Malware Analysis Report

2024-09-11 14:23

Sample ID 240621-px3bxatfqk
Target a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25
SHA256 a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25
Tags
amadey 8fc809 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25

Threat Level: Known bad

The file a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25 was found to be: Known bad.

Malicious Activity Summary

amadey 8fc809 trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-21 12:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 12:43

Reported

2024-06-21 12:45

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 988 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 988 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 988 wrote to memory of 3144 N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

"C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1264

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 988 -ip 988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 1476

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1096 -ip 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 448

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 780

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
MD 188.237.2.116:80 selltix.org tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 116.2.237.188.in-addr.arpa udp
US 8.8.8.8:53 nudump.com udp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
MD 188.237.2.116:80 selltix.org tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 udp

Files

memory/988-2-0x00000000020C0000-0x000000000212F000-memory.dmp

memory/988-1-0x0000000000720000-0x0000000000820000-memory.dmp

memory/988-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 61f57206e3d3d3d1621fe10c0a7f2d71
SHA1 13657383a9fac80797fed9027b19dc14996dd3ac
SHA256 a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25
SHA512 5940c324406527ceaf1b37d0e00759e2c7831a4db01adf2339036ab113280ae01aee00254f2d87961b8f896fe29c331ec803f25cf0e8b88e33e6b4ca6132ef98

memory/988-16-0x00000000020C0000-0x000000000212F000-memory.dmp

memory/988-17-0x0000000000400000-0x0000000000472000-memory.dmp

memory/988-15-0x0000000000400000-0x0000000000475000-memory.dmp

memory/3144-20-0x0000000000400000-0x0000000000475000-memory.dmp

memory/3144-19-0x0000000000400000-0x0000000000475000-memory.dmp

memory/3144-21-0x0000000000400000-0x0000000000475000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\204450073126

MD5 4154139df84e27acbed452c969722120
SHA1 3c100aa4b8ecf6417deb6b8f16e255159cc57c40
SHA256 1ef9e8bf8fcd7d64a941d8f2bddd16e27f5065c7cb27b31525c1fc489e97aa30
SHA512 facfad4c1b18a0494fe43f5b8a93d4e7787d240d0cbb8e35f2c0665315d7da39bcc0e2c93f9c06a312be4ee2433778e22cf93b3ffee34fc093c9764c71a08e4c

memory/3144-34-0x0000000000400000-0x0000000000475000-memory.dmp

memory/3144-38-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1096-44-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1096-43-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1096-45-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1096-46-0x0000000000400000-0x0000000000475000-memory.dmp

memory/3608-55-0x0000000000400000-0x0000000000475000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 12:43

Reported

2024-06-21 12:45

Platform

win11-20240611-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2404 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe
PID 2404 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe

"C:\Users\Admin\AppData\Local\Temp\a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1136

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1500

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1508 -ip 1508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 480

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2852 -ip 2852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1636

Network

Country Destination Domain Proto
US 8.8.8.8:53 otyt.ru udp
US 8.8.8.8:53 selltix.org udp
US 8.8.8.8:53 nudump.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp
MD 188.237.2.116:80 selltix.org tcp

Files

memory/2404-1-0x0000000000720000-0x0000000000820000-memory.dmp

memory/2404-2-0x00000000021C0000-0x000000000222F000-memory.dmp

memory/2404-3-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b739b37d80\Dctooux.exe

MD5 61f57206e3d3d3d1621fe10c0a7f2d71
SHA1 13657383a9fac80797fed9027b19dc14996dd3ac
SHA256 a7a92d89003582772abd453355a3bf6eacb2c71ebd3ee286ad51b8b4eb2ebf25
SHA512 5940c324406527ceaf1b37d0e00759e2c7831a4db01adf2339036ab113280ae01aee00254f2d87961b8f896fe29c331ec803f25cf0e8b88e33e6b4ca6132ef98

memory/2404-17-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2404-16-0x00000000021C0000-0x000000000222F000-memory.dmp

memory/2404-15-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2852-19-0x0000000000400000-0x0000000000475000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\235821424191

MD5 e2376d49c97ecc0727caf2f4167a2028
SHA1 e1439dc437a09cca36b76f1d440ac7725d03e4f7
SHA256 be39b46b569b8eb48a3fa6e6ced2edd5700ae21d3013c5b7ea1f975e9147bd29
SHA512 9cc5db232e5f003f75e59ee59e2809ef8992989e4808866fc07d4406a8f6b289499d9adb44abe3ae0d3bffc1429f1c15bce73517363fae75525c5b09dc10beb8

memory/2852-35-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2852-36-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1508-40-0x0000000000400000-0x0000000000475000-memory.dmp

memory/1508-41-0x0000000000400000-0x0000000000475000-memory.dmp

memory/3140-50-0x0000000000400000-0x0000000000475000-memory.dmp