Malware Analysis Report

2024-09-11 13:42

Sample ID 240614-aeeessxajf
Target e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99
SHA256 e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99

Threat Level: Known bad

The file e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:07

Reported

2024-06-14 00:12

Platform

win7-20240508-en

Max time kernel

297s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2428 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2428 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2428 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2428 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe

"C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe"

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 selltix.org udp

Files

memory/2428-1-0x0000000000820000-0x0000000000920000-memory.dmp

memory/2428-2-0x0000000000230000-0x000000000029F000-memory.dmp

memory/2428-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2428-5-0x0000000000400000-0x00000000006AA000-memory.dmp

\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 1dd4cd6304347c679d169ca2c78a75c3
SHA1 d7a3c3b9540e3e714b3b284b7f0c6cde9502d362
SHA256 e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99
SHA512 56fe9eac130f475a1ed6349dd4401e0c37e5a67d13480caf6295234add5b0168e331af61dcab66037d9299a879e2b2b18bd8f36d1c79e6212a342fcc099f58c7

memory/2428-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2428-21-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2428-19-0x0000000000230000-0x000000000029F000-memory.dmp

memory/2428-18-0x0000000000820000-0x0000000000920000-memory.dmp

memory/2448-23-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-24-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-30-0x0000000000400000-0x00000000006AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\680803933149

MD5 5c646ffcecca597ec4ce2dbe7904b50d
SHA1 12ab0eba659f84549a65066d10309ac690fff95d
SHA256 71b5312835075601f6c1f8a3df6c38001e8251baeb2449a66832e73f35d01f68
SHA512 0c1617a78684e2b91f4f2b6a6700da9a3d4ad7d713f387c89027fc286de9b35350b2fb1e081948720861109a67af21cf45b7b9f222fa470a2d5216fe9e3e41bf

memory/2448-35-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-43-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-47-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-69-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-76-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/2448-82-0x0000000000400000-0x00000000006AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:07

Reported

2024-06-14 00:12

Platform

win10-20240611-en

Max time kernel

292s

Max time network

263s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe"

Signatures

Amadey

trojan amadey

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe

"C:\Users\Admin\AppData\Local\Temp\e53309c5cb2113515bca71c3b4cb822d230f8ed16eecd741ba23c43884a13f99.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1100

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/1384-1-0x0000000000830000-0x0000000000930000-memory.dmp

memory/1384-2-0x00000000022D0000-0x000000000233F000-memory.dmp

memory/1384-3-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1384-5-0x0000000000400000-0x00000000006AA000-memory.dmp

memory/1384-7-0x0000000000830000-0x0000000000930000-memory.dmp

memory/1384-8-0x00000000022D0000-0x000000000233F000-memory.dmp

memory/1384-9-0x0000000000400000-0x0000000000472000-memory.dmp