Analysis Overview
SHA256
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
Threat Level: Known bad
The file 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99 was found to be: Known bad.
Malicious Activity Summary
Amadey
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Reads local data of messenger clients
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Reads WinSCP keys stored on the system
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 18:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 18:52
Reported
2024-03-24 18:54
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
"C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1120
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 912
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1460
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\660967641992_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1092
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2368 -ip 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 1572
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4280 -ip 4280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 440
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.39.123.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| GB | 96.17.178.191:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 34468074c946943518ab33be24c01ef9 |
| SHA1 | 742cf7ff13dcab6a99b372dc99f362f45be3d69c |
| SHA256 | 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99 |
| SHA512 | b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b |
C:\Users\Admin\AppData\Local\Temp\660967641992
| MD5 | 7651643a8dc92015360ee49bb507abcc |
| SHA1 | f6b337ce9e687fc921b0f60dcbc2028cfef0981e |
| SHA256 | 8991b4ce0ef54407ac65aa6fd01fd931b0af436259c84578639e0ee8b93eff8b |
| SHA512 | 99718974b53bc7109d682c018cde6aeb0c95ef19245dbd4e87cc5d54add05268b933b88d1bccb50cf812bf473c48fdb28cfb16a06450e66f0d5d7cc3c78f82d1 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | dd6f1c7e4efd4848e6588f9424ced11a |
| SHA1 | 9d554e41bafb2e3d85b97fc236a9728bbd35a217 |
| SHA256 | b6ed52a1c1058ff4d2578c08e1933074029fb7af05b1a1cedb3a2d73ba1ea81a |
| SHA512 | f30f10317c07f1f9124d8915431bd89d641c7fa94fcadf562c27e6ed38d9f585cbffd531236a531f5296d908fbf888d34c89ba078257e11c93eef8876f6d1aac |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4b5bc0a64223e816baa40b83b614f780 |
| SHA1 | 964dae125ab33a30893428401baf0478de463d2c |
| SHA256 | 2570a6acb6bc678a9783541db3d72dc5e2cc64c742c7d40293debd436c2a723d |
| SHA512 | fcf906f78761745ba4c23f5c588b23874241e189b16510ec4a90d9c4415d48ba5da7de5364e8dcd7c54e19494204f71621d7d07d1d5f898b910679bd8247cdc1 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 7ce94a9117e765665b334321f7f501dd |
| SHA1 | a898a1ffac771499d6bb9f4938b80422c0a5fe39 |
| SHA256 | 9a33c75cf95688a254b0768649624d1d3aebcf7c01515f1c890e4861097e8303 |
| SHA512 | 19dd62656f077e3cad95f351250e38d0040b6ad8c5236e0b9057021cfa80a0ea67b520ebe507eaf610deaaffd09caf82ee89ef7e346a33fc908a9f9c56fab24b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ey03pu5l.l32.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 18:52
Reported
2024-03-24 18:54
Platform
win11-20240221-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads WinSCP keys stored on the system
Reads local data of messenger clients
Reads user/profile data of web browsers
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
"C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1132
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4736 -ip 4736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1628
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1488
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2840 -ip 2840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1620
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3832 -ip 3832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 1064
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | topgamecheats.dev | udp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| BG | 93.123.39.96:80 | topgamecheats.dev | tcp |
| US | 52.111.229.48:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
| MD5 | 34468074c946943518ab33be24c01ef9 |
| SHA1 | 742cf7ff13dcab6a99b372dc99f362f45be3d69c |
| SHA256 | 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99 |
| SHA512 | b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b |
C:\Users\Admin\AppData\Local\Temp\930051783255
| MD5 | 83930350dc29fad869034695a36201cb |
| SHA1 | 4bc0af17dd2748e39305993c50deec49a128e45c |
| SHA256 | 7298089a8c62ab2e8da4bd1ef09b5bad3b0fc8e9d9b48b60f6711940f24fd995 |
| SHA512 | cd8c9305376f1ef67b85959ffc3181de9aba64d54bfe5b93e1e9fe90cee9bec180bbf00ebd8bf4884f59134a80eb9dafb4070b9ff7f093e7eaa4b23141b28d59 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
| MD5 | 4876ee75ce2712147c41ff1277cd2d30 |
| SHA1 | 3733dc92318f0c6b92cb201e49151686281acda6 |
| SHA256 | bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed |
| SHA512 | 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjvrsqsf.h1c.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
| MD5 | ca684dc5ebed4381701a39f1cc3a0fb2 |
| SHA1 | 8c4a375aa583bd1c705597a7f45fd18934276770 |
| SHA256 | b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2 |
| SHA512 | 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510 |