Analysis
-
max time kernel
130s -
max time network
136s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
24-02-2021 21:21
Static task
static1
Behavioral task
behavioral1
Sample
Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
Resource
win7v20201028
General
-
Target
Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe
-
Size
250KB
-
MD5
5144f2c618edf5a258b02fc2b71beefd
-
SHA1
69a27371c6c2f8db55ed23160945149a9011736e
-
SHA256
4ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
-
SHA512
74a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567
Malware Config
Extracted
amadey
2.11
176.111.174.67/7Ndd3SnW/index.php
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exerundll32.exeflow pid process 9 528 rundll32.exe 12 1552 rundll32.exe -
Executes dropped EXE 1 IoCs
Processes:
rween.exepid process 880 rween.exe -
Loads dropped DLL 10 IoCs
Processes:
Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exerundll32.exerundll32.exepid process 1784 Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe 1784 Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 1552 rundll32.exe 1552 rundll32.exe 1552 rundll32.exe 1552 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe 528 rundll32.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exerween.execmd.exedescription pid process target process PID 1784 wrote to memory of 880 1784 Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe rween.exe PID 1784 wrote to memory of 880 1784 Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe rween.exe PID 1784 wrote to memory of 880 1784 Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe rween.exe PID 1784 wrote to memory of 880 1784 Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe rween.exe PID 880 wrote to memory of 620 880 rween.exe cmd.exe PID 880 wrote to memory of 620 880 rween.exe cmd.exe PID 880 wrote to memory of 620 880 rween.exe cmd.exe PID 880 wrote to memory of 620 880 rween.exe cmd.exe PID 620 wrote to memory of 768 620 cmd.exe reg.exe PID 620 wrote to memory of 768 620 cmd.exe reg.exe PID 620 wrote to memory of 768 620 cmd.exe reg.exe PID 620 wrote to memory of 768 620 cmd.exe reg.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 528 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe PID 880 wrote to memory of 1552 880 rween.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe"C:\Users\Admin\AppData\Local\Temp\Ejecución_De_Embargo1087682524110440457384889987429350028591104178436174773663625753785856169508441070649.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\ProgramData\011ab573a3\rween.exe"C:\ProgramData\011ab573a3\rween.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\3⤵
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\011ab573a3\4⤵PID:768
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:528
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\ProgramData\5eba991cccd123\scr.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1552
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
5144f2c618edf5a258b02fc2b71beefd
SHA169a27371c6c2f8db55ed23160945149a9011736e
SHA2564ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
SHA51274a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
MD5
5144f2c618edf5a258b02fc2b71beefd
SHA169a27371c6c2f8db55ed23160945149a9011736e
SHA2564ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
SHA51274a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567
-
MD5
5144f2c618edf5a258b02fc2b71beefd
SHA169a27371c6c2f8db55ed23160945149a9011736e
SHA2564ae3ca87d8086b3d8beaca35c8d69db7b477f84111486caba6ff9682c5704b57
SHA51274a4e4be5b859f8edb999f0004cd7d13b4c56453de13379a073d6b077da691e291f89d3d0dcf791e623b6fd6bf5d16d3dfcc6df27fa43552a563227e98449567
-
MD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
MD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
MD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
MD5
69b7615f2767c3435f2479efdca30177
SHA1a6d8c6d2bdef56a7197fef6fe79774338df50531
SHA2566f917b86c623a4ef2326de062cb206208b25d93f6d7a2911bc7c10f7c83ffd64
SHA512749ef5551228d6b92288e4a725a27cb0023f5e3d73d7b76b9e42cbb88d3ff8a5cf12978da46b814f921fd850570a94194b571fb330f09ad4fc7540ecf823fcee
-
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2
-
MD5
f1c71bbc5b99ab01a8ec7c63a2e12242
SHA1ad9b2fd325fff790b732be40d3b2182daa43cfa2
SHA2563d0efa67d54ee1452aa53f35db5552fe079adfd14f1fe312097b266943dd9644
SHA51250b3909ff042b8bb20b87fbb6a29ffb102b83519845f36d99d7ffb0d0441354e7c77dd5db10662b6f6bb7ff9761104bc2243b2616b8ade90119ad79b430f1fc2