Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File created	C:\Windows\Tasks\Dctooux.job	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4516 wrote to memory of 3264	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 4516 wrote to memory of 3264	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 4516 wrote to memory of 3264	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe

"C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1172

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 480

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 644 -ip 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1444

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp

Files

memory/4516-2-0x0000000003830000-0x000000000389B000-memory.dmp

memory/4516-1-0x0000000001CC0000-0x0000000001DC0000-memory.dmp

memory/4516-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5	a7407c043ce8a33d7497ebc47edab73f
SHA1	bf2049acf367fdbd0a287e841ad57abeb5669f4b
SHA256	ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6
SHA512	c8aee62f22fd771d2ff820874879b36d77d2403459532cc6cb141a0aea559f0cc54dbd85d1eddd5d65e8f785178aa31846e32c7b1db9acf0a4118c3c307b1c45

memory/3264-16-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4516-18-0x0000000003830000-0x000000000389B000-memory.dmp

memory/4516-19-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4516-17-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/3264-21-0x0000000000400000-0x0000000001BF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\558294865367

MD5	9bfd15a09abd0afec2f29c6259550cff
SHA1	f4b84350212fa175d73afaabf23c0f94ca4be278
SHA256	ace49e5444e2bf1128f707ad3b40d06c45674399faff127a6b3d0644b48fdf25
SHA512	6ee2b9334c4f89b95087b7ceec76a4cc92767eac98cd12cadf6d5415eafb7984f595782cd0a45cc2f2411c78279f1ec19022c61ec5a1d976ead04c349bb449df

memory/644-39-0x0000000000400000-0x0000000001BF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 09:25

Reported

2024-06-12 09:27

Platform

win11-20240508-en

Max time kernel

144s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File created	C:\Windows\Tasks\Dctooux.job	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2324 wrote to memory of 4120	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2324 wrote to memory of 4120	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2324 wrote to memory of 4120	N/A	C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe	C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe

"C:\Users\Admin\AppData\Local\Temp\ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1136

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2324 -ip 2324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 1600

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4396 -ip 4396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 472

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3112 -ip 3112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3112 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 900

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	check-ftp.ru	udp
US	8.8.8.8:53	techolivls.in	udp
US	8.8.8.8:53	dnschnj.at	udp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	check-ftp.ru	udp
US	8.8.8.8:53	techolivls.in	udp
US	8.8.8.8:53	dnschnj.at	udp
US	8.8.8.8:53	check-ftp.ru	udp

Files

memory/2324-1-0x0000000001E30000-0x0000000001F30000-memory.dmp

memory/2324-2-0x0000000003910000-0x000000000397B000-memory.dmp

memory/2324-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5	a7407c043ce8a33d7497ebc47edab73f
SHA1	bf2049acf367fdbd0a287e841ad57abeb5669f4b
SHA256	ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6
SHA512	c8aee62f22fd771d2ff820874879b36d77d2403459532cc6cb141a0aea559f0cc54dbd85d1eddd5d65e8f785178aa31846e32c7b1db9acf0a4118c3c307b1c45

memory/4120-16-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/2324-19-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2324-18-0x0000000003910000-0x000000000397B000-memory.dmp

memory/2324-17-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4120-24-0x0000000000400000-0x0000000001BF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\001105534270

MD5	77fd231f85d628c057c21478cd558348
SHA1	34dc3fb072dc490b8d9acaa4e465cb39ba90f3cc
SHA256	d54b52ffe0fb9aaeb2c36dab6e21a1d263800064293607a1e3af6088576dc688
SHA512	75e5638676a6d062374c038bcd3e9fee7c3e6498174b448fb5022da0227c86ddb7ebabcd45a05c09b01f7c5cd4f3ded59e8381f93886b4555536565e11df4786

memory/4120-37-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/4396-40-0x0000000000400000-0x0000000001BF8000-memory.dmp

memory/3112-49-0x0000000000400000-0x0000000001BF8000-memory.dmp

Sample ID	240612-ldp1paxdln
Target	ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6
SHA256	ffec908fd6c542e67509ffa4330dbab4b77c15c24d4e2c085c3101490126c4b6
Tags	amadey 9a3efc trojan

Malware Analysis Report

2024-09-11 10:29

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files