Analysis
max time kernel: 127s
max time network: 132s
platform: windows10_x64
resource: win10v20210410
submitted: 28-04-2021 21:12
Static task: static1
Behavioral task: behavioral1
Sample: b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe
Resource: win7v20210410
General
Target: b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe
Size: 283KB
MD5: 31ab82365078548dcea62da7c2380b2e
SHA1: 712fbb4df005439b9810090fd3a2962848e252c4
SHA256: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
SHA512: 937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3
Malware Config
Extracted
Family: amadey
Version: 2.16
C2 URL: 176.111.174.114/Hnq8vS/index.php
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes (flow, PID, process):
30  1120  rundll32.exe
35  2396  rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes (PID, process):
2736  blfte.exe
-
Loads dropped DLL (3 IoCs)
Processes (PID, process):
1120  rundll32.exe
1120  rundll32.exe
2396  rundll32.exe
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour", but drive enumeration on its own is not a ransomware indicator; everything else in this report (the extracted Amadey configuration, cred.dll loaded through rundll32, the messenger-data reads) is consistent with a loader/infostealer, not ransomware.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (PID, process):
1120  rundll32.exe  (logged 4 times)
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes (source PID, source process -> target PID, target process; each pair is logged 3 times):
3904  b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe -> 2736  blfte.exe
2736  blfte.exe -> 3636  cmd.exe
3636  cmd.exe -> 3884  reg.exe
2736  blfte.exe -> 1120  rundll32.exe
2736  blfte.exe -> 2396  rundll32.exe
Processes
-
Process tree (numbers give the depth in the tree; the signatures hit by each process are listed beneath its command line):
1. C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL

Two points worth noting in this tree. The REG ADD step is the persistence mechanism: it rewrites the per-user "User Shell Folders\Startup" value, so Explorer treats C:\Users\Admin\AppData\Local\Temp\e90e419c61\ as the Startup folder and launches blfte.exe (the copy of the sample dropped there) at every logon, without touching the usual Run keys or the real Startup directory. The command lines name C:\Windows\System32\ while the image paths are C:\Windows\SysWOW64\ because the 32-bit sample runs under WOW64 file-system redirection; detection logic that compares image path against command line must allow for that mismatch.
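Detection logic for the three behaviours the process tree shows (the Startup shell-folder hijack via REG ADD, rundll32 running an export from a DLL under ProgramData, and a Temp executable spawning a dropped copy of itself in Temp). This is an added example, not part of the sandbox report or of Amadey: the event records are constructed to resemble Sysmon Event ID 1 fields, reusing the command lines above plus two made-up benign controls (PIDs 5000 and 5001), and the rule names and the list of user-writable roots are this example's own choices.

```python
"""Detection rules for the process chain on this page, run over constructed
Sysmon-style process-creation records (not telemetry from the sandbox)."""
import re
from typing import Dict, List, Tuple

# Constructed events: pid, ppid, image and command line, shaped like Sysmon
# Event ID 1. PIDs 3904..2396 reuse the command lines from the process tree
# above; PIDs 5000/5001 are made-up benign controls that must not alert.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 3904, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbf.exe"'},
    {"pid": 2736, "ppid": 3904,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe"'},
    {"pid": 3636, "ppid": 2736,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61' "\\"},
    {"pid": 3884, "ppid": 3636,
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61' "\\"},
    {"pid": 1120, "ppid": 2736,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main'},
    {"pid": 2396, "ppid": 2736,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main'},
    # Benign controls (constructed): restoring the default Startup value, and
    # rundll32 invoking an export from a DLL in System32.
    {"pid": 5000, "ppid": 4999,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"'},
    {"pid": 5001, "ppid": 4999,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
]

# REG ADD against the per-user Startup shell folder; captures the /d value.
USER_SHELL_FOLDERS = re.compile(
    r'reg\s+add\s+"?hk(?:cu|ey_current_user)\\software\\microsoft\\windows'
    r'\\currentversion\\explorer\\user shell folders"?'
    r'.*?/v\s+startup\b.*?/d\s+(?:"([^"]*)"|(\S+))',
    re.IGNORECASE,
)
# rundll32 "<dll>,<export>" argument, with or without quotes and spaces.
RUNDLL32_ARG = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))\s*,\s*(\w+)', re.IGNORECASE
)
# How a legitimate Startup folder path ends (%USERPROFILE% or absolute form).
DEFAULT_STARTUP_SUFFIX = "\\start menu\\programs\\startup"
# Directories any user can write to; this list is the example's own choice.
USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")

Finding = Tuple[int, str, str]  # (pid, rule name, detail)


def in_user_writable_location(path: str) -> bool:
    p = path.lower()
    return any(root in p for root in USER_WRITABLE_ROOTS)


def detect(events: List[Dict]) -> List[Finding]:
    """Return one finding per (process, rule) that fires on the given events."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        cmd, image = e["cmdline"], e["image"].lower()
        # Rule 1: Startup shell folder redirected somewhere other than the default.
        m = USER_SHELL_FOLDERS.search(cmd)
        if m:
            target = (m.group(1) or m.group(2)).rstrip("\\").lower()
            if not target.endswith(DEFAULT_STARTUP_SUFFIX):
                findings.append((e["pid"], "startup_shell_folder_hijack", target))
        # Rule 2: rundll32 executing an export from a DLL in a user-writable directory.
        if image.endswith("\\rundll32.exe"):
            m = RUNDLL32_ARG.search(cmd)
            if m:
                dll = m.group(1) or m.group(2)
                if in_user_writable_location(dll):
                    findings.append((e["pid"], "rundll32_user_writable_dll", f"{dll},{m.group(3)}"))
        # Rule 3: an executable in Temp spawning another executable in Temp (self-copy dropper).
        parent = by_pid.get(e["ppid"])
        if parent and "\\appdata\\local\\temp\\" in image \
                and "\\appdata\\local\\temp\\" in parent["image"].lower():
            findings.append((e["pid"], "temp_exe_spawns_temp_exe", f"{parent['pid']} -> {e['pid']}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Rule 1 matches on the command line rather than the image path on purpose: the same REG ADD appears twice in the tree, once as the argument of cmd.exe and once as reg.exe itself, and both are worth seeing. Rule 2 keys on where the DLL lives, not on the export name, because "Main" is arbitrary; a DLL in ProgramData or Temp being run by rundll32 is the durable signal.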
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\1a9f26b569d5df\cred.dll
MD5: 985f9c4d8bf231ca08046bcd44d558eb
SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f
-
C:\ProgramData\1a9f26b569d5df\scr.dll
MD5: a48dc2da2655fd049e37e36fcda28fba
SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490
-
C:\Users\Admin\AppData\Local\Temp\15213686645723710336 (the hashes below are those of empty input, so this is a 0-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe (hashes identical to the submitted sample: the dropper copies itself to this directory)
MD5: 31ab82365078548dcea62da7c2380b2e
SHA1: 712fbb4df005439b9810090fd3a2962848e252c4
SHA256: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
SHA512: 937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3
-
\ProgramData\1a9f26b569d5df\cred.dll
MD5: 985f9c4d8bf231ca08046bcd44d558eb
SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f
-
\ProgramData\1a9f26b569d5df\scr.dll
MD5: a48dc2da2655fd049e37e36fcda28fba
SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490
-
Memory dumps (PID-index-range, with the dump size where the page gives one):
memory/1120-128-0x0000000000B20000-0x0000000000B44000-memory.dmp (144KB)
memory/1120-124-0x0000000000000000-mapping.dmp
memory/2396-129-0x0000000000000000-mapping.dmp
memory/2736-122-0x0000000000550000-0x00000000005FE000-memory.dmp (696KB)
memory/2736-123-0x0000000000400000-0x00000000004B3000-memory.dmp (716KB)
memory/2736-114-0x0000000000000000-mapping.dmp
memory/3636-120-0x0000000000000000-mapping.dmp
memory/3884-121-0x0000000000000000-mapping.dmp
memory/3904-118-0x0000000000400000-0x00000000004B3000-memory.dmp (716KB)
memory/3904-117-0x00000000004C0000-0x000000000056E000-memory.dmp (696KB)