amadey | 92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e

Analysis

max time kernel
106s
max time network
121s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
16/06/2023, 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe
Size

205KB
MD5

4d8ac2539b358f46d1807f2dbd7fa17d
SHA1

49f643dd44870e3ce8b779822bdf990184c7e5f5
SHA256

92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e
SHA512

5600c88350a7e9964d98ad778076be44654eef1d73fb79639e75c984424c795cc347606b812ce79fbbae1b02c96660a1fb8fb6907c15d8fd5b0aa6237b55738f
SSDEEP

3072:CXkSckkHbzG1iXAt60p0zuNmnKG7peNMQbuZAIOb2y3xfbT:8kSDAzG1iciuInRexuZAIKj

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.84

77.91.68.63/doma/net/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
4256	rugen.exe
2744	rugen.exe
4936	rugen.exe

Loads dropped DLL 1 IoCs

pid	Process
1372	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4012	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1484	92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 4256	1484	92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe	66
PID 1484 wrote to memory of 4256	1484	92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe	66
PID 1484 wrote to memory of 4256	1484	92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe	66
PID 4256 wrote to memory of 4012	4256	rugen.exe	67
PID 4256 wrote to memory of 4012	4256	rugen.exe	67
PID 4256 wrote to memory of 4012	4256	rugen.exe	67
PID 4256 wrote to memory of 4016	4256	rugen.exe	69
PID 4256 wrote to memory of 4016	4256	rugen.exe	69
PID 4256 wrote to memory of 4016	4256	rugen.exe	69
PID 4016 wrote to memory of 2772	4016	cmd.exe	71
PID 4016 wrote to memory of 2772	4016	cmd.exe	71
PID 4016 wrote to memory of 2772	4016	cmd.exe	71
PID 4016 wrote to memory of 4744	4016	cmd.exe	72
PID 4016 wrote to memory of 4744	4016	cmd.exe	72
PID 4016 wrote to memory of 4744	4016	cmd.exe	72
PID 4016 wrote to memory of 3540	4016	cmd.exe	73
PID 4016 wrote to memory of 3540	4016	cmd.exe	73
PID 4016 wrote to memory of 3540	4016	cmd.exe	73
PID 4016 wrote to memory of 3648	4016	cmd.exe	74
PID 4016 wrote to memory of 3648	4016	cmd.exe	74
PID 4016 wrote to memory of 3648	4016	cmd.exe	74
PID 4016 wrote to memory of 3532	4016	cmd.exe	75
PID 4016 wrote to memory of 3532	4016	cmd.exe	75
PID 4016 wrote to memory of 3532	4016	cmd.exe	75
PID 4016 wrote to memory of 3736	4016	cmd.exe	76
PID 4016 wrote to memory of 3736	4016	cmd.exe	76
PID 4016 wrote to memory of 3736	4016	cmd.exe	76
PID 4256 wrote to memory of 1372	4256	rugen.exe	78
PID 4256 wrote to memory of 1372	4256	rugen.exe	78
PID 4256 wrote to memory of 1372	4256	rugen.exe	78

C:\Users\Admin\AppData\Local\Temp\92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe
"C:\Users\Admin\AppData\Local\Temp\92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
  "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rugen.exe /TR "C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rugen.exe" /P "Admin:N"&&CACLS "rugen.exe" /P "Admin:R" /E&&echo Y|CACLS "..\200f691d32" /P "Admin:N"&&CACLS "..\200f691d32" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rugen.exe" /P "Admin:N"
      4⤵
      PID:4744
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "rugen.exe" /P "Admin:R" /E
      4⤵
      PID:3540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3648
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\200f691d32" /P "Admin:N"
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\200f691d32" /P "Admin:R" /E
      4⤵
      PID:3736
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1372

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe
1⤵
- Executes dropped EXE
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
4d8ac2539b358f46d1807f2dbd7fa17d

SHA1
49f643dd44870e3ce8b779822bdf990184c7e5f5

SHA256
92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e

SHA512
5600c88350a7e9964d98ad778076be44654eef1d73fb79639e75c984424c795cc347606b812ce79fbbae1b02c96660a1fb8fb6907c15d8fd5b0aa6237b55738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
4d8ac2539b358f46d1807f2dbd7fa17d

SHA1
49f643dd44870e3ce8b779822bdf990184c7e5f5

SHA256
92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e

SHA512
5600c88350a7e9964d98ad778076be44654eef1d73fb79639e75c984424c795cc347606b812ce79fbbae1b02c96660a1fb8fb6907c15d8fd5b0aa6237b55738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
4d8ac2539b358f46d1807f2dbd7fa17d

SHA1
49f643dd44870e3ce8b779822bdf990184c7e5f5

SHA256
92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e

SHA512
5600c88350a7e9964d98ad778076be44654eef1d73fb79639e75c984424c795cc347606b812ce79fbbae1b02c96660a1fb8fb6907c15d8fd5b0aa6237b55738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
4d8ac2539b358f46d1807f2dbd7fa17d

SHA1
49f643dd44870e3ce8b779822bdf990184c7e5f5

SHA256
92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e

SHA512
5600c88350a7e9964d98ad778076be44654eef1d73fb79639e75c984424c795cc347606b812ce79fbbae1b02c96660a1fb8fb6907c15d8fd5b0aa6237b55738f

Download Submit
C:\Users\Admin\AppData\Local\Temp\200f691d32\rugen.exe

Filesize
205KB

MD5
4d8ac2539b358f46d1807f2dbd7fa17d

SHA1
49f643dd44870e3ce8b779822bdf990184c7e5f5

SHA256
92e9d5140a119a0c8a38baf9156895378626ad171be5475585e383fbed885e2e

SHA512
5600c88350a7e9964d98ad778076be44654eef1d73fb79639e75c984424c795cc347606b812ce79fbbae1b02c96660a1fb8fb6907c15d8fd5b0aa6237b55738f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
83fc14fb36516facb19e0e96286f7f48

SHA1
40082ca06de4c377585cd164fb521bacadb673da

SHA256
08dabdd0b0fb13d5d748daf1173f392aa27eb9943eef78bd29e6a8fa61007a6e

SHA512
ba60d28195b8ce60fd6f4cd57919a190c910af3e71e2858ed266a958314798ed51323d3c870c572d2fb873aae34387afa0dd8c7624e5f5cf51e586aafb76efcf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads