Analysis
- max time kernel: 130s
- max time network: 136s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 29-04-2021 00:04

Static task: static1
Behavioral task: behavioral1
Sample: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe
Resource: win7v20210408
General
- Target: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe
- Size: 283KB
- MD5: 31ab82365078548dcea62da7c2380b2e
- SHA1: 712fbb4df005439b9810090fd3a2962848e252c4
- SHA256: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
- SHA512: 937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3
Malware Config
Extracted
- Family: amadey
- Version: 2.16
- C2: 176.111.174.114/Hnq8vS/index.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow  pid  process
  18    476  rundll32.exe
  22    384  rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
  pid  process
  644  blfte.exe
- Loads dropped DLL (3 IoCs)
  Processes:
  pid  process
  476  rundll32.exe
  476  rundll32.exe
  384  rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid  process
  476  rundll32.exe
  476  rundll32.exe
  476  rundll32.exe
  476  rundll32.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                          pid   process                                                                  target process
  PID 860 wrote to memory of 644       860   b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe  blfte.exe
  PID 860 wrote to memory of 644       860   b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe  blfte.exe
  PID 860 wrote to memory of 644       860   b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe  blfte.exe
  PID 644 wrote to memory of 1856      644   blfte.exe                                                                cmd.exe
  PID 644 wrote to memory of 1856      644   blfte.exe                                                                cmd.exe
  PID 644 wrote to memory of 1856      644   blfte.exe                                                                cmd.exe
  PID 1856 wrote to memory of 3396     1856  cmd.exe                                                                  reg.exe
  PID 1856 wrote to memory of 3396     1856  cmd.exe                                                                  reg.exe
  PID 1856 wrote to memory of 3396     1856  cmd.exe                                                                  reg.exe
  PID 644 wrote to memory of 476       644   blfte.exe                                                                rundll32.exe
  PID 644 wrote to memory of 476       644   blfte.exe                                                                rundll32.exe
  PID 644 wrote to memory of 476       644   blfte.exe                                                                rundll32.exe
  PID 644 wrote to memory of 384       644   blfte.exe                                                                rundll32.exe
  PID 644 wrote to memory of 384       644   blfte.exe                                                                rundll32.exe
  PID 644 wrote to memory of 384       644   blfte.exe                                                                rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\1a9f26b569d5df\cred.dll
  MD5: 985f9c4d8bf231ca08046bcd44d558eb
  SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
  SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
  SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f
- C:\ProgramData\1a9f26b569d5df\scr.dll
  MD5: a48dc2da2655fd049e37e36fcda28fba
  SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
  SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
  SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490
- C:\Users\Admin\AppData\Local\Temp\15211594587808204709 (zero-byte file: these are the hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe (same hashes as the submitted sample, i.e. a copy of itself)
  MD5: 31ab82365078548dcea62da7c2380b2e
  SHA1: 712fbb4df005439b9810090fd3a2962848e252c4
  SHA256: b5a399c0ea40983abc68b828ccb14efde2db90c047bbfba9ae418317ce7f036d
  SHA512: 937bfd9845cc25a6739b8df0cac685c5499f4d55d5f70fff5ce61a4569b7be96d84e987e001b8e8109200c485f681bcc86911a29cc5e5e45b978dbace7da2ce3
- \ProgramData\1a9f26b569d5df\cred.dll
  MD5: 985f9c4d8bf231ca08046bcd44d558eb
  SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
  SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
  SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f
- \ProgramData\1a9f26b569d5df\scr.dll
  MD5: a48dc2da2655fd049e37e36fcda28fba
  SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
  SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
  SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490
- memory/384-129-0x0000000000000000-mapping.dmp
- memory/476-124-0x0000000000000000-mapping.dmp
- memory/476-128-0x00000000006D0000-0x00000000006F4000-memory.dmp (filesize 144KB)
- memory/644-123-0x0000000000400000-0x00000000004B3000-memory.dmp (filesize 716KB)
- memory/644-122-0x00000000004C0000-0x000000000056E000-memory.dmp (filesize 696KB)
- memory/644-116-0x0000000000000000-mapping.dmp
- memory/860-114-0x0000000000620000-0x0000000000651000-memory.dmp (filesize 196KB)
- memory/860-115-0x0000000000400000-0x00000000004B3000-memory.dmp (filesize 716KB)
- memory/1856-120-0x0000000000000000-mapping.dmp
- memory/3396-121-0x0000000000000000-mapping.dmp