Malware Analysis Report

2025-04-03 09:39

Sample ID 230502-mmxbssce6s
Target c80864ec4f40c15a4589d19a1e6cd3ca
SHA256 1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
Tags
amadey systembc persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc

Threat Level: Known bad

The file c80864ec4f40c15a4589d19a1e6cd3ca was found to be: Known bad.

Malicious Activity Summary

amadey systembc persistence trojan

Amadey

SystemBC

Downloads MZ/PE file

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-02 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-02 10:35

Reported

2023-05-02 10:38

Platform

win7-20230220-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

Signatures

Amadey

trojan amadey

SystemBC

trojan systembc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe
PID 268 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1376 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1560 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe C:\Windows\SysWOW64\WerFault.exe
PID 1376 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
PID 1376 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe C:\Windows\SysWOW64\rundll32.exe
PID 532 wrote to memory of 1676 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1748 wrote to memory of 1504 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1748 wrote to memory of 936 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
PID 1748 wrote to memory of 1904 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe

"C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe"

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1536

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll

C:\Windows\system32\taskeng.exe

taskeng.exe {B2FC6C52-1B25-4B18-9BE4-1D4EC6E84B2E} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nftday.art udp
US 172.67.151.248:443 nftday.art tcp
US 8.8.8.8:53 tadogem.com udp
US 172.67.183.249:80 tadogem.com tcp
FI 65.21.119.52:4277 tcp

Files

memory/1560-54-0x0000000001090000-0x0000000001124000-memory.dmp

memory/1560-55-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1560-56-0x00000000091A0000-0x00000000091E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

memory/268-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\563773381203

MD5 5ffe67cca13684e1a7f16ccb4811ccf8
SHA1 cb8fda23989d035e57337e1e91e82f6e04344365
SHA256 9c8899173941c766505646a795baa12d8d7e4f6dc5611b44d850bdf96e0b9982
SHA512 28181df7688208a56e95af14b5758d48859f5f531d60a0848238f102336f53e8f4f882ca961a2b79203a4eabd918a1e8d6cc230bf9fe57c72a9dd21176d24721

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

\Users\Admin\AppData\Roaming\1000020050\rundll32.exe

MD5 1d81057710dc737ffee88f7f8b0ef90c
SHA1 8a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256 c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512 a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

memory/1560-112-0x00000000091A0000-0x00000000091E0000-memory.dmp

memory/972-113-0x00000000001C0000-0x0000000000200000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll

MD5 4c09e8e3a1d837f125ea9f9c0c2c5380
SHA1 0221f489cdef441afad424b5954d07b432d0b8e8
SHA256 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512 d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/972-151-0x0000000009820000-0x0000000009860000-memory.dmp

memory/972-152-0x0000000009820000-0x0000000009860000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-02 10:35

Reported

2023-05-02 10:38

Platform

win10v2004-20230220-en

Max time kernel

147s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

Signatures

Amadey

trojan amadey

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\r30CZ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\r30CZ.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe

"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"

C:\Users\Admin\AppData\Local\Temp\r30CZ.exe

"C:\Users\Admin\AppData\Local\Temp\r30CZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1856

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 nftday.art udp
US 172.67.151.248:443 nftday.art tcp
US 8.8.8.8:53 248.151.67.172.in-addr.arpa udp
US 8.8.8.8:53 tadogem.com udp
US 172.67.183.249:80 tadogem.com tcp
US 8.8.8.8:53 249.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
NL 52.178.17.3:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp

Files

memory/5084-133-0x0000000000CD0000-0x0000000000D64000-memory.dmp

memory/5084-134-0x0000000003050000-0x0000000003051000-memory.dmp

memory/5084-135-0x00000000056E0000-0x00000000056F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\r30CZ.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe

MD5 c23d62c9166ae248fe9fe078328182f9
SHA1 ce684054121205b1cd7befc016644680fd5b29d5
SHA256 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA512 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

C:\Users\Admin\AppData\Local\Temp\013461898371

MD5 48e2cff2641f085dda47a12780dcaaf5
SHA1 e9623a75bc5cfdd87bb90a659e9f64c70e8295c2
SHA256 b7aa4f6e18baf296266a760c73331b793711935c700164f7a04f39ee5fd3e84a
SHA512 a36d66018f8b672e0fbb9934dbe67c7fbf0740030d0f2ebc0636cfe10077a4d84e419b0ff2b90bb833f06f9a035605ca6db280bc9f9f6691f8902bdf3da2ae6e

C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
