amadey | 11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a360a5318a93a25cffac26e52.exe
Size

210KB
MD5

a360a5318a93a25cffac26e520664aa0
SHA1

cd5a0b59554767b3d4433fe9b5771352309bd10b
SHA256

11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb
SHA512

976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc
SSDEEP

3072:mhMCsw9/w+A4cwP+5OzutpHKGruONM4QuZA+67bi83eILfbq5kmh:5Cswq+AXYu7HGOSuZAlAILjq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.81

77.91.124.20/store/games/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
2356	oneetx.exe
2144	oneetx.exe
2772	oneetx.exe
2188	oneetx.exe

Loads dropped DLL 5 IoCs

pid	Process
2396	a360a5318a93a25cffac26e52.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe
808	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1968	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2396	a360a5318a93a25cffac26e52.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2356	2396	a360a5318a93a25cffac26e52.exe	29
PID 2396 wrote to memory of 2356	2396	a360a5318a93a25cffac26e52.exe	29
PID 2396 wrote to memory of 2356	2396	a360a5318a93a25cffac26e52.exe	29
PID 2396 wrote to memory of 2356	2396	a360a5318a93a25cffac26e52.exe	29
PID 2356 wrote to memory of 1968	2356	oneetx.exe	30
PID 2356 wrote to memory of 1968	2356	oneetx.exe	30
PID 2356 wrote to memory of 1968	2356	oneetx.exe	30
PID 2356 wrote to memory of 1968	2356	oneetx.exe	30
PID 2356 wrote to memory of 908	2356	oneetx.exe	32
PID 2356 wrote to memory of 908	2356	oneetx.exe	32
PID 2356 wrote to memory of 908	2356	oneetx.exe	32
PID 2356 wrote to memory of 908	2356	oneetx.exe	32
PID 908 wrote to memory of 3048	908	cmd.exe	34
PID 908 wrote to memory of 3048	908	cmd.exe	34
PID 908 wrote to memory of 3048	908	cmd.exe	34
PID 908 wrote to memory of 3048	908	cmd.exe	34
PID 908 wrote to memory of 1820	908	cmd.exe	35
PID 908 wrote to memory of 1820	908	cmd.exe	35
PID 908 wrote to memory of 1820	908	cmd.exe	35
PID 908 wrote to memory of 1820	908	cmd.exe	35
PID 908 wrote to memory of 2968	908	cmd.exe	36
PID 908 wrote to memory of 2968	908	cmd.exe	36
PID 908 wrote to memory of 2968	908	cmd.exe	36
PID 908 wrote to memory of 2968	908	cmd.exe	36
PID 908 wrote to memory of 2140	908	cmd.exe	37
PID 908 wrote to memory of 2140	908	cmd.exe	37
PID 908 wrote to memory of 2140	908	cmd.exe	37
PID 908 wrote to memory of 2140	908	cmd.exe	37
PID 908 wrote to memory of 2996	908	cmd.exe	38
PID 908 wrote to memory of 2996	908	cmd.exe	38
PID 908 wrote to memory of 2996	908	cmd.exe	38
PID 908 wrote to memory of 2996	908	cmd.exe	38
PID 908 wrote to memory of 892	908	cmd.exe	39
PID 908 wrote to memory of 892	908	cmd.exe	39
PID 908 wrote to memory of 892	908	cmd.exe	39
PID 908 wrote to memory of 892	908	cmd.exe	39
PID 1644 wrote to memory of 2144	1644	taskeng.exe	42
PID 1644 wrote to memory of 2144	1644	taskeng.exe	42
PID 1644 wrote to memory of 2144	1644	taskeng.exe	42
PID 1644 wrote to memory of 2144	1644	taskeng.exe	42
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 2356 wrote to memory of 808	2356	oneetx.exe	43
PID 1644 wrote to memory of 2772	1644	taskeng.exe	44
PID 1644 wrote to memory of 2772	1644	taskeng.exe	44
PID 1644 wrote to memory of 2772	1644	taskeng.exe	44
PID 1644 wrote to memory of 2772	1644	taskeng.exe	44
PID 1644 wrote to memory of 2188	1644	taskeng.exe	45
PID 1644 wrote to memory of 2188	1644	taskeng.exe	45
PID 1644 wrote to memory of 2188	1644	taskeng.exe	45
PID 1644 wrote to memory of 2188	1644	taskeng.exe	45

C:\Users\Admin\AppData\Local\Temp\a360a5318a93a25cffac26e52.exe
"C:\Users\Admin\AppData\Local\Temp\a360a5318a93a25cffac26e52.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3048
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:N"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "oneetx.exe" /P "Admin:R" /E
      4⤵
      PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2140
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\c3912af058" /P "Admin:N"
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\c3912af058" /P "Admin:R" /E
      4⤵
      PID:892
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:808

C:\Windows\system32\taskeng.exe
taskeng.exe {986930D3-42E1-4CC8-8833-0235BE2635C9} S-1-5-21-1724861073-2584418204-2594431177-1000:RXPFQWTW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:2188

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
274B

MD5
dabcfe2687e713bb380b6e25ef283834

SHA1
a4bafd3ccbc7168ec0744da8a7ee479bdca20a86

SHA256
e19229d913de6adcb653e0273736c2962ce8d4a8721d77353ee71d0614d2c19a

SHA512
4634889f2dcc698f0adfa40579d6243517a1c9248d8b3d6d17fbb998a97d862ced3037b55f267d7d2369ca149c48138dd77b509415216527111e3ce483027e8b

Download Submit
\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe

Filesize
210KB

MD5
a360a5318a93a25cffac26e520664aa0

SHA1
cd5a0b59554767b3d4433fe9b5771352309bd10b

SHA256
11f92e94779bb92b48a6ce6b0f12e262b931ff2d8f1eeb6000d708b5f3059abb

SHA512
976d7d1001c26230e825e087e9f0edf6cf82d3ec0c2fd99667b05eb80729c3c2a5e1b45c3327f84c6283c23bfab1c0e93663c90d4a506c11bdcb34ef0f4c72dc

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads