amadey | 2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

Analysis

max time kernel
266s
max time network
254s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15-06-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
Size

5.0MB
MD5

890e29d78179dc4611286b863c50df53
SHA1

7bee367b02f66898b9ffb0f2569ca79c04edc19a
SHA256

2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734
SHA512

3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08
SSDEEP

98304:I95KeVzJFLYDAQlsumF2SEGKhq1v/28fV4AAc0cq9FcFzUkKm:ArQm2FGKq28tIbWzSm

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.80

45.15.156.208/jd9dd3Vw/index.php

second.amadgood.com/jd9dd3Vw/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 6 IoCs

pid	Process
2608	oneetx.exe
4796	oneetx.exe
1328	oneetx.exe
4664	oneetx.exe
4944	oneetx.exe
524	oneetx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2132	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
2132	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
2608	oneetx.exe
2608	oneetx.exe
4796	oneetx.exe
4796	oneetx.exe
1328	oneetx.exe
1328	oneetx.exe
4664	oneetx.exe
4664	oneetx.exe
4944	oneetx.exe
4944	oneetx.exe
524	oneetx.exe
524	oneetx.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2132	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2608	2132	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	66
PID 2132 wrote to memory of 2608	2132	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	66
PID 2132 wrote to memory of 2608	2132	2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe	66
PID 2608 wrote to memory of 3932	2608	oneetx.exe	67
PID 2608 wrote to memory of 3932	2608	oneetx.exe	67
PID 2608 wrote to memory of 3932	2608	oneetx.exe	67
PID 2608 wrote to memory of 4224	2608	oneetx.exe	69
PID 2608 wrote to memory of 4224	2608	oneetx.exe	69
PID 2608 wrote to memory of 4224	2608	oneetx.exe	69
PID 4224 wrote to memory of 2612	4224	cmd.exe	71
PID 4224 wrote to memory of 2612	4224	cmd.exe	71
PID 4224 wrote to memory of 2612	4224	cmd.exe	71
PID 4224 wrote to memory of 2008	4224	cmd.exe	72
PID 4224 wrote to memory of 2008	4224	cmd.exe	72
PID 4224 wrote to memory of 2008	4224	cmd.exe	72
PID 4224 wrote to memory of 3516	4224	cmd.exe	73
PID 4224 wrote to memory of 3516	4224	cmd.exe	73
PID 4224 wrote to memory of 3516	4224	cmd.exe	73
PID 4224 wrote to memory of 4728	4224	cmd.exe	75
PID 4224 wrote to memory of 4728	4224	cmd.exe	75
PID 4224 wrote to memory of 4728	4224	cmd.exe	75
PID 4224 wrote to memory of 3732	4224	cmd.exe	74
PID 4224 wrote to memory of 3732	4224	cmd.exe	74
PID 4224 wrote to memory of 3732	4224	cmd.exe	74
PID 4224 wrote to memory of 3456	4224	cmd.exe	76
PID 4224 wrote to memory of 3456	4224	cmd.exe	76
PID 4224 wrote to memory of 3456	4224	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe
"C:\Users\Admin\AppData\Local\Temp\2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:3516
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:N"
      4⤵
      PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:4728
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\eb0f58bce7" /P "Admin:R" /E
      4⤵
      PID:3456

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\311743041116

Filesize
75KB

MD5
293e9d67309fd84b9d520bb808dcb79d

SHA1
c6f5520a6eba11026fce9c5e3dd4e6615cabb564

SHA256
26b720cc9fa9841b638ecccbe0661040c702d5569130cd19747cd4b64984214b

SHA512
c02b0f93aa71f7e87e596b841dab51a6fb3d7d1b8cd1196aaeb369d1485b1809408c6d8859b4a65ea47b2b7918282029af2dfe3575cba0c603ab540630fa7997

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

Filesize
5.0MB

MD5
890e29d78179dc4611286b863c50df53

SHA1
7bee367b02f66898b9ffb0f2569ca79c04edc19a

SHA256
2fd399beb67f956f71061414caf34b5235b34078be4147e67b9f1a9623857734

SHA512
3b94b71c0301ed09c1c3fd40e9be74552e2b17fa957fb6d09c7d05451859d57b851b3b6a63dfc7bf38e9d791028841d72618f6f6deaa92ec51f7bb65f0e36e08

Download Submit
memory/524-200-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/524-205-0x0000000001200000-0x0000000001A47000-memory.dmp

Filesize
8.3MB

Download
memory/524-204-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/524-203-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/524-202-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/524-201-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/524-199-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/1328-175-0x0000000001200000-0x0000000001A47000-memory.dmp

Filesize
8.3MB

Download
memory/1328-174-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/1328-171-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1328-170-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/1328-169-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1328-172-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/1328-173-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2132-127-0x00000000003C0000-0x0000000000C07000-memory.dmp

Filesize
8.3MB

Download
memory/2132-125-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2132-123-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/2132-122-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2132-121-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/2132-126-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2132-124-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2608-141-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2608-136-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2608-142-0x0000000001200000-0x0000000001A47000-memory.dmp

Filesize
8.3MB

Download
memory/2608-140-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2608-138-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/2608-139-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2608-137-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/4664-180-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4664-181-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4664-183-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4664-184-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/4664-185-0x0000000001200000-0x0000000001A47000-memory.dmp

Filesize
8.3MB

Download
memory/4664-179-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4664-182-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4796-165-0x0000000001200000-0x0000000001A47000-memory.dmp

Filesize
8.3MB

Download
memory/4796-160-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/4796-161-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/4796-162-0x0000000001120000-0x0000000001121000-memory.dmp

Filesize
4KB

Download
memory/4796-163-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4796-164-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/4796-159-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/4944-189-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4944-195-0x0000000001200000-0x0000000001A47000-memory.dmp

Filesize
8.3MB

Download
memory/4944-194-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/4944-193-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/4944-192-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4944-191-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/4944-190-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download