Analysis Overview
SHA256
bfaf0cfd1a1e072b98697fe0058006009933c17a6669fca19f490b021b93ba3f
Threat Level: Known bad
The file NEAS.28ba42affc32f55c7ba5bcea219cae20.exe was found to be: Known bad.
Malicious Activity Summary
Amadey family
Amadey
SystemBC
Downloads MZ/PE file
Loads dropped DLL
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-13 20:03
Signatures
Amadey family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-13 20:03
Reported
2023-10-13 21:02
Platform
win7-20230831-en
Max time kernel
153s
Max time network
143s
Command Line
Signatures
Amadey
SystemBC
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\fveapibase.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000009060\\fveapibase.dll, rundll" | C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000009060\fveapibase.dll, rundll
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cncdevelopment.org | udp |
| US | 188.114.96.0:80 | cncdevelopment.org | tcp |
| US | 188.114.96.0:80 | cncdevelopment.org | tcp |
| US | 8.8.8.8:53 | gcdnbabl3global.rakudotek.fun | udp |
| US | 188.114.97.0:443 | gcdnbabl3global.rakudotek.fun | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\185155662718
| MD5 | 5ed88a409c57799a16ba1a8a5957c112 |
| SHA1 | 288caaefc496bbfee0ea69b263d892bb63ebe909 |
| SHA256 | b6a35f44202fcece7e46cca8558a2d7f30a52e6357387a6968af50e2063bf0f7 |
| SHA512 | e86307e56b34a6601186520622c57b640514a89d3332611738be88c9ad2fb032ab72b9f2f6e800400fa06befada776ac91e290d287500c8040e3f1025ea5cfa2 |
C:\Users\Admin\AppData\Roaming\1000009060\fveapibase.dll
| MD5 | 6f288920336f1a1d2aa03622f02461a5 |
| SHA1 | f3751eb8c1dfe51cbddb259a236cfbbe516d1f2a |
| SHA256 | 3102898c3f6829528aff9ada49354418e086948c4313bf174058b1cf2a955cad |
| SHA512 | 469850c823cb08340e5ff20705267bb238f853834dd564b3698438f21b0d7f56c7048570facb776f3a7c4b15c451fa1b1c3fbad7436ad666fa8f40ae8f5c4ad0 |
\Users\Admin\AppData\Roaming\1000009060\fveapibase.dll
| MD5 | 6f288920336f1a1d2aa03622f02461a5 |
| SHA1 | f3751eb8c1dfe51cbddb259a236cfbbe516d1f2a |
| SHA256 | 3102898c3f6829528aff9ada49354418e086948c4313bf174058b1cf2a955cad |
| SHA512 | 469850c823cb08340e5ff20705267bb238f853834dd564b3698438f21b0d7f56c7048570facb776f3a7c4b15c451fa1b1c3fbad7436ad666fa8f40ae8f5c4ad0 |
memory/2772-34-0x0000000010000000-0x00000000100BC000-memory.dmp
memory/2772-37-0x0000000010000000-0x00000000100BC000-memory.dmp
memory/2772-38-0x0000000010000000-0x00000000100BC000-memory.dmp
memory/2772-40-0x0000000000270000-0x0000000000350000-memory.dmp
memory/2772-39-0x00000000000B0000-0x00000000000B4000-memory.dmp
memory/2772-36-0x0000000010000000-0x00000000100BC000-memory.dmp
memory/2772-42-0x00000000000B0000-0x00000000000B4000-memory.dmp
memory/2772-43-0x0000000000270000-0x0000000000350000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-13 20:03
Reported
2023-10-13 21:02
Platform
win10v2004-20230915-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Amadey
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.28ba42affc32f55c7ba5bcea219cae20.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cncdevelopment.org | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 188.114.96.0:80 | cncdevelopment.org | tcp |
| US | 188.114.96.0:80 | cncdevelopment.org | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\890696111233
| MD5 | d5844bb8869090cbe82ed92f1a906c1f |
| SHA1 | 058faf9e59ef3b14addce2a60d87ade7eb421142 |
| SHA256 | fe2072ab1238ba62fbd3a6fc67fcd256be705c5e5e9f821df545bcdef6fde06a |
| SHA512 | cd5e077b5b08e7db33b96e88174dbad71bcf7052caa9e0c01049c81243b1745a2c5ff9d7099654e5d405374b55412f2c244e0a302092b52626f1e3f691eb20ef |