Description	Indicator	Process	Target
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File created	C:\Windows\Tasks\Dctooux.job	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1244 wrote to memory of 3416	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 1244 wrote to memory of 3416	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 1244 wrote to memory of 3416	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe

"C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1264

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1340

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 440

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1748 -ip 1748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3416 -ip 3416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 888

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2804 -ip 2804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 448

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	g.bing.com	udp
US	13.107.21.237:443	g.bing.com	tcp
NL	23.62.61.194:443	www.bing.com	tcp
US	8.8.8.8:53	8.8.8.8.in-addr.arpa	udp
US	8.8.8.8:53	25.24.18.2.in-addr.arpa	udp
US	8.8.8.8:53	237.21.107.13.in-addr.arpa	udp
US	8.8.8.8:53	194.61.62.23.in-addr.arpa	udp
US	8.8.8.8:53	205.47.74.20.in-addr.arpa	udp
US	8.8.8.8:53	osdhs.in.ne	udp
US	8.8.8.8:53	greendag.ru	udp
US	8.8.8.8:53	jkshb.su	udp
KW	78.89.199.216:80	jkshb.su	tcp
KW	78.89.199.216:80	jkshb.su	tcp
KW	78.89.199.216:80	jkshb.su	tcp
US	8.8.8.8:53	216.199.89.78.in-addr.arpa	udp
US	8.8.8.8:53	183.59.114.20.in-addr.arpa	udp
US	8.8.8.8:53	171.39.242.20.in-addr.arpa	udp
US	8.8.8.8:53	140.71.91.104.in-addr.arpa	udp
US	8.8.8.8:53	172.214.232.199.in-addr.arpa	udp
US	8.8.8.8:53	18.24.18.2.in-addr.arpa	udp
US	8.8.8.8:53	13.227.111.52.in-addr.arpa	udp
US	8.8.8.8:53		udp

Files

memory/1244-1-0x00000000005F0000-0x00000000006F0000-memory.dmp

memory/1244-2-0x00000000006F0000-0x000000000075B000-memory.dmp

memory/1244-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5	c97ca64b5426ddb64fff9bbbe7cab799
SHA1	b06c301fef737fe0dabf3d2270671aa1919b453c
SHA256	162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f
SHA512	2aa3e3e47d76eeeaa8b2f200e725493a48436a3288de2b0a2cb4346611f44ec6a49e4c1f7dfd728e15373c63fda759d0546f6a31bf20f682305f0719a948c203

memory/1244-19-0x00000000006F0000-0x000000000075B000-memory.dmp

memory/1244-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/1244-18-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3416-22-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3416-23-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3416-24-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\447855248390

MD5	c1c7799c45c4a83e4ecaa8c63f28171d
SHA1	271bad09815578e878569e31d47333b2717abd2a
SHA256	567807c6c173eb96f9ebe15c7043d638da2a5b73f8351bef0cbd68f422661a42
SHA512	f771552912081bf361723fce3efb1394581e2967704257f1d711faacf18054700bcdafbd25ead085000db2b267bd14caec3bce59e31599d8d6149384960287f8

memory/3416-41-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2744-43-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2744-44-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1748-53-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1748-54-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2804-63-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 16:45

Reported

2024-06-16 16:48

Platform

win11-20240508-en

Max time kernel

145s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe	N/A

Drops file in Windows directory

Description	Indicator	Process	Target
File created	C:\Windows\Tasks\Dctooux.job	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	N/A

Enumerates physical storage devices

Program crash

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A	N/A	C:\Windows\SysWOW64\WerFault.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 4324 wrote to memory of 564	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4324 wrote to memory of 564	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 4324 wrote to memory of 564	N/A	C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe	C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe

"C:\Users\Admin\AppData\Local\Temp\162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 1136

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4324 -ip 4324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 1524

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 4924 -ip 4924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 488

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 564 -ip 564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 900

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 1148 -ip 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 488

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	jkshb.su	udp
US	8.8.8.8:53	osdhs.in.ne	udp
US	8.8.8.8:53	greendag.ru	udp
US	8.8.8.8:53	jkshb.su	udp
US	8.8.8.8:53	greendag.ru	udp
US	8.8.8.8:53	osdhs.in.ne	udp
US	8.8.8.8:53	jkshb.su	udp
US	8.8.8.8:53	greendag.ru	udp
IE	52.111.236.22:443		tcp

Files

memory/4324-1-0x0000000000670000-0x0000000000770000-memory.dmp

memory/4324-2-0x00000000021C0000-0x000000000222B000-memory.dmp

memory/4324-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5	c97ca64b5426ddb64fff9bbbe7cab799
SHA1	b06c301fef737fe0dabf3d2270671aa1919b453c
SHA256	162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f
SHA512	2aa3e3e47d76eeeaa8b2f200e725493a48436a3288de2b0a2cb4346611f44ec6a49e4c1f7dfd728e15373c63fda759d0546f6a31bf20f682305f0719a948c203

memory/4324-20-0x0000000000400000-0x0000000000470000-memory.dmp

memory/4324-19-0x00000000021C0000-0x000000000222B000-memory.dmp

memory/4324-18-0x0000000000400000-0x0000000000484000-memory.dmp

memory/564-23-0x0000000000400000-0x0000000000484000-memory.dmp

memory/564-22-0x0000000000400000-0x0000000000484000-memory.dmp

memory/564-24-0x0000000000400000-0x0000000000484000-memory.dmp

memory/564-30-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4924-32-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4924-33-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\672260578815

MD5	ce7dd198a760f06df2c2564e4937cf86
SHA1	f44e29634eaebef2f9d687f6de89ceb85716048b
SHA256	6f1f7b3a155e231d243f5aaf902a4bddff3cd2f43da642efa979e04f99c241da
SHA512	e53a88b94f6da98bccfd24e8b9bc47881bae88c135c3090baccd7e30a931c4f3d3bdafe54fae496c4a40333f59c461fd75e7fb33a0297e4cfa331212c7c0ae5b

memory/564-46-0x0000000000400000-0x0000000000484000-memory.dmp

memory/3744-53-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1148-62-0x0000000000400000-0x0000000000484000-memory.dmp

Sample ID	240616-t9q7mathkp
Target	162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f
SHA256	162dee9191552c92b47ecffb617d5bb1ae7d59afbadddb8b4066e8289e03027f
Tags	amadey b2c2c1 trojan

Malware Analysis Report

2024-09-11 10:27

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files