Malware Analysis Report

2024-09-11 13:42

Sample ID 240613-2pqdlatdmh
Target 3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25
SHA256 3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25

Threat Level: Known bad

The file 3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:45

Reported

2024-06-13 22:50

Platform

win7-20240611-en

Max time kernel

294s

Max time network

240s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2420 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2420 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2420 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe

"C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
MX 187.204.69.21:80 selltix.org tcp
MX 187.204.69.21:80 selltix.org tcp
MX 187.204.69.21:80 selltix.org tcp
US 8.8.8.8:53 nudump.com udp
MX 187.204.69.21:80 selltix.org tcp
MX 187.204.69.21:80 selltix.org tcp
MX 187.204.69.21:80 selltix.org tcp
MX 187.204.69.21:80 selltix.org tcp
MX 187.204.69.21:80 selltix.org tcp
IR 46.100.50.5:80 selltix.org tcp
BR 189.61.54.32:80 selltix.org tcp
BR 189.61.54.32:80 selltix.org tcp
RU 91.189.114.21:80 otyt.ru tcp
US 8.8.8.8:53 nudump.com udp
BR 189.61.54.32:80 selltix.org tcp
BR 189.61.54.32:80 selltix.org tcp
US 8.8.8.8:53 nudump.com udp
BR 189.61.54.32:80 selltix.org tcp
US 8.8.8.8:53 nudump.com udp

Files

memory/2420-1-0x0000000001900000-0x0000000001A00000-memory.dmp

memory/2420-2-0x0000000000300000-0x000000000036F000-memory.dmp

memory/2420-3-0x0000000000400000-0x0000000000472000-memory.dmp

\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 7f67a0e298fd3da2dd0ec69f71e427d4
SHA1 06c4cd0ea5a9352ce86033ff8333fc0330fde8fb
SHA256 3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25
SHA512 a2ac71bd548a35e74125b8190551d09e5625e4fa4c095391e0d155c4f0ff88aa7f39a48b1c7906fe1dc7919c47bc4df07810df9058fabbfd724653ba5865f4a4

memory/2420-18-0x0000000001900000-0x0000000001A00000-memory.dmp

memory/2420-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2420-21-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2420-19-0x0000000000300000-0x000000000036F000-memory.dmp

memory/2420-16-0x0000000000400000-0x0000000001827000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\969036373035

MD5 8012ed0b925b8c93ac25f501f52a074b
SHA1 d5429c3580702567870dbbae6c891e89d3a7b5be
SHA256 ee81a83023aa8669b57718596c7824360f8d61e130d9516984531b37aa84e55e
SHA512 7f0fef3669c7793e574cf0d947412776cd99d8066f94c2cccf5aacd12dfa66796e51520f74cd1a1af59c15b3661ffd0544e719b44093bdcf1c221dc659e85578

memory/2612-35-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2612-39-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2420-40-0x0000000000400000-0x0000000001827000-memory.dmp

C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll

MD5 d47b646093dd84d34885a714ce4bd74e
SHA1 c4df23671b6440e29159093dc52cb8c4aa184597
SHA256 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
SHA512 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338

memory/2612-49-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2612-55-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2612-75-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2612-81-0x0000000000400000-0x0000000001827000-memory.dmp

memory/2612-97-0x0000000000400000-0x0000000001827000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:45

Reported

2024-06-13 22:50

Platform

win10-20240404-en

Max time kernel

295s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe"

Signatures

Amadey

trojan amadey

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe

"C:\Users\Admin\AppData\Local\Temp\3f753cb5c996b5df5b4b039ad9b23dc6ff73023fca191fbe3c6ed01f58ae2d25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 1140

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

memory/1292-1-0x0000000001BC0000-0x0000000001CC0000-memory.dmp

memory/1292-2-0x0000000001970000-0x00000000019DF000-memory.dmp

memory/1292-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1292-5-0x0000000000400000-0x0000000001827000-memory.dmp

memory/1292-8-0x0000000001970000-0x00000000019DF000-memory.dmp

memory/1292-7-0x0000000001BC0000-0x0000000001CC0000-memory.dmp

memory/1292-9-0x0000000000400000-0x0000000000472000-memory.dmp