amadey | f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1

Analysis

max time kernel
133s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2023 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0006000000023211-166.exe
Size

230KB
MD5

7330ca9da317e5617c4ff4838142ac20
SHA1

09f570bff0298fb80f6d95717a0971ae55829f60
SHA256

f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1
SHA512

a5cc45fe09dfbd298eabd6a9b69e464f0693ebdd4ff8b28a4b579fec7eaa73774b66e3ea22d4667c129d15e7399802bf0f5bdc3c4ef30713753e52c61d472c39
SSDEEP

3072:3vtV3ROZ6RDwrR3wMUzUVwQ3rInyRnIvPak3hhiHFSbuZhuNcZVKBzqm8LHIkbGB:ftV3euVz6rKyS3yHFHhuNcPKpwU+

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.86

77.91.68.61/rock/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 3 IoCs

pid	Process
752	pdates.exe
1300	pdates.exe
1600	pdates.exe

Loads dropped DLL 1 IoCs

pid	Process
3668	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4480	schtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1352	0x0006000000023211-166.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 752	1352	0x0006000000023211-166.exe	82
PID 1352 wrote to memory of 752	1352	0x0006000000023211-166.exe	82
PID 1352 wrote to memory of 752	1352	0x0006000000023211-166.exe	82
PID 752 wrote to memory of 4480	752	pdates.exe	83
PID 752 wrote to memory of 4480	752	pdates.exe	83
PID 752 wrote to memory of 4480	752	pdates.exe	83
PID 752 wrote to memory of 4580	752	pdates.exe	85
PID 752 wrote to memory of 4580	752	pdates.exe	85
PID 752 wrote to memory of 4580	752	pdates.exe	85
PID 4580 wrote to memory of 3504	4580	cmd.exe	87
PID 4580 wrote to memory of 3504	4580	cmd.exe	87
PID 4580 wrote to memory of 3504	4580	cmd.exe	87
PID 4580 wrote to memory of 2888	4580	cmd.exe	88
PID 4580 wrote to memory of 2888	4580	cmd.exe	88
PID 4580 wrote to memory of 2888	4580	cmd.exe	88
PID 4580 wrote to memory of 384	4580	cmd.exe	89
PID 4580 wrote to memory of 384	4580	cmd.exe	89
PID 4580 wrote to memory of 384	4580	cmd.exe	89
PID 4580 wrote to memory of 2156	4580	cmd.exe	91
PID 4580 wrote to memory of 2156	4580	cmd.exe	91
PID 4580 wrote to memory of 2156	4580	cmd.exe	91
PID 4580 wrote to memory of 3728	4580	cmd.exe	90
PID 4580 wrote to memory of 3728	4580	cmd.exe	90
PID 4580 wrote to memory of 3728	4580	cmd.exe	90
PID 4580 wrote to memory of 2172	4580	cmd.exe	92
PID 4580 wrote to memory of 2172	4580	cmd.exe	92
PID 4580 wrote to memory of 2172	4580	cmd.exe	92
PID 752 wrote to memory of 3668	752	pdates.exe	103
PID 752 wrote to memory of 3668	752	pdates.exe	103
PID 752 wrote to memory of 3668	752	pdates.exe	103

C:\Users\Admin\AppData\Local\Temp\0x0006000000023211-166.exe
"C:\Users\Admin\AppData\Local\Temp\0x0006000000023211-166.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
  "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:3504
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "pdates.exe" /P "Admin:N"
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "pdates.exe" /P "Admin:R" /E
      4⤵
      PID:384
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\925e7e99c5" /P "Admin:N"
      4⤵
      PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2156
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\925e7e99c5" /P "Admin:R" /E
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3668

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:1300

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
1⤵
- Executes dropped EXE
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
230KB

MD5
7330ca9da317e5617c4ff4838142ac20

SHA1
09f570bff0298fb80f6d95717a0971ae55829f60

SHA256
f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1

SHA512
a5cc45fe09dfbd298eabd6a9b69e464f0693ebdd4ff8b28a4b579fec7eaa73774b66e3ea22d4667c129d15e7399802bf0f5bdc3c4ef30713753e52c61d472c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
230KB

MD5
7330ca9da317e5617c4ff4838142ac20

SHA1
09f570bff0298fb80f6d95717a0971ae55829f60

SHA256
f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1

SHA512
a5cc45fe09dfbd298eabd6a9b69e464f0693ebdd4ff8b28a4b579fec7eaa73774b66e3ea22d4667c129d15e7399802bf0f5bdc3c4ef30713753e52c61d472c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
230KB

MD5
7330ca9da317e5617c4ff4838142ac20

SHA1
09f570bff0298fb80f6d95717a0971ae55829f60

SHA256
f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1

SHA512
a5cc45fe09dfbd298eabd6a9b69e464f0693ebdd4ff8b28a4b579fec7eaa73774b66e3ea22d4667c129d15e7399802bf0f5bdc3c4ef30713753e52c61d472c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
230KB

MD5
7330ca9da317e5617c4ff4838142ac20

SHA1
09f570bff0298fb80f6d95717a0971ae55829f60

SHA256
f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1

SHA512
a5cc45fe09dfbd298eabd6a9b69e464f0693ebdd4ff8b28a4b579fec7eaa73774b66e3ea22d4667c129d15e7399802bf0f5bdc3c4ef30713753e52c61d472c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

Filesize
230KB

MD5
7330ca9da317e5617c4ff4838142ac20

SHA1
09f570bff0298fb80f6d95717a0971ae55829f60

SHA256
f79945c9617fcdbf6d813e2af995550ef820dbc92013d22cb3e48c6cc733c1a1

SHA512
a5cc45fe09dfbd298eabd6a9b69e464f0693ebdd4ff8b28a4b579fec7eaa73774b66e3ea22d4667c129d15e7399802bf0f5bdc3c4ef30713753e52c61d472c39

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2392b231cf4a80739b5cb09bf808127d

SHA1
41b5cf81c50884954911d96444fe83cfd0da465b

SHA256
2244b4dc9afc6cfab7ef1dea92420e2acd275bac7349b929a69f3c1ae25f5e2f

SHA512
19ceba063fa1cc1d0116eb11b18d6301a0e1eeda1cb5b983e331e59e4f12e4d0e36d7b4a1d8259dff57a79c47fdcedf89de8e255d932452e441762e4d440ce34

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
9851b884bf4aadfade57d911a3f03332

SHA1
aaadd1c1856c22844bb9fbb030cf4f586ed8866a

SHA256
03afb988f3eec62c2da682af371625adcac5a0e69615298f83d99365ab07ac0f

SHA512
a7de560f51bacd381d3e741f887c3c40ece88521ee93a22a4f7448297e8bda2131be866d9ae6438c528d9f40a277c18bae517deec16b6b723f67d4c308031327

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads