amadey | c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

Analysis

max time kernel
250s
max time network
255s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04-09-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

u8542029.exe
Size

316KB
MD5

9be7155d4a92aee655188c13f3fb8a77
SHA1

fb89091adce9edb48f90539154d566b710df5f3e
SHA256

c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8
SHA512

e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc
SSDEEP

6144:zR/tsQnf6X0M6+koYhXMxjwigfwfgbePu97rrAOQ322222KTq:zRlHVckoaXMxcePu97Hg22222iq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.87

193.233.255.9/nasa/index.php

Attributes

install_dir
ebb444342c
install_file
legosa.exe
strings_key
0b59a358b8646634fe523e0d5fe7fc43

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Executes dropped EXE 6 IoCs

Processes:

legosa.exelegosa.exelegosa.exelegosa.exelegosa.exelegosa.exe

pid process

1484 legosa.exe
2536 legosa.exe
2832 legosa.exe
1036 legosa.exe
836 legosa.exe
2240 legosa.exe
Loads dropped DLL 5 IoCs

Processes:

u8542029.exerundll32.exe

pid process

2404 u8542029.exe
2700 rundll32.exe
2700 rundll32.exe
2700 rundll32.exe
2700 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3024 schtasks.exe

pid	process
1484	legosa.exe
2536	legosa.exe
2832	legosa.exe
1036	legosa.exe
836	legosa.exe
2240	legosa.exe

pid	process
2404	u8542029.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe
2700	rundll32.exe

pid	process
3024	schtasks.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

u8542029.exelegosa.execmd.exetaskeng.exe

description	pid	process	target process
PID 2404 wrote to memory of 1484	2404	u8542029.exe	legosa.exe
PID 2404 wrote to memory of 1484	2404	u8542029.exe	legosa.exe
PID 2404 wrote to memory of 1484	2404	u8542029.exe	legosa.exe
PID 2404 wrote to memory of 1484	2404	u8542029.exe	legosa.exe
PID 1484 wrote to memory of 3024	1484	legosa.exe	schtasks.exe
PID 1484 wrote to memory of 3024	1484	legosa.exe	schtasks.exe
PID 1484 wrote to memory of 3024	1484	legosa.exe	schtasks.exe
PID 1484 wrote to memory of 3024	1484	legosa.exe	schtasks.exe
PID 1484 wrote to memory of 2628	1484	legosa.exe	cmd.exe
PID 1484 wrote to memory of 2628	1484	legosa.exe	cmd.exe
PID 1484 wrote to memory of 2628	1484	legosa.exe	cmd.exe
PID 1484 wrote to memory of 2628	1484	legosa.exe	cmd.exe
PID 2628 wrote to memory of 2760	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2760	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2760	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2760	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2732	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2732	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2732	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2732	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2728	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2728	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2728	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2728	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2772	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2772	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2772	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2772	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2612	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2612	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2612	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2612	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2856	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2856	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2856	2628	cmd.exe	cacls.exe
PID 2628 wrote to memory of 2856	2628	cmd.exe	cacls.exe
PID 2564 wrote to memory of 2536	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2536	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2536	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2536	2564	taskeng.exe	legosa.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 1484 wrote to memory of 2700	1484	legosa.exe	rundll32.exe
PID 2564 wrote to memory of 2832	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2832	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2832	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2832	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 1036	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 1036	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 1036	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 1036	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 836	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 836	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 836	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 836	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2240	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2240	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2240	2564	taskeng.exe	legosa.exe
PID 2564 wrote to memory of 2240	2564	taskeng.exe	legosa.exe

C:\Users\Admin\AppData\Local\Temp\u8542029.exe
"C:\Users\Admin\AppData\Local\Temp\u8542029.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
"C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legosa.exe /TR "C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe" /F
3⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legosa.exe" /P "Admin:N"&&CACLS "legosa.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ebb444342c" /P "Admin:N"&&CACLS "..\ebb444342c" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2760

C:\Windows\SysWOW64\cacls.exe
CACLS "legosa.exe" /P "Admin:N"
4⤵
PID:2732

C:\Windows\SysWOW64\cacls.exe
CACLS "legosa.exe" /P "Admin:R" /E
4⤵
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:2772

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:N"
4⤵
PID:2612

C:\Windows\SysWOW64\cacls.exe
CACLS "..\ebb444342c" /P "Admin:R" /E
4⤵
PID:2856

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
3⤵
- Loads dropped DLL
PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {981C4976-DDEB-4137-B54B-E007A072701B} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
2⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
2⤵
- Executes dropped EXE
PID:836

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
2⤵
- Executes dropped EXE
PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
\Users\Admin\AppData\Local\Temp\ebb444342c\legosa.exe
Filesize
316KB

MD5
9be7155d4a92aee655188c13f3fb8a77

SHA1
fb89091adce9edb48f90539154d566b710df5f3e

SHA256
c8f3c74d30f1700a5c6a971318486e0ec9d67f29ce1ae32f3278bdfd21192cc8

SHA512
e9983afb7d5e6669ae2e5f471678e44e0ab54391cb22a59c914adccaebe5ab0dd57d788d7edcf032f68550a064f6685b7bf181c3a55da18fff3702b0850bf7cc

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
43762ddccb9db44ea9914e448ba3e43e

SHA1
87e5766061740cf4a570133af6108399a11dbd1b

SHA256
459b0a16d82e7150ad3fa2cbc740a2b6a33606894669f5febe5d15c20b4cc0ef

SHA512
ea0ef8d32c3776baf2e1bd2456797d64ff8214810af41b3a59ee649ecd67e1fffeebe2f4b21c4e2671909a2d1ab8071d8eac261c4233662a686a575c1145d651

Download Submit