Analysis

- max time kernel: 124s
- max time network: 137s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-04-2021 06:47

Static task: static1
Behavioral task: behavioral1
- Sample: 5 th Dimension LTD Oy signed.exe
- Resource: win7v20210410
General

- Target: 5 th Dimension LTD Oy signed.exe
- Size: 367KB
- MD5: a2a86cf41448cc5a375919a2ed050ea4
- SHA1: bc8767fd4d9ad5635f114d277a4561c5e5583e89
- SHA256: 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
- SHA512: a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
Malware Config

Extracted:
- Family: amadey
- Version: 2.16
- C2: 185.215.113.74/4dcYcWsw3/index.php

The C2 is a bare IP over plain HTTP with Amadey's usual layout of one random directory followed by index.php; a POST from a non-browser process to an IP-literal host on a path ending in /index.php is the network indicator to hunt for.
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
  - flow 14, pid 1556, rundll32.exe
  - flow 20, pid 3212, rundll32.exe
  rundll32.exe has no reason to open network connections by itself; here both instances are hosting the dropped DLLs (cred.dll, scr.dll) shown in the process tree.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  - pid 2636, blfte.exe
- Loads dropped DLL (3 IoCs)
  - pid 1556, rundll32.exe
  - pid 3212, rundll32.exe
  - pid 3212, rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour"; that is a heuristic, and nothing else in this report (an Amadey config extracted, stealer signatures, no mass file writes) points to ransomware, so read it as drive enumeration consistent with the infostealer behaviour above rather than as encryption.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - pid 1556, rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Parent -> child, each pair recorded three times by the sandbox:
  - 2208 (5 th Dimension LTD Oy signed.exe) -> 2636 (blfte.exe)
  - 2636 (blfte.exe) -> 1796 (cmd.exe)
  - 1796 (cmd.exe) -> 744 (reg.exe)
  - 2636 (blfte.exe) -> 1556 (rundll32.exe)
  - 2636 (blfte.exe) -> 3212 (rundll32.exe)
  Every write is from a parent into the child it has just created, which is the pattern the sandbox records for ordinary process creation; the value of this signature is the parent/child map, not evidence of injection into an unrelated process.
Processes

- C:\Users\Admin\AppData\Local\Temp\5 th Dimension LTD Oy signed.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5 th Dimension LTD Oy signed.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\52e587793b\
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\3826790d0e5a5e\scr.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL

Notes on the tree:
- Persistence is the REG ADD: it rewrites the per-user "Startup" value under User Shell Folders so that Explorer treats C:\Users\Admin\AppData\Local\Temp\52e587793b\ as the Startup folder. Everything in that directory (here blfte.exe) runs at the next logon without any Run key or scheduled task being touched. The default value is %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; any other value in that key deserves an alert.
- blfte.exe is a self-copy of the submitted sample (identical hashes, see Downloads); the original only launches the copy, and the copy does the rest.
- cmd.exe, reg.exe and rundll32.exe are requested by their System32 paths but run from SysWOW64: the parent is a 32-bit process, so WoW64 file-system redirection substitutes the 32-bit binaries. The two DLLs are loaded through rundll32 by the export name "Main" from C:\ProgramData\3826790d0e5a5e\, a location any standard user can create files in.
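The two host-side indicators in this tree, the User Shell Folders rewrite and rundll32 loading a DLL from a user-writable directory, are straightforward to express as checks over process-creation telemetry. The following Python is an added example and not the sandbox's own detection logic; its event records are constructed from the process tree above (the explorer.exe parent of the submitted sample, the pid 4000 benign control and the field names image/cmdline/parent_image are this example's assumptions, not data from the report).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Value Explorer writes for the per-user Startup shell folder by default.
DEFAULT_STARTUP = "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"

# Directories a standard user can write to; a DLL handed to rundll32 from one
# of these was almost certainly dropped by the process that spawned rundll32.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class ProcEvent:
    pid: int
    image: str          # executable actually mapped, as the sandbox reports it
    cmdline: str        # command line as passed by the parent
    parent_image: str


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5 th Dimension LTD Oy signed.exe"
DROP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\52e587793b\\"
BLFTE = DROP_DIR + "blfte.exe"

# Constructed from the process tree in the report. The explorer.exe parent of
# the sample and the pid 4000 benign control are assumptions for this example.
EVENTS = [
    ProcEvent(2208, SAMPLE, f'"{SAMPLE}"', "C:\\Windows\\explorer.exe"),
    ProcEvent(2636, BLFTE, f'"{BLFTE}"', SAMPLE),
    ProcEvent(744, "C:\\Windows\\SysWOW64\\reg.exe",
              'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders" '
              '/f /v Startup /t REG_SZ /d ' + DROP_DIR,
              "C:\\Windows\\SysWOW64\\cmd.exe"),
    ProcEvent(1556, "C:\\Windows\\SysWOW64\\rundll32.exe",
              '"C:\\Windows\\System32\\rundll32.exe" C:\\ProgramData\\3826790d0e5a5e\\cred.dll, Main',
              BLFTE),
    ProcEvent(4000, "C:\\Windows\\System32\\rundll32.exe",
              '"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
              "C:\\Windows\\explorer.exe"),
]

_REG_ADD_RE = re.compile(r'^\s*"?(?:.*\\)?reg(?:\.exe)?"?\s+add\b', re.IGNORECASE)
_SHELL_FOLDER_RE = re.compile(
    r'user shell folders.*?/v\s+startup\b.*?/d\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)
_RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>[^"]*?rundll32\.exe)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE)


def startup_folder_hijack(ev: ProcEvent) -> Optional[str]:
    """Return the new Startup path when a `reg add` rewrites the per-user
    Startup shell folder to anything other than the default; else None."""
    if not _REG_ADD_RE.match(ev.cmdline):
        return None
    m = _SHELL_FOLDER_RE.search(ev.cmdline)
    if not m:
        return None
    path = m.group("path").strip()
    return None if path.lower() == DEFAULT_STARTUP.lower() else path


def rundll32_userwritable_dll(ev: ProcEvent) -> Optional[str]:
    """Return the DLL path when rundll32 is told to load a DLL from a
    user-writable directory (the cred.dll / scr.dll pattern); else None."""
    m = _RUNDLL_RE.match(ev.cmdline)
    if not m:
        return None
    dll = m.group("dll").strip()
    return dll if dll.lower().startswith(USER_WRITABLE_PREFIXES) else None


def wow64_redirected(ev: ProcEvent) -> bool:
    """True when the command line names System32 but the mapped image is in
    SysWOW64: the parent is 32-bit and file-system redirection moved the
    launch. Context for the analyst, not a detection on its own."""
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Run every check over an event list; returns (rule, pid, detail)."""
    findings: List[Tuple[str, int, str]] = []
    for ev in events:
        path = startup_folder_hijack(ev)
        if path:
            findings.append(("startup_shell_folder_hijack", ev.pid, path))
        dll = rundll32_userwritable_dll(ev)
        if dll:
            note = " (32-bit parent, WoW64 redirection)" if wow64_redirected(ev) else ""
            findings.append(("rundll32_user_writable_dll", ev.pid, dll + note))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run as-is the script reports the reg.exe hijack (pid 744) and the rundll32 load of cred.dll (pid 1556) and stays silent on the shell32.dll control. The Startup check compares against the default value rather than matching the malware's path, so it also catches any other relocation of the Startup folder; the rundll32 check keys on the DLL's directory rather than its name, since the name (cred.dll, scr.dll) is the cheapest thing for the operator to change.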
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\ProgramData\3826790d0e5a5e\cred.dll (also recorded as \ProgramData\3826790d0e5a5e\cred.dll with the same hashes)
  MD5: f195dbf9f3449a5434edf834e43b0ff6
  SHA1: 5a22cf9d196df19e5184d1f786e59a609de13345
  SHA256: 2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a
  SHA512: 25fcec1590e0863f17258c136cec73ebb5dea5606c84472a469d7d1d81f2f10b3ea803574354d2f6c889c3fc517c7dbc47efb2993ae4a471777a4aa7323beecd
- C:\ProgramData\3826790d0e5a5e\scr.dll (also recorded twice as \ProgramData\3826790d0e5a5e\scr.dll with the same hashes)
  MD5: 756cee4ee058d9d8d05dab2dcb142684
  SHA1: d9e476769e4f7f6477c00a08f4b206cc1431f655
  SHA256: a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155
  SHA512: 5c4c8787af32679994cc1421a6ae5e55800b9bd2af876b1cea3932ae4f64c61ec374654d1db206ee972527633e34f4d47bdedc5650e7e431eff1b9113479c450
- C:\Users\Admin\AppData\Local\Temp\15213686645723710336
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-length input: the sandbox captured an empty temp file, not a payload, so these hashes carry no IOC value and must not go on a blocklist.
- C:\Users\Admin\AppData\Local\Temp\52e587793b\blfte.exe (listed twice in the report)
  MD5: a2a86cf41448cc5a375919a2ed050ea4
  SHA1: bc8767fd4d9ad5635f114d277a4561c5e5583e89
  SHA256: 7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0
  SHA512: a6bf977776370b49b1094ee920ad07e4862d2e649c9603722ae9dced0f104d0560eff5d7724ee5eea617d89808c5604b9fa8647a83a8f2cc04442fd7c6ad42a2
  Identical to the submitted sample (see General): blfte.exe is a self-copy into the directory that the Startup shell folder is redirected to, not a second-stage download.

Memory dumps

- memory/744-121-0x0000000000000000-mapping.dmp
- memory/1556-124-0x0000000000000000-mapping.dmp
- memory/1796-120-0x0000000000000000-mapping.dmp
- memory/2208-114-0x00000000001C0000-0x00000000001F1000-memory.dmp (196KB)
- memory/2208-115-0x0000000000400000-0x0000000003DC2000-memory.dmp (57.8MB)
- memory/2636-123-0x0000000000400000-0x0000000003DC2000-memory.dmp (57.8MB)
- memory/2636-116-0x0000000000000000-mapping.dmp
- memory/3212-127-0x0000000000000000-mapping.dmp
- memory/3212-131-0x0000000002370000-0x00000000023AD000-memory.dmp (244KB)

The 0x400000 image region of both the sample (pid 2208) and its copy (pid 2636) is 57.8MB in memory for a 367KB file on disk, so the executable declares section virtual sizes far larger than their raw data, a packer trait that also inflates the dumps; the 244KB region in pid 3212 is the more useful dump for looking at the unpacked DLL code.
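Two things in the hash list above are worth catching mechanically before the hashes are pushed anywhere: the zero-length sentinel and the self-copy of the sample. The following Python is an added example, not part of the report or of any sandbox tooling; the rows are copied from the Downloads section exactly as the sandbox emitted them (duplicates and drive-less paths included), and the assumption that a drive-less path lives on C: is this example's own.

```python
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# SHA-256 of the submitted file (General section of the report).
SUBMITTED_SHA256 = "7788316d7c265de3857cd869311e3227bad84465e2ae93f95fa5eeada4bdddd0"

# (path, md5, sha256) rows from the Downloads section, as emitted.
DROPPED: List[Tuple[str, str, str]] = [
    ("C:\\ProgramData\\3826790d0e5a5e\\cred.dll",
     "f195dbf9f3449a5434edf834e43b0ff6",
     "2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a"),
    ("C:\\ProgramData\\3826790d0e5a5e\\scr.dll",
     "756cee4ee058d9d8d05dab2dcb142684",
     "a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\15213686645723710336",
     "d41d8cd98f00b204e9800998ecf8427e",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\52e587793b\\blfte.exe",
     "a2a86cf41448cc5a375919a2ed050ea4", SUBMITTED_SHA256),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\52e587793b\\blfte.exe",
     "a2a86cf41448cc5a375919a2ed050ea4", SUBMITTED_SHA256),
    ("\\ProgramData\\3826790d0e5a5e\\cred.dll",
     "f195dbf9f3449a5434edf834e43b0ff6",
     "2b0cfb46b5c4981f267b7208192bf443a082920f2625ba09a7e929e743aa655a"),
    ("\\ProgramData\\3826790d0e5a5e\\scr.dll",
     "756cee4ee058d9d8d05dab2dcb142684",
     "a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155"),
    ("\\ProgramData\\3826790d0e5a5e\\scr.dll",
     "756cee4ee058d9d8d05dab2dcb142684",
     "a4c29bcbd40e822f69121a1c57b72181442b58f46d264e648db60ebe5cff5155"),
]

# Computed, not hard-coded, so the sentinel can never be mistyped.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def normalize_path(path: str) -> str:
    """The report lists some files with and some without the drive letter.
    Assumes a single system drive C: (an assumption of this example)."""
    path = path.strip()
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return path


def triage_dropped(rows: List[Tuple[str, str, str]], submitted_sha256: str) -> Dict[str, list]:
    """Group rows by SHA-256 and sort them into three buckets: empty files
    (no IOC value), copies of the submitted sample, and distinct payloads
    together with every path each was seen at."""
    paths_by_sha: Dict[str, set] = defaultdict(set)
    md5_by_sha: Dict[str, str] = {}
    for path, md5, sha256 in rows:
        paths_by_sha[sha256].add(normalize_path(path))
        # Same SHA-256 with a different MD5 means a transcription error in the rows.
        if md5_by_sha.setdefault(sha256, md5) != md5:
            raise ValueError(f"inconsistent MD5 for {sha256}")
    out: Dict[str, list] = {"empty": [], "self_copies": [], "payloads": []}
    for sha256, paths in paths_by_sha.items():
        if sha256 == EMPTY_SHA256:
            out["empty"].extend(sorted(paths))
        elif sha256 == submitted_sha256:
            out["self_copies"].extend(sorted(paths))
        else:
            out["payloads"].append((sha256, md5_by_sha[sha256], sorted(paths)))
    out["payloads"].sort()
    return out


def blocklist_hashes(report: Dict[str, list], submitted_sha256: str) -> List[str]:
    """SHA-256 values worth pushing to an EDR/AV blocklist: the sample itself
    and each distinct dropped payload, never the empty-file sentinel."""
    return sorted({submitted_sha256} | {sha for sha, _, _ in report["payloads"]})


if __name__ == "__main__":
    rep = triage_dropped(DROPPED, SUBMITTED_SHA256)
    print("empty files :", rep["empty"])
    print("self-copies :", rep["self_copies"])
    for sha, md5, paths in rep["payloads"]:
        print(f"payload {sha[:12]}... md5={md5} at {paths}")
    print("blocklist   :", blocklist_hashes(rep, SUBMITTED_SHA256))
```

On this report the eight rows collapse to two real payloads (cred.dll, scr.dll), one self-copy (blfte.exe) and one empty file, and the blocklist is three hashes: the sample plus the two DLLs. The empty-file digests are recognised by computing them at runtime rather than by matching the well-known d41d8cd9... string, so the same check works for any hash family the report happens to use.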