Malware Analysis Report

2024-09-11 11:33

Sample ID 240621-q65ztswfkr
Target 6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab
SHA256 6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab
Tags
amadey 9a3efc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab

Threat Level: Known bad

The file 6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab was found to be: Known bad.

Malicious Activity Summary

amadey 9a3efc trojan

Amadey

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-21 13:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 13:53

Reported

2024-06-21 13:55

Platform

win10v2004-20240611-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe"

Signatures

Amadey

trojan amadey

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2472 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2472 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe

"C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1140

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2472 -ip 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 3872 -ip 3872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 1360

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3276 -ip 3276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1452

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 32.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
AR 190.220.21.28:80 check-ftp.ru tcp
AR 190.220.21.28:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
AR 190.220.21.28:80 check-ftp.ru tcp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 28.21.220.190.in-addr.arpa udp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
N/A 127.0.0.127:80 tcp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp

Files

memory/2472-1-0x0000000000600000-0x0000000000700000-memory.dmp

memory/2472-2-0x0000000002110000-0x000000000217B000-memory.dmp

memory/2472-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 7e220a898dd2a1d72345a5886356bd34
SHA1 6aece597dd7116d2bba1fe697571ac3f4734da50
SHA256 6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab
SHA512 8a2addd4f0eb2a33c13538d697503b8f0a8cd4f8508deff6bc534efbe5eeba9dae24d52d9ed6df88f7b78ae0d939a44b35901422eac52c9aef341a74cd085abb

memory/2472-16-0x0000000002110000-0x000000000217B000-memory.dmp

memory/2472-15-0x0000000000400000-0x0000000000474000-memory.dmp

memory/2472-17-0x0000000000400000-0x0000000000470000-memory.dmp

memory/3872-19-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3872-20-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3872-21-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3872-26-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3276-29-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\004059303877

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\004059303877

MD5 f7eac3e01956cc0cf5c982406268563c
SHA1 d78d7b98a93db0769bd5e03bc1556d22fe3b2851
SHA256 8ff6f8141b3750043d15b55b2a8f87ca53ccb04737df698737942c4f0eaeec23
SHA512 1e0570d4ecd3836fe69ad185300233e983437aa574b4ad43f1b6bde9934d001046c5830de48b7bacf7712c3a81d6bae8dff4dc07d866e89e86fee78e085307fe

memory/3276-39-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3276-47-0x0000000000400000-0x0000000000474000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 13:53

Reported

2024-06-21 13:55

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe"

Signatures

Amadey

trojan amadey

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2660 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe
PID 2660 wrote to memory of 416 N/A C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe

"C:\Users\Admin\AppData\Local\Temp\6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 1132

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

"C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2660 -ip 2660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 1408

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1344 -ip 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 484

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 416 -ip 416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 900

Network

Country Destination Domain Proto
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 check-ftp.ru udp
US 8.8.8.8:53 techolivls.in udp
US 8.8.8.8:53 dnschnj.at udp
US 8.8.8.8:53 dnschnj.at udp

Files

memory/2660-1-0x00000000006D0000-0x00000000007D0000-memory.dmp

memory/2660-2-0x00000000021B0000-0x000000000221B000-memory.dmp

memory/2660-3-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9695770f1\Dctooux.exe

MD5 7e220a898dd2a1d72345a5886356bd34
SHA1 6aece597dd7116d2bba1fe697571ac3f4734da50
SHA256 6c26c2165f643a2eb667454439e69dceb5ea05d09bbd4ba5a8da7c61edecd5ab
SHA512 8a2addd4f0eb2a33c13538d697503b8f0a8cd4f8508deff6bc534efbe5eeba9dae24d52d9ed6df88f7b78ae0d939a44b35901422eac52c9aef341a74cd085abb

memory/2660-16-0x00000000021B0000-0x000000000221B000-memory.dmp

memory/2660-17-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2660-15-0x0000000000400000-0x0000000000474000-memory.dmp

memory/416-19-0x0000000000400000-0x0000000000474000-memory.dmp

memory/416-20-0x0000000000400000-0x0000000000474000-memory.dmp

memory/416-21-0x0000000000400000-0x0000000000474000-memory.dmp

memory/416-26-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\457560273698

MD5 718cac288922174e79696e0ca889666d
SHA1 c9147cdf764783c20281bb46790622b16c2ef032
SHA256 c780c13e70e0a5a8c680db3e0e67e81697e168e5812d91da5046c830706c552b
SHA512 9ae94ee44dc934ce73076d94e8251163fd132484630545e07f2803551c2fada1409509e800957ab7668718668685fb809d60558f38f8a8a742814a84a543c217

memory/416-31-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1344-42-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1344-41-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1344-43-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1344-44-0x0000000000400000-0x0000000000474000-memory.dmp

memory/416-45-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1308-54-0x0000000000400000-0x0000000000474000-memory.dmp