Malware Analysis Report

2024-09-11 14:30

Sample ID 240620-fcwh7azare
Target ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc
SHA256 ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc

Threat Level: Known bad

The file ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 04:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 04:44

Reported

2024-06-20 04:46

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 456 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 456 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 456 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe

"C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4160,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 456 -ip 456

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 456 -ip 456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 456 -s 1352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 1456

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4484 -ip 4484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 440

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4852 -ip 4852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2620 -ip 2620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 848

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
CO 190.147.128.172:80 selltix.org tcp
CO 190.147.128.172:80 selltix.org tcp
CO 190.147.128.172:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 172.128.147.190.in-addr.arpa udp
CO 190.147.128.172:80 selltix.org tcp
CO 190.147.128.172:80 selltix.org tcp
CO 190.147.128.172:80 selltix.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
CO 190.147.128.172:80 selltix.org tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
CO 190.147.128.172:80 selltix.org tcp
CO 190.147.128.172:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 92.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp

Files

memory/456-2-0x00000000020E0000-0x000000000214F000-memory.dmp

memory/456-1-0x0000000000690000-0x0000000000790000-memory.dmp

memory/456-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 93b7836799653e4866a48f777ec122b8
SHA1 d7f2bed37014b2e0805796f48fa02430d5152dc7
SHA256 ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc
SHA512 df4666f5ba464016a16d2ef15dd08c02c7fb68a553d37359efccf0d596f24e6d0db3d0e2a496318d633f678edeb4001b36b72bf57ddfbb382d33f9a58aaeabaf

memory/456-17-0x0000000000400000-0x0000000000472000-memory.dmp

memory/456-16-0x00000000020E0000-0x000000000214F000-memory.dmp

memory/2620-20-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2620-19-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2620-21-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\181767204200

MD5 988faf5d2de99ef7275e29b510cd60e4
SHA1 0cf9b29e00dc77bd8da259e7338f283e088383da
SHA256 5dfcb128aeca9a95de1d8fb63efa11f161677ef91a93275b10b34679a0b35337
SHA512 8ac3865991cdd2d8e478218099f723ab4c39e7ac9b79450ef6044149a0b2cc4cde6fe8f530108e9d07af6625223c51733a715dae8c6b9074bae0064d582c4da2

memory/2620-37-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2620-38-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4484-43-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4484-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4852-53-0x0000000000400000-0x0000000000472000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 04:44

Reported

2024-06-20 04:46

Platform

win11-20240611-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1452 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1452 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 1452 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe

"C:\Users\Admin\AppData\Local\Temp\ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1452 -ip 1452

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 1536

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 948 -ip 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 480

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 2028 -ip 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4104 -ip 4104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 904

Network

Country Destination Domain Proto
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 nudump.com udp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp
MK 77.29.48.123:80 selltix.org tcp

Files

memory/1452-2-0x00000000021D0000-0x000000000223F000-memory.dmp

memory/1452-1-0x0000000000660000-0x0000000000760000-memory.dmp

memory/1452-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 93b7836799653e4866a48f777ec122b8
SHA1 d7f2bed37014b2e0805796f48fa02430d5152dc7
SHA256 ba914bb4a1e4481d32e8a7f332dde9b2ecbeccaa291a34477f11e3bbccb346cc
SHA512 df4666f5ba464016a16d2ef15dd08c02c7fb68a553d37359efccf0d596f24e6d0db3d0e2a496318d633f678edeb4001b36b72bf57ddfbb382d33f9a58aaeabaf

memory/1452-16-0x00000000021D0000-0x000000000223F000-memory.dmp

memory/1452-17-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4104-19-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\198854727384

MD5 e7e512601502d2b579d83312e08221da
SHA1 4007d9f017eb50f871aba45077b9f16eb97e35ff
SHA256 82eebf78992dd2760ddfb2c6e0d1f64ae887039a4efcadbb6f5353f171e63ce3
SHA512 ba227f9a3209bbe1ea45dc7384f0a20d7bd08ae6261e68fd1924206317f01f7eef47501fbffb94cfc6ff4c89fdf34791cc205188267bcd382a0b4a64da68d228

memory/4104-35-0x0000000000400000-0x0000000000472000-memory.dmp

memory/4104-36-0x0000000000400000-0x0000000000472000-memory.dmp

memory/948-41-0x0000000000400000-0x0000000000472000-memory.dmp

memory/948-42-0x0000000000400000-0x0000000000472000-memory.dmp

memory/948-43-0x0000000000400000-0x0000000000472000-memory.dmp

memory/948-44-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2028-53-0x0000000000400000-0x0000000000472000-memory.dmp