Analysis Overview
SHA256
cfe865ff674950f8d2bde9161d0b0a34b26b9f742022754f212077d9068a3ea4
Threat Level: Known bad
The file am.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Blocklisted process makes network request
Suspicious use of SetThreadContext
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 17:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 17:26
Reported
2024-06-27 17:29
Platform
win7-20240508-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2188 set thread context of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Synapse Service.job | C:\Windows\SysWOW64\more.com | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pixeldrain.com | udp |
| NL | 50.7.22.10:443 | pixeldrain.com | tcp |
| NL | 50.7.22.10:443 | pixeldrain.com | tcp |
| US | 8.8.8.8:53 | s6.imgcdn.dev | udp |
| US | 172.67.144.147:443 | s6.imgcdn.dev | tcp |
| US | 8.8.8.8:53 | filesoftdownload.com | udp |
| US | 8.8.8.8:53 | downloadsoftfiles.com | udp |
| US | 8.8.8.8:53 | downloadfilesoft.com | udp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| US | 8.8.8.8:53 | contur2fa.recipeupdates.rest | udp |
| US | 104.21.76.173:443 | contur2fa.recipeupdates.rest | tcp |
| US | 104.21.76.173:443 | contur2fa.recipeupdates.rest | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\c2dd8327
| MD5 | 470247c1e7e216800f656be7ae39571c |
| SHA1 | 53565deeb9d546a943018d40447e64192348e567 |
| SHA256 | 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631 |
| SHA512 | 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf |
C:\Users\Admin\AppData\Local\Temp\c5a22110
| MD5 | b72579d13f716f0da989b263438792fc |
| SHA1 | 870969143c3eda315d9af28b1ffc53ae3dae900c |
| SHA256 | 561b49d39fb31c0172c8058b4e8a34669997e7afb82944fee3f4d9d326b0153d |
| SHA512 | e3e088ab209dc1bffa001b51a66db169f58947219849d53afd88abb1d6b68264ca5466ff84dae9e741faee8e5cebd331177f8db24fe890721667514a3e47c90d |
C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
| MD5 | 1e49c49df1e9bb5a3646fbdd72fff72d |
| SHA1 | ca3b2f92797030ad96341c5551812e679e9746d3 |
| SHA256 | df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10 |
| SHA512 | b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 17:26
Reported
2024-06-27 17:28
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Amadey
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2220 set thread context of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Synapse Service.job | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2220 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 2220 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 2220 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 2220 wrote to memory of 224 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 224 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
| PID 224 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
| PID 224 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
| PID 224 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pixeldrain.com | udp |
| DE | 188.241.219.191:443 | pixeldrain.com | tcp |
| US | 8.8.8.8:53 | s6.imgcdn.dev | udp |
| US | 172.67.144.147:443 | s6.imgcdn.dev | tcp |
| US | 8.8.8.8:53 | 191.219.241.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.144.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloadsoftfiles.com | udp |
| US | 8.8.8.8:53 | filesoftdownload.com | udp |
| US | 8.8.8.8:53 | downloadfilesoft.com | udp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| US | 8.8.8.8:53 | 67.42.76.80.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\9ff7ebc0
| MD5 | 470247c1e7e216800f656be7ae39571c |
| SHA1 | 53565deeb9d546a943018d40447e64192348e567 |
| SHA256 | 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631 |
| SHA512 | 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf |
C:\Users\Admin\AppData\Local\Temp\a342daab
| MD5 | 5102320cf5eb451f2e03371b952dbe03 |
| SHA1 | f735d3e315567b8c876587e7fc8d034cc9def31c |
| SHA256 | 1422f1021f4a52a3f79c79fbea7ce617876cbdea1d08868dca855fb1bc73434a |
| SHA512 | 613ae8871b50b122b40b2914dfd8b3e52534c519a80d632fc9df1d86834c0405df111d35549e25eb9ed17c2f91e224b3a3b1aca360420fd8eaa788bdd3823b9b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-27 17:26
Reported
2024-06-27 17:28
Platform
win11-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Amadey
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4148 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Synapse Service.job | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4148 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 4148 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 4148 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 4148 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\am.exe | C:\Windows\SysWOW64\more.com |
| PID 5040 wrote to memory of 688 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
| PID 5040 wrote to memory of 688 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
| PID 5040 wrote to memory of 688 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
| PID 5040 wrote to memory of 688 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\explorer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\am.exe
"C:\Users\Admin\AppData\Local\Temp\am.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pixeldrain.com | udp |
| NL | 50.7.22.10:443 | pixeldrain.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.22.7.50.in-addr.arpa | udp |
| US | 104.21.39.110:443 | s6.imgcdn.dev | tcp |
| US | 8.8.8.8:53 | downloadfilesoft.com | udp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| RU | 80.76.42.67:80 | downloadfilesoft.com | tcp |
| N/A | 2.22.144.81:80 | N/A | tcp |
| N/A | 192.229.221.95:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\aa36df14
| MD5 | 470247c1e7e216800f656be7ae39571c |
| SHA1 | 53565deeb9d546a943018d40447e64192348e567 |
| SHA256 | 13147df98f9460cad39ccb1ba6305c2773c9183eeb67f6caa22eb725b113c631 |
| SHA512 | 5d073a44b2853ce2c85a31ca72252472597dd6d4e99780a0a374599f391435470ccc077ac99b15f6f26b992d19533fc9378bab5bd867b55d181e6f4eee6debdf |
C:\Users\Admin\AppData\Local\Temp\acc04c1f
| MD5 | bc9e35e7255bbc93eb9412ddbd5663d1 |
| SHA1 | 892df950542d76f5307225dc3ce0405b0cd47bf8 |
| SHA256 | a6924737d029466d74eb4feab8236be00d84b16938a5f903e0783c07bda58a5d |
| SHA512 | 74cffa3575750de263ffcef3e589beb80833985800f20d51fa77c730797c4129ae6c4f1e15fc3363a12ad8935440cd90ad3d544bcbbf36c1acdac4f975ab2286 |