Analysis Overview
SHA256
1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
Threat Level: Known bad
The file c80864ec4f40c15a4589d19a1e6cd3ca was found to be: Known bad.
Malicious Activity Summary
Amadey
SystemBC
Downloads MZ/PE file
Blocklisted process makes network request
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-02 10:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-02 10:35
Reported
2023-05-02 10:38
Platform
win7-20230220-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Amadey
SystemBC
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000020050\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000021061\\sc64.dll, rundll" | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe
"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"
C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe
"C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe"
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 1536
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
C:\Windows\system32\taskeng.exe
taskeng.exe {B2FC6C52-1B25-4B18-9BE4-1D4EC6E84B2E} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nftday.art | udp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| US | 8.8.8.8:53 | tadogem.com | udp |
| US | 172.67.183.249:80 | tadogem.com | tcp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| FI | 65.21.119.52:4277 | | tcp |
Files
memory/1560-54-0x0000000001090000-0x0000000001124000-memory.dmp
memory/1560-55-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1560-56-0x00000000091A0000-0x00000000091E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\KvoBySQFC.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
memory/268-65-0x00000000001F0000-0x00000000001F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\563773381203
| MD5 | 5ffe67cca13684e1a7f16ccb4811ccf8 |
| SHA1 | cb8fda23989d035e57337e1e91e82f6e04344365 |
| SHA256 | 9c8899173941c766505646a795baa12d8d7e4f6dc5611b44d850bdf96e0b9982 |
| SHA512 | 28181df7688208a56e95af14b5758d48859f5f531d60a0848238f102336f53e8f4f882ca961a2b79203a4eabd918a1e8d6cc230bf9fe57c72a9dd21176d24721 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
| MD5 | 1d81057710dc737ffee88f7f8b0ef90c |
| SHA1 | 8a13b1fe68d5010e5e9b14719a279c4037d7c446 |
| SHA256 | c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc |
| SHA512 | a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49 |
memory/1560-112-0x00000000091A0000-0x00000000091E0000-memory.dmp
memory/972-113-0x00000000001C0000-0x0000000000200000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
| MD5 | 4c09e8e3a1d837f125ea9f9c0c2c5380 |
| SHA1 | 0221f489cdef441afad424b5954d07b432d0b8e8 |
| SHA256 | 44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace |
| SHA512 | d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
memory/972-151-0x0000000009820000-0x0000000009860000-memory.dmp
memory/972-152-0x0000000009820000-0x0000000009860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-02 10:35
Reported
2023-05-02 10:38
Platform
win10v2004-20230220-en
Max time kernel
147s
Max time network
126s
Command Line
Signatures
Amadey
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\r30CZ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\r30CZ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\r30CZ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe
"C:\Users\Admin\AppData\Local\Temp\c80864ec4f40c15a4589d19a1e6cd3ca.exe"
C:\Users\Admin\AppData\Local\Temp\r30CZ.exe
"C:\Users\Admin\AppData\Local\Temp\r30CZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5084 -ip 5084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1856
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nftday.art | udp |
| US | 172.67.151.248:443 | nftday.art | tcp |
| US | 8.8.8.8:53 | 248.151.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tadogem.com | udp |
| US | 172.67.183.249:80 | tadogem.com | tcp |
| US | 172.67.183.249:80 | tadogem.com | tcp |
| US | 8.8.8.8:53 | 249.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp |
| NL | 52.178.17.3:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
Files
memory/5084-133-0x0000000000CD0000-0x0000000000D64000-memory.dmp
memory/5084-134-0x0000000003050000-0x0000000003051000-memory.dmp
memory/5084-135-0x00000000056E0000-0x00000000056F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\r30CZ.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\r30CZ.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\013461898371
| MD5 | 48e2cff2641f085dda47a12780dcaaf5 |
| SHA1 | e9623a75bc5cfdd87bb90a659e9f64c70e8295c2 |
| SHA256 | b7aa4f6e18baf296266a760c73331b793711935c700164f7a04f39ee5fd3e84a |
| SHA512 | a36d66018f8b672e0fbb9934dbe67c7fbf0740030d0f2ebc0636cfe10077a4d84e419b0ff2b90bb833f06f9a035605ca6db280bc9f9f6691f8902bdf3da2ae6e |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
| MD5 | c23d62c9166ae248fe9fe078328182f9 |
| SHA1 | ce684054121205b1cd7befc016644680fd5b29d5 |
| SHA256 | 90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e |
| SHA512 | 1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57 |