2023 04:22

230615-ezhp6sef24 10

Analysis

max time kernel
110s
max time network
64s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
Size

5.0MB
MD5

890e29d78179dc4611286b863c50df53
SHA1

7bee367b02f66898b9ffb0f2569ca79c04edc19a
SHA256

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734
SHA512

3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08
SSDEEP

98304:I95KeVzJFLYDAQlsumF2SEGKhq1v/28fV4AAc0cq9FcFzUkKm:ArQm2FGKq28tIbWzSm

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
524	oneetx.exe
1608	oneetx.exe
1384	oneetx.exe

Loads dropped DLL 1 IoCs

pid	Process
1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
524	oneetx.exe
1608	oneetx.exe
1384	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 524	1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 1520 wrote to memory of 524	1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 1520 wrote to memory of 524	1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 1520 wrote to memory of 524	1520	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	28
PID 524 wrote to memory of 792	524	oneetx.exe	29
PID 524 wrote to memory of 792	524	oneetx.exe	29
PID 524 wrote to memory of 792	524	oneetx.exe	29
PID 524 wrote to memory of 792	524	oneetx.exe	29
PID 524 wrote to memory of 824	524	oneetx.exe	31
PID 524 wrote to memory of 824	524	oneetx.exe	31
PID 524 wrote to memory of 824	524	oneetx.exe	31
PID 524 wrote to memory of 824	524	oneetx.exe	31
PID 824 wrote to memory of 652	824	cmd.exe	33
PID 824 wrote to memory of 652	824	cmd.exe	33
PID 824 wrote to memory of 652	824	cmd.exe	33
PID 824 wrote to memory of 652	824	cmd.exe	33
PID 824 wrote to memory of 280	824	cmd.exe	34
PID 824 wrote to memory of 280	824	cmd.exe	34
PID 824 wrote to memory of 280	824	cmd.exe	34
PID 824 wrote to memory of 280	824	cmd.exe	34
PID 824 wrote to memory of 580	824	cmd.exe	35
PID 824 wrote to memory of 580	824	cmd.exe	35
PID 824 wrote to memory of 580	824	cmd.exe	35
PID 824 wrote to memory of 580	824	cmd.exe	35
PID 824 wrote to memory of 1236	824	cmd.exe	36
PID 824 wrote to memory of 1236	824	cmd.exe	36
PID 824 wrote to memory of 1236	824	cmd.exe	36
PID 824 wrote to memory of 1236	824	cmd.exe	36
PID 824 wrote to memory of 1168	824	cmd.exe	37
PID 824 wrote to memory of 1168	824	cmd.exe	37
PID 824 wrote to memory of 1168	824	cmd.exe	37
PID 824 wrote to memory of 1168	824	cmd.exe	37
PID 824 wrote to memory of 924	824	cmd.exe	38
PID 824 wrote to memory of 924	824	cmd.exe	38
PID 824 wrote to memory of 924	824	cmd.exe	38
PID 824 wrote to memory of 924	824	cmd.exe	38
PID 984 wrote to memory of 1608	984	taskeng.exe	42
PID 984 wrote to memory of 1608	984	taskeng.exe	42
PID 984 wrote to memory of 1608	984	taskeng.exe	42
PID 984 wrote to memory of 1608	984	taskeng.exe	42
PID 984 wrote to memory of 1384	984	taskeng.exe	43
PID 984 wrote to memory of 1384	984	taskeng.exe	43
PID 984 wrote to memory of 1384	984	taskeng.exe	43
PID 984 wrote to memory of 1384	984	taskeng.exe	43

C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
"C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:792
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:652
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:280
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:N"
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:R" /E
      4⤵
      PID:924

C:\Windows\system32\taskeng.exe
taskeng.exe {DA85BADF-02F0-49C8-A01E-131FE84CCB0A} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:984
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\283023626844

Filesize
73KB

MD5
c8052257b1e96ed4a6f0c6af240bb9a0

SHA1
7a69787ba20544db806667365873eac64137ae56

SHA256
7f9af74862f747e9e80fa24d148be830871cb0645dc13f2ce5e94f9581a086e8

SHA512
d7b7dde7db9faa6f47ab5503edf22b0b700a9325ba938f662b131c29422a3fa3c4ef87637eb72521dfd57e07cda7e821c935a8e8591eb680047460a98147023e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
memory/524-90-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/524-87-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/524-101-0x0000000000B50000-0x0000000001397000-memory.dmp

Filesize
8.3MB

Download
memory/524-100-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/524-99-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/524-97-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/524-96-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/524-94-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/524-93-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/524-91-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/524-88-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/524-84-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/524-85-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1520-59-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1520-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1520-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1520-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1520-62-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1520-72-0x0000000000E70000-0x00000000016B7000-memory.dmp

Filesize
8.3MB

Download
memory/1520-71-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1520-70-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1520-68-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1520-67-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1520-65-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1520-58-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1520-57-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1520-64-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1520-54-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1608-116-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1608-118-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1608-119-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1608-121-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1608-122-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1608-125-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1608-128-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1608-131-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1608-132-0x0000000000B50000-0x0000000001397000-memory.dmp

Filesize
8.3MB

Download
memory/1608-115-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download