Malware Analysis Report

2025-08-05 14:35

Sample ID 250702-x4seaagj8x
Target rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
SHA256 3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
Tags: amadey, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27

Threat Level: Known bad

The file rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27 was found to be: Known bad.

Malicious Activity Summary

Tags: amadey, discovery

Amadey family

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-02 19:24

Signatures

Amadey family

amadey

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-02 19:24

Reported

2025-07-02 19:27

Platform

win10v2004-20250502-en

Max time kernel

130s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\Windows\Tasks\nudwee.job
Process: C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe

"C:\Users\Admin\AppData\Local\Temp\rl_3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27.exe"

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

"C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe"

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

Network

Country: NL  Destination: 196.251.85.220:80  Domain: 196.251.85.220  Proto: tcp
Country: US  Destination: 8.8.8.8:53  Domain: c.pki.goog  Proto: udp
Country: GB  Destination: 142.250.179.227:80  Domain: c.pki.goog  Proto: tcp

Files

C:\Users\Admin\AppData\Local\Temp\fd7d287510\nudwee.exe

MD5: 79875579217d38930dfe270fd7e14df1
SHA1: 64138d4d9e4e6615ae74083e14726bcd90e88ff9
SHA256: 3633b51985b6b9175755b0caad89fbcfd81aef6914aeb327ce2dedfb1f1c8b27
SHA512: e52c0a297a36d11af497c1531427b8674c7f3de67cf277855e3685e5e5a28febb7effa68864b521b324c32b4fa253a394c1e05f7893847e4c7167d94fac6ccc3