Analysis Overview
SHA256: 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6
Threat Level: Known bad
The file 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6 was found to be: Known bad.
Malicious Activity Summary
Amadey
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-26 07:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-26 07:52
Reported: 2024-06-26 07:55
Platform: win7-20240220-en
Max time kernel: 144s
Max time network: 129s
Command Line
Signatures
Amadey
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe
"C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe"
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
"C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "npsvga64.exe" /P "Admin:N"&&CACLS "npsvga64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\49f0160cce" /P "Admin:N"&&CACLS "..\49f0160cce" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "npsvga64.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "npsvga64.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\49f0160cce" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\49f0160cce" /P "Admin:R" /E
C:\Windows\system32\taskeng.exe
taskeng.exe {821BB93F-F37B-48E4-9618-59BCB3D02C71} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
Network
| Country | Destination | Domain | Proto |
| DE | 188.40.122.96:80 | 188.40.122.96 | tcp |
| DE | 188.40.122.96:80 | 188.40.122.96 | tcp |
Files
memory/1732-0-0x0000000003990000-0x00000000039CF000-memory.dmp
memory/1732-2-0x00000000041B0000-0x00000000041B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
| MD5 | f67e33f48a1cef22ec4ff037fc2da7c2 |
| SHA1 | a7d454e86ccf547561d5bf13d2eea1d471417d5d |
| SHA256 | 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6 |
| SHA512 | 6bef7e7c412b5f5eb8bd3a00b72e6613822b4333bf5472b2d83f0cdcb25e12bd8fc2bc1cc5aa9c4b872a7dc1876eabdd6b20ad581c4a74a365ae00e4fcbf76a5 |
memory/1732-14-0x0000000003990000-0x00000000039CF000-memory.dmp
memory/1732-16-0x0000000000400000-0x0000000000E70000-memory.dmp
memory/2996-20-0x0000000000E70000-0x0000000000EAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\721934792624
| MD5 | 1c86d5270a37d5ad352031e5dc8f0868 |
| SHA1 | fdb3112e68d80da6cbf4cf60f0d91266e69fd9f8 |
| SHA256 | de47e7151465597b47dfa17712e773a0ebd132bb2127bb5aadb5b43216f1bf4c |
| SHA512 | 65efbc23fad78b645af41280103be8056bd0d59850c66fd86eada977f972e62ac052b761d7f68387a2d58f3b8f51656a2cf347cfdb87753f0d4610b88164e8ba |
memory/2996-33-0x0000000000400000-0x0000000000E70000-memory.dmp
memory/1768-42-0x0000000003960000-0x000000000399F000-memory.dmp
memory/1768-44-0x0000000000400000-0x0000000000E70000-memory.dmp
memory/1684-54-0x0000000003990000-0x00000000039CF000-memory.dmp
memory/1684-55-0x0000000003990000-0x00000000039CF000-memory.dmp
memory/1684-56-0x0000000000400000-0x0000000000E70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-26 07:52
Reported: 2024-06-26 07:55
Platform: win10v2004-20240611-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Amadey
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe
"C:\Users\Admin\AppData\Local\Temp\4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6.exe"
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
"C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN npsvga64.exe /TR "C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "npsvga64.exe" /P "Admin:N"&&CACLS "npsvga64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\49f0160cce" /P "Admin:N"&&CACLS "..\49f0160cce" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "npsvga64.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "npsvga64.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\49f0160cce" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\49f0160cce" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
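The process trees of both behavioral runs tell the same story. The sample copies itself to %LOCALAPPDATA%\Temp\49f0160cce\npsvga64.exe (the Files section shows the dropped file with the same MD5, SHA1 and SHA256 as the submitted file) and launches the copy. The copy registers a scheduled task named npsvga64.exe with /SC MINUTE /MO 1, so it is relaunched every minute, and /F, so any task of that name is overwritten (ATT&CK T1053.005); the four extra npsvga64.exe instances at the end of each list are those relaunches, started by taskeng.exe in the Windows 7 run. It then runs a cmd.exe chain in which `echo Y|` answers the cacls confirmation prompt, `/P "Admin:N"` replaces the ACL on the dropped file and on its directory with a "no access" entry for the Admin user, and `/P "Admin:R" /E` edits the ACL back to read-only (T1222.001). The user whose profile hosts the file can no longer delete or modify it while the task keeps relaunching it.

The following detection logic, written for this page as an added example and not taken from the sandbox or any product, turns those three observations into rules over process-creation and registry-query events. The event records are constructed from the report's own command lines plus one benign control task; the field names (image, command_line, key) are an assumed minimal schema rather than any specific EDR or Sysmon format.

```python
"""Detection rules for the behaviour in the process tree above: a schtasks job
that reruns a dropped Temp binary every minute, cacls calls that remove the
user's own access to that binary and its directory, and the Geo\\Nation read
behind "Checks computer location settings".  Added example, not part of the
sandbox report; the events at the bottom are constructed from the report's
command lines plus one benign control, using an assumed minimal schema."""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a task action or a location
# check originating here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local\\Temp|Roaming)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+.*?/create\b', re.I)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", re.I)
SCHTASKS_ACTION = re.compile(r'/tr\s+("[^"]*"|\S+)', re.I)
# cacls <path> /P <user>:N sets that user's access to None; without /E the whole
# ACL is replaced, which is why the sample pipes "echo Y" into the prompt.
CACLS_DENY = re.compile(r'\bcacls(?:\.exe)?\s+("[^"]*"|\S+)\s+/p\s+"?[^"\s:]+:N\b', re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    image: str         # full path of the created process
    command_line: str  # command line exactly as logged


@dataclass(frozen=True)
class RegistryQueryEvent:
    image: str  # process that read the value
    key: str    # full registry path of the value


def check_scheduled_task(ev):
    """schtasks /Create whose action is in a user-writable path or which repeats
    at a minute-level interval (the sample uses /SC MINUTE /MO 1 /F)."""
    cl = ev.command_line
    action = SCHTASKS_ACTION.search(cl)
    if not SCHTASKS_CREATE.search(cl) or not action:
        return None
    target = action.group(1).strip('"')
    reasons = []
    if USER_WRITABLE.search(target):
        reasons.append("task action lives in a user-writable directory")
    minute = SCHTASKS_MINUTE.search(cl)
    if minute:
        every = int(minute.group(1) or 1)
        if every <= 5:
            reasons.append(f"task reruns every {every} minute(s)")
    return ("scheduled_task", target, reasons) if reasons else None


def check_cacls_deny(ev):
    """cacls ... /P <user>:N: the caller strips a user's access to the dropped
    file or directory so it can no longer be deleted (matches inside cmd chains too)."""
    hits = [m.group(1).strip('"') for m in CACLS_DENY.finditer(ev.command_line)]
    return ("acl_self_deny", hits, ["user access set to N (none)"]) if hits else None


def check_geo_query(ev):
    """Geo\\Nation read by a binary running from a user-writable path."""
    if GEO_NATION.search(ev.key) and USER_WRITABLE.search(ev.image):
        return ("geo_nation_query", ev.key, ["location check from a Temp binary"])
    return None


def scan(events):
    """Run every rule over every event; returns (rule, image, detail, reasons)."""
    alerts = []
    for ev in events:
        checks = (check_geo_query,) if isinstance(ev, RegistryQueryEvent) \
            else (check_scheduled_task, check_cacls_deny)
        for check in checks:
            hit = check(ev)
            if hit:
                alerts.append((hit[0], ev.image) + hit[1:])
    return alerts


# Constructed events mirroring the report's process tree, plus a benign control.
DROP = r"C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe"
EVENTS = [
    ProcessEvent(r"C:\Windows\SysWOW64\schtasks.exe",
                 f'"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 '
                 f'/TN npsvga64.exe /TR "{DROP}" /F'),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /k echo Y|CACLS "npsvga64.exe" /P "Admin:N"'
                 '&&CACLS "npsvga64.exe" /P "Admin:R" /E&&echo Y|CACLS "..\\49f0160cce" /P "Admin:N"'
                 '&&CACLS "..\\49f0160cce" /P "Admin:R" /E&&Exit'),
    ProcessEvent(r"C:\Windows\SysWOW64\cacls.exe", 'CACLS "npsvga64.exe" /P "Admin:N"'),
    ProcessEvent(r"C:\Windows\SysWOW64\cacls.exe", 'CACLS "npsvga64.exe" /P "Admin:R" /E'),
    RegistryQueryEvent(DROP, r"\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000"
                             r"\Control Panel\International\Geo\Nation"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",  # benign control, constructed
                 'schtasks.exe /Create /SC DAILY /TN NightlyBackup /TR "C:\\Program Files\\Backup\\backup.exe"'),
]

if __name__ == "__main__":
    for rule, image, detail, reasons in scan(EVENTS):
        print(f"[{rule}] {image}: {detail} ({'; '.join(reasons)})")
```

Running the block flags the schtasks job (user-writable action, one-minute interval), both cacls deny calls in the cmd.exe chain plus the standalone cacls.exe one, and the Geo\Nation read, while the daily task under Program Files stays quiet. The cacls rule deliberately matches the parent cmd.exe command line as well as the child cacls.exe processes, since some telemetry only records the parent; dedupe on the target path if both are logged. When cleaning up an infected host, delete the task before touching the file, otherwise the task recreates the process between your steps.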
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 188.40.122.96:80 | 188.40.122.96 | tcp |
| DE | 188.40.122.96:80 | 188.40.122.96 | tcp |
| US | 8.8.8.8:53 | 96.122.40.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.229.138.52.in-addr.arpa | udp |
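In both runs the only non-Microsoft traffic is two TCP connections to 188.40.122.96:80 with the bare IP in the Domain column: the sample never resolved a hostname for its peer. The in-addr.arpa queries to 8.8.8.8 are reverse lookups; most of them are for Microsoft ranges contacted by the Windows 10 image itself, and the one for 96.122.40.188.in-addr.arpa maps back to the C2 address. The following triage script, written for this page as an added example and not part of the sandbox report, parses rows in the table's own pipe-delimited layout and flags public peers reached on a web port without a hostname, noting whether a reverse lookup for that IP appears in the DNS rows. The rows are copied from the behavioral2 table; the layout assumption and the port list are mine.

```python
"""Triage of the Network table above: flag TCP connections on web ports whose
Domain column is a bare IP literal, i.e. no hostname was resolved for the
peer, the shape of the Amadey C2 traffic to 188.40.122.96:80 in both runs.
Added example, not part of the sandbox report; the rows are copied from the
behavioral2 table and the parser assumes that exact pipe-delimited layout."""
import ipaddress

# Rows copied from the report.  The PTR lookups for Microsoft ranges are OS
# noise; the one for 96.122.40.188 maps back to the C2 address.
TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 188.40.122.96:80 | 188.40.122.96 | tcp |
| DE | 188.40.122.96:80 | 188.40.122.96 | tcp |
| US | 8.8.8.8:53 | 96.122.40.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
"""
WEB_PORTS = {80, 443, 8080, 8443}  # assumed list of "web" ports worth flagging


def parse_rows(text):
    """Parse the report's '| Country | ip:port | Domain | Proto |' rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header line or malformed destination
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_ip_literal(name):
    """True when the Domain column holds an address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def ptr_target(name):
    """'96.122.40.188.in-addr.arpa' -> '188.40.122.96'; None for other names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def direct_to_ip_flows(rows):
    """Public peers reached on a web port with no hostname in the Domain column.
    Each (ip, port) is reported once; ptr_lookup_seen records whether a reverse
    lookup for that IP appears in the DNS rows (useful for attribution, not
    evidence that the malware resolved anything)."""
    reverse_looked_up = {ptr_target(r["domain"]) for r in rows
                         if r["proto"] == "udp" and r["port"] == 53}
    alerts, seen = [], set()
    for r in rows:
        if r["proto"] != "tcp" or r["port"] not in WEB_PORTS or not is_ip_literal(r["domain"]):
            continue
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_private or addr.is_loopback or (r["ip"], r["port"]) in seen:
            continue
        seen.add((r["ip"], r["port"]))
        alerts.append({"dest": f"{r['ip']}:{r['port']}", "country": r["country"],
                       "ptr_lookup_seen": r["ip"] in reverse_looked_up})
    return alerts


if __name__ == "__main__":
    for alert in direct_to_ip_flows(parse_rows(TABLE)):
        print(alert)
```

On the rows above this yields a single alert for 188.40.122.96:80; the bing.net connection is skipped because a hostname was resolved for it. Direct-to-IP HTTP is a heuristic with known false positives (CDN edges, update checks, some VPN clients), so treat it as a pivot to the process-level indicators rather than a verdict on its own, and block the address at the egress proxy only after confirming the connecting process is the Temp binary.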
Files
memory/212-1-0x0000000002450000-0x000000000248F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\49f0160cce\npsvga64.exe
| MD5 | f67e33f48a1cef22ec4ff037fc2da7c2 |
| SHA1 | a7d454e86ccf547561d5bf13d2eea1d471417d5d |
| SHA256 | 4daf3337d05daaafe0f71b6075b53a17f191fa229848ccb2209db3f77421e0c6 |
| SHA512 | 6bef7e7c412b5f5eb8bd3a00b72e6613822b4333bf5472b2d83f0cdcb25e12bd8fc2bc1cc5aa9c4b872a7dc1876eabdd6b20ad581c4a74a365ae00e4fcbf76a5 |
memory/212-15-0x0000000002450000-0x000000000248F000-memory.dmp
memory/212-17-0x0000000000400000-0x0000000000E70000-memory.dmp
memory/4944-20-0x0000000003AB0000-0x0000000003AEF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\169499791354
| MD5 | 16de5863612e26db7ffed108e111e9c9 |
| SHA1 | 74a4e8672ec0f506abfc2b94d162f83c0253cfc7 |
| SHA256 | ef4ea0524f1fa2259866278cc93bd59f890eea23ce033ec222789d6ad01f84ed |
| SHA512 | 1cec95df17715c70d38bcaa026a75f4e6c8d36cbb26def5abcd424e44a5bc3e5bbd55023732ef9be629a1c1f2524192f0a36974097b08756ac6a6ce34cc69ffa |
memory/4944-33-0x0000000000400000-0x0000000000E70000-memory.dmp
memory/2924-42-0x0000000001010000-0x000000000104F000-memory.dmp
memory/2924-44-0x0000000000400000-0x0000000000E70000-memory.dmp
memory/5040-54-0x0000000002120000-0x000000000215F000-memory.dmp
memory/5040-55-0x0000000000400000-0x0000000000E70000-memory.dmp