amadey | 2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
01-08-2023 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0005000000018fb5-96.exe
Size

227KB
MD5

987d91f989839f79a8f6fa003a43ca18
SHA1

e58429b4acf6d7dfef96ed598d75109ead1ff8d7
SHA256

2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9
SHA512

aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49
SSDEEP

3072:3vtV3ROZ6RDwrR3wMUzUVwQ3rInyRnIvPak3hhiHFSbuZhuNcZVKBzqm8LHIkbGB:ftV3euVz6rKyS3yHFHhuNcPKpwU+

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
2956	pdates.exe
976	pdates.exe
1724	pdates.exe

Loads dropped DLL 5 IoCs

pid	Process
2156	0x0005000000018fb5-96.exe
2320	rundll32.exe
2320	rundll32.exe
2320	rundll32.exe
2320	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2964	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	0x0005000000018fb5-96.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2956	2156	0x0005000000018fb5-96.exe	28
PID 2156 wrote to memory of 2956	2156	0x0005000000018fb5-96.exe	28
PID 2156 wrote to memory of 2956	2156	0x0005000000018fb5-96.exe	28
PID 2156 wrote to memory of 2956	2156	0x0005000000018fb5-96.exe	28
PID 2956 wrote to memory of 2964	2956	pdates.exe	29
PID 2956 wrote to memory of 2964	2956	pdates.exe	29
PID 2956 wrote to memory of 2964	2956	pdates.exe	29
PID 2956 wrote to memory of 2964	2956	pdates.exe	29
PID 2956 wrote to memory of 2840	2956	pdates.exe	31
PID 2956 wrote to memory of 2840	2956	pdates.exe	31
PID 2956 wrote to memory of 2840	2956	pdates.exe	31
PID 2956 wrote to memory of 2840	2956	pdates.exe	31
PID 2840 wrote to memory of 2752	2840	cmd.exe	33
PID 2840 wrote to memory of 2752	2840	cmd.exe	33
PID 2840 wrote to memory of 2752	2840	cmd.exe	33
PID 2840 wrote to memory of 2752	2840	cmd.exe	33
PID 2840 wrote to memory of 1624	2840	cmd.exe	34
PID 2840 wrote to memory of 1624	2840	cmd.exe	34
PID 2840 wrote to memory of 1624	2840	cmd.exe	34
PID 2840 wrote to memory of 1624	2840	cmd.exe	34
PID 2840 wrote to memory of 2368	2840	cmd.exe	35
PID 2840 wrote to memory of 2368	2840	cmd.exe	35
PID 2840 wrote to memory of 2368	2840	cmd.exe	35
PID 2840 wrote to memory of 2368	2840	cmd.exe	35
PID 2840 wrote to memory of 2892	2840	cmd.exe	36
PID 2840 wrote to memory of 2892	2840	cmd.exe	36
PID 2840 wrote to memory of 2892	2840	cmd.exe	36
PID 2840 wrote to memory of 2892	2840	cmd.exe	36
PID 2840 wrote to memory of 2772	2840	cmd.exe	37
PID 2840 wrote to memory of 2772	2840	cmd.exe	37
PID 2840 wrote to memory of 2772	2840	cmd.exe	37
PID 2840 wrote to memory of 2772	2840	cmd.exe	37
PID 2840 wrote to memory of 2912	2840	cmd.exe	38
PID 2840 wrote to memory of 2912	2840	cmd.exe	38
PID 2840 wrote to memory of 2912	2840	cmd.exe	38
PID 2840 wrote to memory of 2912	2840	cmd.exe	38
PID 1640 wrote to memory of 976	1640	taskeng.exe	43
PID 1640 wrote to memory of 976	1640	taskeng.exe	43
PID 1640 wrote to memory of 976	1640	taskeng.exe	43
PID 1640 wrote to memory of 976	1640	taskeng.exe	43
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 2956 wrote to memory of 2320	2956	pdates.exe	44
PID 1640 wrote to memory of 1724	1640	taskeng.exe	45
PID 1640 wrote to memory of 1724	1640	taskeng.exe	45
PID 1640 wrote to memory of 1724	1640	taskeng.exe	45
PID 1640 wrote to memory of 1724	1640	taskeng.exe	45

C:\Users\Admin\AppData\Local\Temp\0x0005000000018fb5-96.exe
"C:\Users\Admin\AppData\Local\Temp\0x0005000000018fb5-96.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "pdates.exe" /P "Admin:N"
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "pdates.exe" /P "Admin:R" /E
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\925e7e99c5" /P "Admin:N"
      4⤵
      PID:2772
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\925e7e99c5" /P "Admin:R" /E
      4⤵
      PID:2912
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2320

C:\Windows\system32\taskeng.exe
taskeng.exe {0579606A-B4CF-41D3-AF26-0978E025D607} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  2⤵
  - Executes dropped EXE
  PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
987d91f989839f79a8f6fa003a43ca18

SHA1
e58429b4acf6d7dfef96ed598d75109ead1ff8d7

SHA256
2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

SHA512
aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
987d91f989839f79a8f6fa003a43ca18

SHA1
e58429b4acf6d7dfef96ed598d75109ead1ff8d7

SHA256
2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

SHA512
aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
987d91f989839f79a8f6fa003a43ca18

SHA1
e58429b4acf6d7dfef96ed598d75109ead1ff8d7

SHA256
2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

SHA512
aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
987d91f989839f79a8f6fa003a43ca18

SHA1
e58429b4acf6d7dfef96ed598d75109ead1ff8d7

SHA256
2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

SHA512
aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
987d91f989839f79a8f6fa003a43ca18

SHA1
e58429b4acf6d7dfef96ed598d75109ead1ff8d7

SHA256
2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

SHA512
aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit
\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
227KB

MD5
987d91f989839f79a8f6fa003a43ca18

SHA1
e58429b4acf6d7dfef96ed598d75109ead1ff8d7

SHA256
2d13ca0b05136b40a532df22fff4f06de871b8635b7f49cdadf2c65288ebd9c9

SHA512
aeddcb9fb38cb01a9453db60f2e9862aa7d3394f318e0dcfc60ba86ec530baa47b8473dff85766072c7878d9751257c07efa94a28726af677fa6f5253ee42a49

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
memory/2156-54-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads