amadey | 84567d4d000ee419bbaccd630c406f2029b88e42e1b67f6d1a670c974403df87

Analysis

max time kernel
182s
max time network
261s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
04-09-2023 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

t0793336.exe
Size

315KB
MD5

57f92b3fe4257b9b5e87bba5cd9d01d0
SHA1

a2b08e8254efc9326f6d9b8370b22218ef3320e8
SHA256

84567d4d000ee419bbaccd630c406f2029b88e42e1b67f6d1a670c974403df87
SHA512

8c5bb901ae4c7434cb718699b55af3a2906ecef1165a201818300e3e10cbbe0e50117925a22709b9f425c31eef0fa1931bef27324c2155d2bd475919f4de49bb
SSDEEP

6144:zR/tsQnf6X0M6+koYhXMxjwigfwfgbePu97rrAOQ322222KTq:zRlHVckoaXMxcePu97Hg22222iq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Attributes

install_dir
ebb444342c
install_file
legosa.exe
strings_key
0b59a358b8646634fe523e0d5fe7fc43

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 2 IoCs

pid	Process
2988	legosa.exe
2204	legosa.exe

Loads dropped DLL 1 IoCs

pid	Process
3112	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1124	schtasks.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 2988	3720	t0793336.exe	70
PID 3720 wrote to memory of 2988	3720	t0793336.exe	70
PID 3720 wrote to memory of 2988	3720	t0793336.exe	70
PID 2988 wrote to memory of 1124	2988	legosa.exe	71
PID 2988 wrote to memory of 1124	2988	legosa.exe	71
PID 2988 wrote to memory of 1124	2988	legosa.exe	71
PID 2988 wrote to memory of 1368	2988	legosa.exe	72
PID 2988 wrote to memory of 1368	2988	legosa.exe	72
PID 2988 wrote to memory of 1368	2988	legosa.exe	72
PID 1368 wrote to memory of 5080	1368	cmd.exe	75
PID 1368 wrote to memory of 5080	1368	cmd.exe	75
PID 1368 wrote to memory of 5080	1368	cmd.exe	75
PID 1368 wrote to memory of 5112	1368	cmd.exe	76
PID 1368 wrote to memory of 5112	1368	cmd.exe	76
PID 1368 wrote to memory of 5112	1368	cmd.exe	76
PID 1368 wrote to memory of 3308	1368	cmd.exe	77
PID 1368 wrote to memory of 3308	1368	cmd.exe	77
PID 1368 wrote to memory of 3308	1368	cmd.exe	77
PID 1368 wrote to memory of 1128	1368	cmd.exe	78
PID 1368 wrote to memory of 1128	1368	cmd.exe	78
PID 1368 wrote to memory of 1128	1368	cmd.exe	78
PID 1368 wrote to memory of 3456	1368	cmd.exe	79
PID 1368 wrote to memory of 3456	1368	cmd.exe	79
PID 1368 wrote to memory of 3456	1368	cmd.exe	79
PID 1368 wrote to memory of 4524	1368	cmd.exe	80
PID 1368 wrote to memory of 4524	1368	cmd.exe	80
PID 1368 wrote to memory of 4524	1368	cmd.exe	80
PID 2988 wrote to memory of 3112	2988	legosa.exe	81
PID 2988 wrote to memory of 3112	2988	legosa.exe	81
PID 2988 wrote to memory of 3112	2988	legosa.exe	81

C:\Users\Admin\AppData\Local\Temp\t0793336.exe
"C:\Users\Admin\AppData\Local\Temp\t0793336.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
  "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legosa.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legosa.exe" /P "Admin:N"&&CACLS "legosa.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5080
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legosa.exe" /P "Admin:N"
      4⤵
      PID:5112
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "legosa.exe" /P "Admin:R" /E
      4⤵
      PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\ebb444342c" /P "Admin:N"
      4⤵
      PID:3456
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\ebb444342c" /P "Admin:R" /E
      4⤵
      PID:4524
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:3112

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
1⤵
- Executes dropped EXE
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
57f92b3fe4257b9b5e87bba5cd9d01d0

SHA1
a2b08e8254efc9326f6d9b8370b22218ef3320e8

SHA256
84567d4d000ee419bbaccd630c406f2029b88e42e1b67f6d1a670c974403df87

SHA512
8c5bb901ae4c7434cb718699b55af3a2906ecef1165a201818300e3e10cbbe0e50117925a22709b9f425c31eef0fa1931bef27324c2155d2bd475919f4de49bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
57f92b3fe4257b9b5e87bba5cd9d01d0

SHA1
a2b08e8254efc9326f6d9b8370b22218ef3320e8

SHA256
84567d4d000ee419bbaccd630c406f2029b88e42e1b67f6d1a670c974403df87

SHA512
8c5bb901ae4c7434cb718699b55af3a2906ecef1165a201818300e3e10cbbe0e50117925a22709b9f425c31eef0fa1931bef27324c2155d2bd475919f4de49bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe

Filesize
315KB

MD5
57f92b3fe4257b9b5e87bba5cd9d01d0

SHA1
a2b08e8254efc9326f6d9b8370b22218ef3320e8

SHA256
84567d4d000ee419bbaccd630c406f2029b88e42e1b67f6d1a670c974403df87

SHA512
8c5bb901ae4c7434cb718699b55af3a2906ecef1165a201818300e3e10cbbe0e50117925a22709b9f425c31eef0fa1931bef27324c2155d2bd475919f4de49bb

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads