Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 7, 2023, 9:09 a.m.	Aug. 7, 2023, 9:11 a.m.

Size	231.0KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`90e1482208611ebf4b36413d6bf05f42`
SHA256	`0e41ffd44bc8a085a3bd49058ff0051538476c8a05f086593b02bc87b30268dc`
CRC32	`1BA51FB9`
ssdeep	`3072:eSO3Te83mI75HrE+kqQUULV5J3T1XiRuiibP5o/l7RSKFyLiJGu7dqvyEzkzwkr8:se83mQ4LBVvZT1ilF/WKFrGu7duMAVa`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description)

O77vNQG6.exe "C:\Users\test22\AppData\Local\Temp\O77vNQG6.exe"
792
- bstyoops.exe "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe"
  2112
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
    2212
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
    2264
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2340
    - cacls.exe CACLS "bstyoops.exe" /P "test22:N"
      2380
    - cacls.exe CACLS "bstyoops.exe" /P "test22:R" /E
      2448
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2496
    - cacls.exe CACLS "..\b6ba12ff32" /P "test22:N"
      2532
    - cacls.exe CACLS "..\b6ba12ff32" /P "test22:R" /E
      2588
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
xyl.lat

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Aug. 7, 2023, 9:09 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 7, 2023, 9:09 a.m.	buffer: SUCCESS: The scheduled task "bstyoops.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 7, 2023, 9:09 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW Aug. 7, 2023, 9:09 a.m.	buffer: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA Aug. 7, 2023, 9:09 a.m.	buffer: r console_handle: 0x00000007	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 7, 2023, 9:09 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 7, 2023, 9:09 a.m.	process_identifier: 792 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02100000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Aug. 7, 2023, 9:09 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

bstyoops.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds

Creates a suspicious process (4 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 7, 2023, 9:09 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe	1	1
ShellExecuteExW Aug. 7, 2023, 9:09 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Aug. 7, 2023, 9:09 a.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit filepath: cmd	1	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\test22\AppData\Local\Temp\b6ba12ff32\bstyoops.exe" /F

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Aug. 7, 2023, 9:09 a.m.	key_handle: 0x00000324 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	CACLS "..\b6ba12ff32" /P "test22:R" /E
cmdline	CACLS "bstyoops.exe" /P "test22:R" /E
cmdline	CACLS "bstyoops.exe" /P "test22:N"
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
cmdline	cmd /k echo Y\|CACLS "bstyoops.exe" /P "test22:N"&&CACLS "bstyoops.exe" /P "test22:R" /E&&echo Y\|CACLS "..\b6ba12ff32" /P "test22:N"&&CACLS "..\b6ba12ff32" /P "test22:R" /E&&Exit
cmdline	CACLS "..\b6ba12ff32" /P "test22:N"

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

Bkav	W32.AIDetectMalware
Elastic	Windows.Trojan.Amadey
Cynet	Malicious (score: 100)
McAfee	Downloader-FCND!90E148220861
Cylance	unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 005a7a4a1 )
Alibaba	TrojanDownloader:Win32/Amadey.3586b182
K7GW	Trojan ( 005a7a4a1 )
Cybereason	malicious.208611
Cyren	W32/Amadey.C1.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
APEX	Malicious
ClamAV	Win.Malware.Doina-10001799-0
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
BitDefender	Gen:Variant.Doina.60896
MicroWorld-eScan	Gen:Variant.Doina.60896
Avast	Win32:BotX-gen [Trj]
Rising	Spyware.Agent!8.C6 (TFE:5:Ff7t0kYd78J)
Emsisoft	Gen:Variant.Doina.60896 (B)
F-Secure	Heuristic.HEUR/AGEN.1319380
VIPRE	Gen:Variant.Doina.60896
TrendMicro	Trojan.Win32.AMADEY.YXDHEZ
McAfee-GW-Edition	BehavesLike.Win32.Generic.dh
FireEye	Generic.mg.90e1482208611ebf
Sophos	Mal/Generic-R
SentinelOne	Static AI - Malicious PE
GData	Gen:Variant.Doina.60896
Avira	HEUR/AGEN.1319380
MAX	malware (ai score=88)
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Arcabit	Trojan.Doina.DEDE0
ZoneAlarm	HEUR:Trojan-Downloader.Win32.Deyma.gen
Microsoft	Trojan:Win32/Amadey.RDH!MTB
Google	Detected
AhnLab-V3	Malware/Win.Trojanspy.C5238800
BitDefenderTheta	Gen:NN.ZexaF.36348.ouW@amEIRFpi
ALYac	Gen:Variant.Doina.60896
Malwarebytes	Backdoor.Amadey
Panda	Trj/Genetic.gen
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDHEZ
Tencent	Win32.Trojan.Agen.Ddhl
Ikarus	Trojan-Downloader.Win32.Amadey
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Amadey.A!tr
AVG	Win32:BotX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_100% (W)

O77vNQG6.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All