Analysis

Max time kernel: 129s
Max time network: 137s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 27-04-2021 12:10

Static task: static1
Behavioral task: behavioral1
Sample: 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe
Resource: win7v20210410
General

Target: 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe
Size: 367KB
MD5: a2a86cf41448cc5a375919a2ed050ea4
SHA1: bc8767fd4d9ad5635f114d277a4561c5e5583e89
SHA256: 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
SHA512: a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
Malware Config

Extracted
Family: amadey
Version: 2.16
C2: 185.215.113.74/4dcYcWsw3/index.php
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    19    3752  rundll32.exe
    22    2096  rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3252  blfte.exe

- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    3752  rundll32.exe
    2096  rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    3752  rundll32.exe
    3752  rundll32.exe
    3752  rundll32.exe
    3752  rundll32.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description                          pid   process                                                                  target process
    PID 856 wrote to memory of 3252      856   7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe    blfte.exe
    PID 856 wrote to memory of 3252      856   7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe    blfte.exe
    PID 856 wrote to memory of 3252      856   7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe    blfte.exe
    PID 3252 wrote to memory of 496      3252  blfte.exe                                                                cmd.exe
    PID 3252 wrote to memory of 496      3252  blfte.exe                                                                cmd.exe
    PID 3252 wrote to memory of 496      3252  blfte.exe                                                                cmd.exe
    PID 496 wrote to memory of 3468      496   cmd.exe                                                                  reg.exe
    PID 496 wrote to memory of 3468      496   cmd.exe                                                                  reg.exe
    PID 496 wrote to memory of 3468      496   cmd.exe                                                                  reg.exe
    PID 3252 wrote to memory of 3752     3252  blfte.exe                                                                rundll32.exe
    PID 3252 wrote to memory of 3752     3252  blfte.exe                                                                rundll32.exe
    PID 3252 wrote to memory of 3752     3252  blfte.exe                                                                rundll32.exe
    PID 3252 wrote to memory of 2096     3252  blfte.exe                                                                rundll32.exe
    PID 3252 wrote to memory of 2096     3252  blfte.exe                                                                rundll32.exe
    PID 3252 wrote to memory of 2096     3252  blfte.exe                                                                rundll32.exe
Processes

- (depth 1) C:\Users\Admin\AppData\Local\Temp\7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0.exe"
  - Suspicious use of WriteProcessMemory

  - (depth 2) C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\
      - Suspicious use of WriteProcessMemory

      - (depth 4) C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\

    - (depth 3) C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

    - (depth 3) C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\scr.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\3826790d0e5a5e\cred.dll
  MD5: f195dbf9f3449a5434edf834e43b0ff6
  SHA1: 5a22cf9d196df19e5184d1f786e59a609de13345
  SHA256: 2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a
  SHA512: 25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd

- C:\ProgramData\3826790d0e5a5e\scr.dll
  MD5: 756cee4ee058d9d8d05dab2dcb142684
  SHA1: d9e476769e4f7f6477c00a08f4b206cc1431f655
  SHA256: a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155
  SHA512: 5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450

- C:\Users\Admin\AppData\Local\Temp\15211594587808204709 (the hashes below are those of a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
  MD5: a2a86cf41448cc5a375919a2ed050ea4
  SHA1: bc8767fd4d9ad5635f114d277a4561c5e5583e89
  SHA256: 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
  SHA512: a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
- \ProgramData\3826790d0e5a5e\cred.dll
  MD5: f195dbf9f3449a5434edf834e43b0ff6
  SHA1: 5a22cf9d196df19e5184d1f786e59a609de13345
  SHA256: 2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a
  SHA512: 25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd

- \ProgramData\3826790d0e5a5e\scr.dll
  MD5: 756cee4ee058d9d8d05dab2dcb142684
  SHA1: d9e476769e4f7f6477c00a08f4b206cc1431f655
  SHA256: a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155
  SHA512: 5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450

- memory/496-122-0x0000000000000000-mapping.dmp

- memory/856-114-0x0000000003DD0000-0x0000000003F1A000-memory.dmp
  Filesize: 1.3MB

- memory/856-115-0x0000000000400000-0x0000000003DC2000-memory.dmp
  Filesize: 57.8MB

- memory/2096-127-0x0000000000000000-mapping.dmp

- memory/3252-120-0x0000000003ED0000-0x000000000401A000-memory.dmp
  Filesize: 1.3MB

- memory/3252-121-0x0000000000400000-0x0000000003DC2000-memory.dmp
  Filesize: 57.8MB

- memory/3252-116-0x0000000000000000-mapping.dmp

- memory/3468-123-0x0000000000000000-mapping.dmp

- memory/3752-124-0x0000000000000000-mapping.dmp