amadey | dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5

Reason

Machine shutdown

General

Target

dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe
Size

1.4MB
MD5

2317f3393576d390a9cfedabc929d076
SHA1

b9e79ab5d0577e198e3c7359ef1cbce0ceaf0078
SHA256

dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5
SHA512

6c174841d0e7d7ebc3e55357a6cd89cbf532fc30b8ae10502b368c5e1faf227331c85e1a1f85bdcea8f1faf2870a8903ba294be994feba02809528c1e4ae7dfd
SSDEEP

24576:iyDEgu+4ymK2YKJGvLFI1wGPUs/BrjEJt/NtTJlerUsse62A6ZmKv:JDEgbPmkKJGvLe1UyrjEJtlB/wWT+H

Score

10^/10

amadey persistence trojan

Malware Config

Extracted

Family

amadey

Version

3.87

C2

77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
2152	y5580511.exe
2636	y0539609.exe
4428	y4760351.exe
4496	l9553959.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5580511.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0539609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y4760351.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	shutdown.exe
Token: SeRemoteShutdownPrivilege	2292	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2164	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2152	4664	dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe	70
PID 4664 wrote to memory of 2152	4664	dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe	70
PID 4664 wrote to memory of 2152	4664	dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe	70
PID 2152 wrote to memory of 2636	2152	y5580511.exe	71
PID 2152 wrote to memory of 2636	2152	y5580511.exe	71
PID 2152 wrote to memory of 2636	2152	y5580511.exe	71
PID 2636 wrote to memory of 4428	2636	y0539609.exe	72
PID 2636 wrote to memory of 4428	2636	y0539609.exe	72
PID 2636 wrote to memory of 4428	2636	y0539609.exe	72
PID 4428 wrote to memory of 4496	4428	y4760351.exe	73
PID 4428 wrote to memory of 4496	4428	y4760351.exe	73
PID 4428 wrote to memory of 4496	4428	y4760351.exe	73
PID 4496 wrote to memory of 772	4496	l9553959.exe	74
PID 4496 wrote to memory of 772	4496	l9553959.exe	74
PID 4496 wrote to memory of 772	4496	l9553959.exe	74
PID 772 wrote to memory of 2292	772	cmd.exe	76
PID 772 wrote to memory of 2292	772	cmd.exe	76
PID 772 wrote to memory of 2292	772	cmd.exe	76

C:\Users\Admin\AppData\Local\Temp\dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe
"C:\Users\Admin\AppData\Local\Temp\dd09ac854d8cf93643c1cc08fa0184855e0e9719042980741f80516d99b92db5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5580511.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5580511.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0539609.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0539609.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4760351.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4760351.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9553959.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9553959.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -s -t 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5580511.exe

Filesize
1.3MB

MD5
35ea4417d86949ef2a17be1a5578ec7f

SHA1
a45f1c8176e3ca58b46f1b8c0f9682a85ac0fbf9

SHA256
dcbce8e7d80b8ddeec1ceaf22032a5bd97a95719c52ee08202c6044ece294843

SHA512
b12ecbd9f3aa068e0c00310357a3b362a7f5e56eaf04b4176e0d7d532d41ca7f2250ca57119668fa172da145851cc47af9102df0bfc52b9629845d07887229c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5580511.exe

Filesize
1.3MB

MD5
35ea4417d86949ef2a17be1a5578ec7f

SHA1
a45f1c8176e3ca58b46f1b8c0f9682a85ac0fbf9

SHA256
dcbce8e7d80b8ddeec1ceaf22032a5bd97a95719c52ee08202c6044ece294843

SHA512
b12ecbd9f3aa068e0c00310357a3b362a7f5e56eaf04b4176e0d7d532d41ca7f2250ca57119668fa172da145851cc47af9102df0bfc52b9629845d07887229c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0539609.exe

Filesize
475KB

MD5
29282e5d04b64e1ec91fff36572a519a

SHA1
e39e8e6153d58f6157475bb907a8a3a430655a60

SHA256
d2729f1901155cd00b491e012e4c86c0fdf3de1761530be47da69bf8d55f26f2

SHA512
16836d0bce70a9c2581811c6e5e520322e004026016641380beb04bc0353865884045f970a1aa4d264125e9c66aa5a17730d8d8769c14bcb627898dc70afca0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0539609.exe

Filesize
475KB

MD5
29282e5d04b64e1ec91fff36572a519a

SHA1
e39e8e6153d58f6157475bb907a8a3a430655a60

SHA256
d2729f1901155cd00b491e012e4c86c0fdf3de1761530be47da69bf8d55f26f2

SHA512
16836d0bce70a9c2581811c6e5e520322e004026016641380beb04bc0353865884045f970a1aa4d264125e9c66aa5a17730d8d8769c14bcb627898dc70afca0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4760351.exe

Filesize
319KB

MD5
26324e7eeeacd8c7198cd09f142b9bc1

SHA1
b730e3697d9d207823fecd70fbd2d19f61485f16

SHA256
ae08e569924d62d9897861c72736d6905fd823117836f175c952f647e73c17af

SHA512
31787d7866ce5431be47fdd0245c8f61187a8ee9c5422cbf5d2f1ede1b2ecfeb6033a50a2306567a25b443999c97679abef489248df02a44982e38eb3c5b626a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4760351.exe

Filesize
319KB

MD5
26324e7eeeacd8c7198cd09f142b9bc1

SHA1
b730e3697d9d207823fecd70fbd2d19f61485f16

SHA256
ae08e569924d62d9897861c72736d6905fd823117836f175c952f647e73c17af

SHA512
31787d7866ce5431be47fdd0245c8f61187a8ee9c5422cbf5d2f1ede1b2ecfeb6033a50a2306567a25b443999c97679abef489248df02a44982e38eb3c5b626a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9553959.exe

Filesize
328KB

MD5
2be72c7c2a2347cdba517384810a0509

SHA1
6d4476aede50168466c3c148544980c89c53e3e0

SHA256
b5459c3ffccf4a0d013394050f5951d75aaa8ea10409993a2fdac9648049ee33

SHA512
164807c5238224d0bb33715054141c757e9798ed1a394032516bbb38a8d34abf19eff489735e6b84af6b2d9d6aa238ff699d451e869f67e14cb321f6ef8fd867

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l9553959.exe

Filesize
328KB

MD5
2be72c7c2a2347cdba517384810a0509

SHA1
6d4476aede50168466c3c148544980c89c53e3e0

SHA256
b5459c3ffccf4a0d013394050f5951d75aaa8ea10409993a2fdac9648049ee33

SHA512
164807c5238224d0bb33715054141c757e9798ed1a394032516bbb38a8d34abf19eff489735e6b84af6b2d9d6aa238ff699d451e869f67e14cb321f6ef8fd867

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads