Malware Analysis Report

2024-09-11 10:39

Sample ID 240620-qqm43szejc
Target setup.exe
SHA256 7ffdaf476524a9f3c0966b1fa0cb5551d542f310e6ed20d8832ca10b48e29dc9
Tags
amadey b2c2c1 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ffdaf476524a9f3c0966b1fa0cb5551d542f310e6ed20d8832ca10b48e29dc9

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

amadey b2c2c1 trojan

Amadey

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 13:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 13:28

Reported

2024-06-20 13:30

Platform

win7-20240611-en

Max time kernel

144s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 2236 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 greendag.ru udp
MO 60.246.120.127:80 jkshb.su tcp
MO 60.246.120.127:80 jkshb.su tcp
MO 60.246.120.127:80 jkshb.su tcp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 greendag.ru udp

Files

\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 09371b0ec59d68d008b7c08a10de35cb
SHA1 3f8ea250788004d66680f2837352814f34eb2881
SHA256 7ffdaf476524a9f3c0966b1fa0cb5551d542f310e6ed20d8832ca10b48e29dc9
SHA512 4639e53f144de0d0c7160313f342fd0d25d20e19093b3bd87789a88820d660d5a44b135a0de1b9143ee38404fcd70ac850ee3169082eb46c6107bf82b46ab2d5

memory/2236-13-0x0000000000400000-0x0000000002766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\969036373035

MD5 de0f8ee1ecb03c34147a0f82d21415d9
SHA1 41cbfbebf7c738dca549f8b6d6f2d6ed95ec8c9a
SHA256 fa851aa660c1221dc4ff20b86cc2452f2df68a5a9ec2b62acbe250d725fa3e13
SHA512 347e8be7063640d51f4b0a5ebf5e5ec64d8e297753a6bc131f16b46a54d7ccd0fa3eca0740b3b96a736f96000fffd380cfcb1ed5ed8ef64aa0e8db9a1b726fca

memory/2564-27-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2564-35-0x0000000000400000-0x0000000002766000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 13:28

Reported

2024-06-20 13:30

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3960 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3960 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe
PID 3960 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1388

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 1432

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 844

Network

Country Destination Domain Proto
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 jkshb.su udp
US 8.8.8.8:53 greendag.ru udp
US 8.8.8.8:53 osdhs.in.ne udp
US 8.8.8.8:53 jkshb.su udp

Files

memory/3960-2-0x0000000004150000-0x00000000041BB000-memory.dmp

memory/3960-1-0x0000000002850000-0x0000000002950000-memory.dmp

memory/3960-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e221f72865\Dctooux.exe

MD5 09371b0ec59d68d008b7c08a10de35cb
SHA1 3f8ea250788004d66680f2837352814f34eb2881
SHA256 7ffdaf476524a9f3c0966b1fa0cb5551d542f310e6ed20d8832ca10b48e29dc9
SHA512 4639e53f144de0d0c7160313f342fd0d25d20e19093b3bd87789a88820d660d5a44b135a0de1b9143ee38404fcd70ac850ee3169082eb46c6107bf82b46ab2d5

memory/3960-17-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3960-16-0x0000000004150000-0x00000000041BB000-memory.dmp

memory/3960-15-0x0000000000400000-0x0000000002766000-memory.dmp

memory/5092-19-0x0000000000400000-0x0000000002766000-memory.dmp

memory/5092-20-0x0000000000400000-0x0000000002766000-memory.dmp

memory/5092-25-0x0000000000400000-0x0000000002766000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124900551406

MD5 83dc6b6172a06b74cbc1bd1e951d1284
SHA1 99697eab514064db7ec1dfc308f7308b729aeb95
SHA256 6620af88a33aa42d23a7cdff13d0680096240e2b9aa484be685597ece6d82db1
SHA512 749f7dc8f780ee2651fbb68e4318a101c22928e9dceff1ccb67947f715b5fbcf71be7ade6c01d996323cdb2bdd5cdd0e4211ed7bac44f13c8b60b61d342c0c65

memory/5092-39-0x0000000000400000-0x0000000002766000-memory.dmp

memory/3492-42-0x0000000000400000-0x0000000002766000-memory.dmp

memory/2108-51-0x0000000000400000-0x0000000002766000-memory.dmp