Analysis
Max time kernel: 129s
Max time network: 137s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 24-02-2021 21:25
Static task: static1
Behavioral task: behavioral1
Sample: Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe
Resource: win7v20201028
General
Target: Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe
Size: 325KB
MD5: f8bdaa4de9861b0d490490deaa372625
SHA1: f72e8b2d815af12760656339adb7f9ca6f633e2a
SHA256: 2f1103e99fb464143a58c654763fe9c8ea25dfa84d04cfa9a1557fcb891330f5
SHA512: e5c61deed4df89f3fcfa3671ba3ddaa9fe8ef8f32815160e51f233dd400dbc8fd19716f4e04edd482ffe0a47577bb6b627464d7c1d8156547d988b07e4013875
Malware Config
Extracted
Family: amadey
Version: 2.07
C2: 91.241.19.159/m7vvsw2dsQ/index.php
Signatures

Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  1432  bween.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID   Process
  1888  Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe
  1888  Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: the second sentence is the sandbox's generic description for this signature, not a finding specific to this sample. Nothing else in this report points to encryption activity: the process tree consists of the sample, one dropped executable and a single REG ADD, and the extracted config identifies the family as Amadey, a loader/bot. Drive enumeration here is better read as host fingerprinting.
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe, bween.exe, cmd.exe
  Source PID 1888 (Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe) wrote to memory of PID 1432 (bween.exe): 4 events
  Source PID 1432 (bween.exe) wrote to memory of PID 1708 (cmd.exe): 4 events
  Source PID 1708 (cmd.exe) wrote to memory of PID 1648 (reg.exe): 4 events
Every write goes from a parent into the child it has just spawned (compare the process tree below); there is no write into an unrelated process, so this is consistent with ordinary child-process creation rather than cross-process injection.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe (PID 1888)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Adj_Proceso77727212556164025699106096354430573416984700123904824645273838987440239601743035.exe"
   Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

   2. C:\ProgramData\8ad2f1a034\bween.exe (PID 1432), child of PID 1888
      Command line: "C:\ProgramData\8ad2f1a034\bween.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 1708), child of PID 1432
         Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\8ad2f1a034\
         Signatures: Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\reg.exe (PID 1648), child of PID 1708
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\8ad2f1a034\

Notes on the tree:
- The sample is 32-bit: it invokes cmd.exe by its System32 path, but the image that actually runs is C:\Windows\SysWOW64\cmd.exe because WOW64 file-system redirection maps System32 to SysWOW64 for 32-bit processes. reg.exe likewise runs from SysWOW64.
- The REG ADD is the persistence mechanism. It overwrites the per-user Startup entry under User Shell Folders, the value Explorer resolves at logon to locate the Startup folder, so that the Startup folder becomes C:\ProgramData\8ad2f1a034\, the directory bween.exe runs from. Anything placed there is launched at the next logon without touching the Run keys or the real Startup folder. The value is written as REG_SZ with a literal path, whereas the Windows default is a REG_EXPAND_SZ value of %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; either the changed type or an absolute path outside the user profile is a simple hunt criterion.
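The REG ADD in the process tree above rewires the per-user Startup shell folder to the drop directory. As an added example (not part of the sandbox report and not Amadey's code), the following Python parses REG ADD command lines as they appear in process-creation telemetry (the CommandLine field of Sysmon event 1 or Security event 4688) and returns the redirected path whenever a Startup or Common Startup value, under User Shell Folders or the legacy Shell Folders key, is pointed somewhere other than a path ending in \Start Menu\Programs\Startup. It generalizes beyond the single HKCU/Startup case on this page. The SAMPLE_CMDLINES list is constructed for this example: the first two entries are the command lines from the report's process tree, the third restores the Windows default, and the last two are unrelated controls.

```python
"""Flag Startup-folder redirection done through 'REG ADD ... User Shell Folders'.

Added example, not part of the sandbox report. Parses REG ADD command lines as
captured by process-creation telemetry (Sysmon EID 1, Security 4688) and returns
the redirected path when a Startup shell-folder value is pointed away from its
default location. SAMPLE_CMDLINES below is constructed for this example.
"""
import re

# One argument: either a double-quoted string (quotes dropped) or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Suffixes of the keys that map shell-folder names to paths (HKCU or HKLM).
# 'Shell Folders' is the legacy key; both are worth watching.
_SHELL_FOLDER_KEY_SUFFIXES = (
    r"\microsoft\windows\currentversion\explorer\user shell folders",
    r"\microsoft\windows\currentversion\explorer\shell folders",
)

# Value names Explorer reads to locate autostart shortcuts at logon.
_STARTUP_VALUE_NAMES = {"startup", "common startup"}

# Both defaults (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and
# %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp) end like this.
_EXPECTED_SUFFIX = r"\start menu\programs\startup"


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_reg_add(cmdline):
    """Return {'key','value','type','data'} for a REG ADD command line, else None.

    Accepts a bare 'REG ADD ...' as well as a 'cmd.exe /C REG ADD ...' wrapper.
    """
    toks = tokenize(cmdline)
    start = None
    for i in range(len(toks) - 1):
        image = toks[i].lower().rsplit("\\", 1)[-1]
        if image in ("reg", "reg.exe") and toks[i + 1].lower() == "add":
            start = i + 2
            break
    if start is None or start >= len(toks):
        return None
    args = toks[start:]
    parsed = {"key": args[0], "value": None, "type": None, "data": None}
    flag_to_field = {"/v": "value", "/t": "type", "/d": "data"}
    j = 1
    while j < len(args):
        flag = args[j].lower()
        if flag in flag_to_field and j + 1 < len(args):
            parsed[flag_to_field[flag]] = args[j + 1]
            j += 2
        elif flag == "/ve":            # write goes to the (Default) value
            parsed["value"] = ""
            j += 1
        else:                          # /f, /s, /reg:32 ... carry no operand we need
            j += 1
    return parsed


def startup_redirect(cmdline):
    """Return the path the Startup folder is redirected to, or None if benign."""
    reg = parse_reg_add(cmdline)
    if reg is None or reg["value"] is None or reg["data"] is None:
        return None
    key = reg["key"].lower().rstrip("\\")
    if not key.endswith(_SHELL_FOLDER_KEY_SUFFIXES):
        return None
    if reg["value"].lower() not in _STARTUP_VALUE_NAMES:
        return None
    if reg["data"].lower().rstrip("\\").endswith(_EXPECTED_SUFFIX):
        return None
    return reg["data"]


def scan(cmdlines):
    """Return (cmdline, redirected_path) for every line that rewires Startup."""
    hits = []
    for line in cmdlines:
        path = startup_redirect(line)
        if path is not None:
            hits.append((line, path))
    return hits


# Constructed samples: [0] and [1] are the two command lines from the report's
# process tree; [2] restores the Windows default; [3] and [4] are unrelated.
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /C REG ADD "HKCU\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Explorer\\User Shell Folders" /f /v Startup /t REG_SZ '
    '/d C:\\ProgramData\\8ad2f1a034\\',
    'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell '
    'Folders" /f /v Startup /t REG_SZ /d C:\\ProgramData\\8ad2f1a034\\',
    'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell '
    'Folders" /f /v Startup /t REG_EXPAND_SZ '
    '/d "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"',
    'REG ADD HKCU\\Software\\Example /v Foo /t REG_SZ /d bar',
    '"C:\\ProgramData\\8ad2f1a034\\bween.exe"',
]

if __name__ == "__main__":
    for line, path in scan(SAMPLE_CMDLINES):
        print("Startup folder redirected to", path)
        print("   ", line)
```

Run against the constructed list, only the two command lines taken from this report are reported, both pointing at C:\ProgramData\8ad2f1a034\. The check deliberately keys on the destination rather than on the exact key path or value type, so a write of the default path (as an administrator's repair script would do) stays quiet while a REG_EXPAND_SZ pointing at a temp directory still fires.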
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the digests of zero-byte input, i.e. this download artifact is empty.

MD5: f8bdaa4de9861b0d490490deaa372625
SHA1: f72e8b2d815af12760656339adb7f9ca6f633e2a
SHA256: 2f1103e99fb464143a58c654763fe9c8ea25dfa84d04cfa9a1557fcb891330f5
SHA512: e5c61deed4df89f3fcfa3671ba3ddaa9fe8ef8f32815160e51f233dd400dbc8fd19716f4e04edd482ffe0a47577bb6b627464d7c1d8156547d988b07e4013875
Identical to the submitted sample, consistent with the sample copying itself unchanged to C:\ProgramData\8ad2f1a034\bween.exe before executing it.