Analysis

  max time kernel:   128s
  max time network:  144s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         27-04-2021 06:47

Static task:      static1
Behavioral task:  behavioral1
  Sample:    5 th Dimension LTD Oy signed.exe
  Resource:  win7v20210410
General

  Target:  5 th Dimension LTD Oy signed.exe
  Size:    367KB
  MD5:     a2a86cf41448cc5a375919a2ed050ea4
  SHA1:    bc8767fd4d9ad5635f114d277a4561c5e5583e89
  SHA256:  7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
  SHA512:  a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
Malware Config

Extracted
  Family:   amadey
  Version:  2.16
  C2:       185.215.113.74/4dcYcWsw3/index.php
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid  process
  9     756  rundll32.exe
  12    820  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
  pid   process
  1988  blfte.exe

Loads dropped DLL (10 IoCs)
  pid   process
  1756  5 th Dimension LTD Oy signed.exe  (listed 2x)
  756   rundll32.exe  (listed 4x)
  820   rundll32.exe  (listed 4x)
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description of this signature reads "likely ransomware behaviour", but nothing else in this report (no file renames, no mass writes, a stealer module reading messenger data, a loader config) points at encryption; for an Amadey sample, drive enumeration is consistent with host profiling and collection, so treat the note as a heuristic, not a finding.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  process
  756  rundll32.exe  (listed 4x)

Suspicious use of WriteProcessMemory (26 IoCs)
  source pid  source process                    target pid  target process  entries
  1756        5 th Dimension LTD Oy signed.exe  1988        blfte.exe       4
  1988        blfte.exe                         1740        cmd.exe         4
  1740        cmd.exe                           1284        reg.exe         4
  1988        blfte.exe                         756         rundll32.exe    7
  1988        blfte.exe                         820         rundll32.exe    7
Processes

C:\Users\Admin\AppData\Local\Temp\5 th Dimension LTD Oy signed.exe  (PID 1756)
  "C:\Users\Admin\AppData\Local\Temp\5 th Dimension LTD Oy signed.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe  (PID 1988, child of 1756)
    "C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1740, child of 1988)
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe  (PID 1284, child of 1740)
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\

    C:\Windows\SysWOW64\rundll32.exe  (PID 756, child of 1988)
      "C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\rundll32.exe  (PID 820, child of 1988)
      "C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\scr.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL

Notes on the tree. PIDs are taken from the WriteProcessMemory table above; the cred.dll instance is PID 756 because that is the only rundll32 the EnumeratesProcesses signature lists.
- The REG ADD is the persistence step, and it does not touch a Run key. It repoints HKCU\...\User Shell Folders\Startup at the dropper's own directory, so Explorer treats C:\Users\Admin\AppData\Local\Temp\52e587793b\ as the user's Startup folder and launches blfte.exe (a byte-identical copy of the submitted sample, see Downloads) at every logon. Check that value against the default %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; persistence sweeps that only inspect Run keys and the real Startup folder miss this.
- The command lines name C:\Windows\System32\ but the images run from C:\Windows\SysWOW64\: the sample is 32-bit, and WOW64 file-system redirection resolves System32 to SysWOW64 for its children.
- rundll32.exe loading a DLL from C:\ProgramData\<random>\ and calling an export named Main is consistent with Amadey's plugin loading. Both rundll32 instances load dropped DLLs and both are the processes behind the blocklisted network requests (flows 9 and 12).
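The hunting logic below is an added example and is not part of the Triage report. It replays the tree above as constructed telemetry (the PIDs, images and command lines are transcribed from the report; the dict field names are this example's own, not a real EDR schema, and the assumption that the two rundll32 network flows go to the extracted C2 is marked in the code) and flags the three things a detection engineer would want to catch: the Startup shell-folder redirection, rundll32 executing an export from a user-writable DLL, and contact with the configured C2, then walks the parent chain so the alert names the dropper rather than reg.exe.

```python
"""Hunting rules for the Amadey process tree above (added example, not part of
the Triage report).  EVENTS is constructed sample telemetry transcribed from the
tree; the field names and the C2 destination of the two rundll32 network flows
are assumptions made for this example."""
import re

C2_HOST = "185.215.113.74"
C2_PATH = "/4dcYcWsw3/index.php"

# Where HKCU\...\User Shell Folders\Startup points on a clean Windows 7 profile
# (assumed baseline; compare case-insensitively).
DEFAULT_STARTUP = (r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows"
                   r"\Start Menu\Programs\Startup")
USF_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
DROP_DIR = r"C:\Users\Admin\AppData\Local\Temp\52e587793b"
REG_CMD = f'REG ADD "{USF_KEY}" /f /v Startup /t REG_SZ /d {DROP_DIR}\\'

EVENTS = [  # constructed from the report's process tree
    {"kind": "process", "pid": 1756, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\5 th Dimension LTD Oy signed.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\5 th Dimension LTD Oy signed.exe"'},
    {"kind": "process", "pid": 1988, "ppid": 1756, "image": DROP_DIR + r"\blfte.exe",
     "cmdline": f'"{DROP_DIR}\\blfte.exe"'},
    {"kind": "process", "pid": 1740, "ppid": 1988, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'"C:\\Windows\\System32\\cmd.exe" /C {REG_CMD}'},
    {"kind": "process", "pid": 1284, "ppid": 1740, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": REG_CMD},
    {"kind": "process", "pid": 756, "ppid": 1988, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\cred.dll, Main'},
    {"kind": "process", "pid": 820, "ppid": 1988, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\scr.dll, Main'},
    # Flows 9 and 12 in the report; that they target the extracted C2 is an assumption.
    {"kind": "network", "pid": 756, "dst_ip": C2_HOST, "uri": C2_PATH},
    {"kind": "network", "pid": 820, "dst_ip": C2_HOST, "uri": C2_PATH},
]

STARTUP_RE = re.compile(
    r'user shell folders.*?/v\s+startup\b.*?/d\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
USER_WRITABLE = re.compile(r"^(?:[a-z]:)?\\(?:programdata|users)\\", re.IGNORECASE)


def startup_redirect(ev):
    """Startup shell folder rewritten to a non-default path: everything placed
    there runs at logon without any Run key being written."""
    m = STARTUP_RE.search(ev.get("cmdline", ""))
    if not m:
        return None
    target = m.group(1).rstrip("\\")
    return None if target.lower() == DEFAULT_STARTUP.lower() else target


def rundll32_user_writable_dll(ev):
    """rundll32 invoking an export of a DLL that lives in a user-writable tree."""
    if not ev.get("image", "").lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_RE.search(ev.get("cmdline", ""))
    if m and USER_WRITABLE.search(m.group(1)):
        return f"{m.group(1)} export {m.group(2)}"
    return None


def hunt(events):
    """Return (rule, pid, detail) triples for every event that matches a rule."""
    image = {e["pid"]: e["image"] for e in events if e["kind"] == "process"}
    found = []
    for ev in events:
        if ev["kind"] == "process":
            if (t := startup_redirect(ev)):
                found.append(("startup_folder_redirect", ev["pid"], t))
            if (d := rundll32_user_writable_dll(ev)):
                found.append(("rundll32_user_writable_dll", ev["pid"], d))
        elif ev["kind"] == "network" and (ev["dst_ip"], ev["uri"]) == (C2_HOST, C2_PATH):
            found.append(("amadey_c2_contact", ev["pid"],
                          f"{image.get(ev['pid'], '?')} -> http://{C2_HOST}{C2_PATH}"))
    return found


def ancestry(events, pid):
    """Images from pid up to the root, so an alert on reg.exe names the dropper."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
        print("    chain:", " <- ".join(ancestry(EVENTS, pid)))
```

Run against the constructed events it raises six findings: both the cmd.exe wrapper and reg.exe for the Startup redirection, both rundll32 instances for the ProgramData DLLs, and both C2 flows. The Startup rule compares against the default value rather than matching on the REG ADD text, so a legitimate administrator resetting the folder to its default is not flagged.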
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\3826790d0e5a5e\cred.dll
  MD5     f195dbf9f3449a5434edf834e43b0ff6
  SHA1    5a22cf9d196df19e5184d1f786e59a609de13345
  SHA256  2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a
  SHA512  25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd

- C:\ProgramData\3826790d0e5a5e\scr.dll
  MD5     756cee4ee058d9d8d05dab2dcb142684
  SHA1    d9e476769e4f7f6477c00a08f4b206cc1431f655
  SHA256  a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155
  SHA512  5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450

- C:\Users\Admin\AppData\Local\Temp\15212513283230931923
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of a zero-byte file: the file was empty when the sandbox captured it, so its hashes identify nothing and must not be used as indicators.

- C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
  MD5     a2a86cf41448cc5a375919a2ed050ea4
  SHA1    bc8767fd4d9ad5635f114d277a4561c5e5583e89
  SHA256  7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
  SHA512  a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
  Identical to the submitted sample (see General): the dropper copies itself into 52e587793b\ and runs the copy from there.

- \ProgramData\3826790d0e5a5e\cred.dll  (same file as above; the sandbox records it once per load)
  MD5     f195dbf9f3449a5434edf834e43b0ff6
  SHA1    5a22cf9d196df19e5184d1f786e59a609de13345
  SHA256  2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a
  SHA512  25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd
- \ProgramData\3826790d0e5a5e\scr.dll  (same file as above)
  MD5     756cee4ee058d9d8d05dab2dcb142684
  SHA1    d9e476769e4f7f6477c00a08f4b206cc1431f655
  SHA256  a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155
  SHA512  5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450
- \Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe  (same file as above)
  MD5     a2a86cf41448cc5a375919a2ed050ea4
  SHA1    bc8767fd4d9ad5635f114d277a4561c5e5583e89
  SHA256  7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
  SHA512  a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
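Turning the Downloads table into a usable indicator set takes three steps that the raw listing hides: collapse the repeated rows (the sandbox records a file once per load and once per path spelling), recognise the zero-byte file so its hashes are never shipped as an IOC, and note which dropped file is just the submitted sample under a new name. The script below is an added example, not part of the Triage report; the hashes are transcribed from the table, while the labels, the assumption that drive-less paths live on C:, and the directory scanner are this example's own.

```python
"""Triage of the Downloads table above (added example, not part of the Triage
report).  DROPPED is transcribed from the table, repeats included; the labels
and the C: drive assumed for rows listed without a drive letter are this
example's own."""
import hashlib
import os

SAMPLE_SHA256 = "7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0"
CRED_SHA256 = "2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a"
SCR_SHA256 = "a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # computed, not copied from the table

# (path, sha256) rows exactly as the report lists them, duplicates included.
DROPPED = (
    [(r"C:\ProgramData\3826790d0e5a5e\cred.dll", CRED_SHA256),
     (r"C:\ProgramData\3826790d0e5a5e\scr.dll", SCR_SHA256),
     (r"C:\Users\Admin\AppData\Local\Temp\15212513283230931923",
      "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
     (r"C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe", SAMPLE_SHA256)]
    + [(r"\ProgramData\3826790d0e5a5e\cred.dll", CRED_SHA256)] * 4
    + [(r"\ProgramData\3826790d0e5a5e\scr.dll", SCR_SHA256)] * 4
    + [(r"\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe", SAMPLE_SHA256)] * 2
)


def normalize(path):
    """Rows without a drive letter are assumed to be on C: (assumption)."""
    return "C:" + path if path.startswith("\\") else path


def classify(sha256):
    """Label a hash from the table by what it actually identifies."""
    if sha256 == SAMPLE_SHA256:
        return "self-copy of the submitted sample"
    if sha256 == EMPTY_SHA256:
        return "empty file (hash of zero bytes, not an IOC)"
    return "dropped module"


def unique_files(entries):
    """sha256 -> sorted list of normalized paths, collapsing the repeated rows."""
    files = {}
    for path, sha in entries:
        files.setdefault(sha, set()).add(normalize(path))
    return {sha: sorted(paths) for sha, paths in files.items()}


def hash_iocs(entries):
    """Hashes worth blocking on: every unique file except the zero-byte one,
    which would match every empty file on every host."""
    return sorted(sha for sha in unique_files(entries) if sha != EMPTY_SHA256)


def lookup(data):
    """Check a file's bytes against the report's hashes."""
    sha = hashlib.sha256(data).hexdigest()
    return classify(sha) if sha in unique_files(DROPPED) else "not in this report"


def scan_tree(root, iocs=None):
    """Walk a directory (for example a mounted image's ProgramData) for IOC hashes."""
    iocs = set(iocs if iocs is not None else hash_iocs(DROPPED))
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable or vanished file; keep scanning
            if digest in iocs:
                hits.append((full, digest, classify(digest)))
    return hits


if __name__ == "__main__":
    for sha, paths in unique_files(DROPPED).items():
        print(sha[:16], classify(sha), *paths, sep="  ")
    print("IOC hashes:", hash_iocs(DROPPED))
```

The fourteen rows collapse to four distinct files, and the IOC set has three entries: the two plugin DLLs and the sample itself (blfte.exe carries the sample's hash, so one indicator covers both names). EMPTY_SHA256 is computed rather than copied so the empty-file check does not depend on the table being transcribed correctly.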
Memory dumps

- memory/756-73-0x0000000000000000-mapping.dmp
- memory/756-80-0x0000000000260000-0x0000000000284000-memory.dmp  (144KB)
- memory/820-81-0x0000000000000000-mapping.dmp
- memory/820-88-0x0000000000720000-0x000000000075D000-memory.dmp  (244KB)
- memory/1284-72-0x0000000000000000-mapping.dmp
- memory/1740-71-0x0000000000000000-mapping.dmp
- memory/1756-65-0x0000000000220000-0x0000000000251000-memory.dmp  (196KB)
- memory/1756-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp  (8KB)
- memory/1756-66-0x0000000000400000-0x0000000003DC2000-memory.dmp  (57.8MB)
- memory/1988-63-0x0000000000000000-mapping.dmp
- memory/1988-70-0x0000000000400000-0x0000000003DC2000-memory.dmp  (57.8MB)

The 0x00400000-0x03DC2000 image region is the same size in PID 1756 (the submitted sample) and PID 1988 (blfte.exe), as expected for two runs of the same binary; the 57.8MB mapping of a 367KB file points at a packed image that unpacks into a large region at runtime, so the dumps from these two processes are the ones to start from when looking for the unpacked payload.