amadey | afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

Analysis

max time kernel
132s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x00060000000162e0-52.exe
Size

313KB
MD5

b1ddc0d016640f8f31dee59948bfeea8
SHA1

d10117c0c5a2ce9adddb84ab3c067f43b5f39a36
SHA256

afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd
SHA512

01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a
SSDEEP

6144:SR9eh569+UR6P3zIwkp4p2k/DPaZHwc3eoe6u17MgAOIMs8Bq:Sfm5BB7kpi2k/ae6u17pa8Bq

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.87

http://77.91.68.18/nice/index.php

Attributes

install_dir
b40d11255d
install_file
saves.exe
strings_key
fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Executes dropped EXE 4 IoCs

pid	Process
2612	saves.exe
2856	saves.exe
2748	saves.exe
2728	saves.exe

Loads dropped DLL 1 IoCs

pid	Process
2840	0x00060000000162e0-52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2612	2840	0x00060000000162e0-52.exe	28
PID 2840 wrote to memory of 2612	2840	0x00060000000162e0-52.exe	28
PID 2840 wrote to memory of 2612	2840	0x00060000000162e0-52.exe	28
PID 2840 wrote to memory of 2612	2840	0x00060000000162e0-52.exe	28
PID 2612 wrote to memory of 2668	2612	saves.exe	29
PID 2612 wrote to memory of 2668	2612	saves.exe	29
PID 2612 wrote to memory of 2668	2612	saves.exe	29
PID 2612 wrote to memory of 2668	2612	saves.exe	29
PID 2612 wrote to memory of 2976	2612	saves.exe	31
PID 2612 wrote to memory of 2976	2612	saves.exe	31
PID 2612 wrote to memory of 2976	2612	saves.exe	31
PID 2612 wrote to memory of 2976	2612	saves.exe	31
PID 2976 wrote to memory of 2792	2976	cmd.exe	33
PID 2976 wrote to memory of 2792	2976	cmd.exe	33
PID 2976 wrote to memory of 2792	2976	cmd.exe	33
PID 2976 wrote to memory of 2792	2976	cmd.exe	33
PID 2976 wrote to memory of 2652	2976	cmd.exe	34
PID 2976 wrote to memory of 2652	2976	cmd.exe	34
PID 2976 wrote to memory of 2652	2976	cmd.exe	34
PID 2976 wrote to memory of 2652	2976	cmd.exe	34
PID 2976 wrote to memory of 2776	2976	cmd.exe	35
PID 2976 wrote to memory of 2776	2976	cmd.exe	35
PID 2976 wrote to memory of 2776	2976	cmd.exe	35
PID 2976 wrote to memory of 2776	2976	cmd.exe	35
PID 2976 wrote to memory of 2808	2976	cmd.exe	36
PID 2976 wrote to memory of 2808	2976	cmd.exe	36
PID 2976 wrote to memory of 2808	2976	cmd.exe	36
PID 2976 wrote to memory of 2808	2976	cmd.exe	36
PID 2976 wrote to memory of 2556	2976	cmd.exe	37
PID 2976 wrote to memory of 2556	2976	cmd.exe	37
PID 2976 wrote to memory of 2556	2976	cmd.exe	37
PID 2976 wrote to memory of 2556	2976	cmd.exe	37
PID 2976 wrote to memory of 1676	2976	cmd.exe	38
PID 2976 wrote to memory of 1676	2976	cmd.exe	38
PID 2976 wrote to memory of 1676	2976	cmd.exe	38
PID 2976 wrote to memory of 1676	2976	cmd.exe	38
PID 2592 wrote to memory of 2856	2592	taskeng.exe	41
PID 2592 wrote to memory of 2856	2592	taskeng.exe	41
PID 2592 wrote to memory of 2856	2592	taskeng.exe	41
PID 2592 wrote to memory of 2856	2592	taskeng.exe	41
PID 2592 wrote to memory of 2748	2592	taskeng.exe	45
PID 2592 wrote to memory of 2748	2592	taskeng.exe	45
PID 2592 wrote to memory of 2748	2592	taskeng.exe	45
PID 2592 wrote to memory of 2748	2592	taskeng.exe	45
PID 2592 wrote to memory of 2728	2592	taskeng.exe	46
PID 2592 wrote to memory of 2728	2592	taskeng.exe	46
PID 2592 wrote to memory of 2728	2592	taskeng.exe	46
PID 2592 wrote to memory of 2728	2592	taskeng.exe	46

C:\Users\Admin\AppData\Local\Temp\0x00060000000162e0-52.exe
"C:\Users\Admin\AppData\Local\Temp\0x00060000000162e0-52.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2792
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "saves.exe" /P "Admin:N"
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "saves.exe" /P "Admin:R" /E
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\b40d11255d" /P "Admin:N"
      4⤵
      PID:2556
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\b40d11255d" /P "Admin:R" /E
      4⤵
      PID:1676

C:\Windows\system32\taskeng.exe
taskeng.exe {8A033C17-D7B7-451B-B7E7-82B2ECA9005E} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
  2⤵
  - Executes dropped EXE
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit
\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

Filesize
313KB

MD5
b1ddc0d016640f8f31dee59948bfeea8

SHA1
d10117c0c5a2ce9adddb84ab3c067f43b5f39a36

SHA256
afb4cab6dbc47b044fb8b0deb6a7ec9368062bbce0d553cbafce4156052d45fd

SHA512
01aee10e6bbf78866921d178f906123579606be83d4f58275ea3cc47a365d51111470e12ef0744c6b3f509887caa4ad54831cdf72f2bfe780317cc684ed3360a

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads