Analysis
Max time kernel: 127s
Max time network: 132s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 01-05-2021 02:01

Static task: static1
Behavioral task: behavioral1
  Sample: xsrv2.exe
  Resource: win7v20210408
General
Target: xsrv2.exe
Size: 277KB
MD5: 6ee6360780735d4be90b6eb64df15a56
SHA1: 74b8352d724cf8757f646042cbc3e9339e09c193
SHA256: c14ea29de50a8295487fea090d9313dfff27bd3c30b67b82e5d2634dc30ce738
SHA512: e981609af406bb73943ec0fff88ad2833d6d3037527e1d1e988cf213b5ca6929180e2ae5421b7c631b63d5629cf01a699c0b701124b75fbf76a9de7500b59d36
Malware Config
Extracted:
  Family: amadey
  Version: 2.16
  C2: 176.111.174.114/Hnq8vS/index.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 17: PID 2096 rundll32.exe
  flow 20: PID 1052 rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  PID 2104 blfte.exe
- Loads dropped DLL (2 IoCs)
  PID 2096 rundll32.exe
  PID 1052 rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The generic signature text calls this "likely ransomware behaviour", but the extracted config identifies this sample as Amadey, a loader/stealer, so read the drive enumeration as host reconnaissance rather than as evidence of encryption.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2096 rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (15 IoCs; each parent/child pair is reported 3 times)
  PID 1968 xsrv2.exe wrote to memory of PID 2104 blfte.exe
  PID 2104 blfte.exe wrote to memory of PID 2648 cmd.exe
  PID 2648 cmd.exe wrote to memory of PID 3864 reg.exe
  PID 2104 blfte.exe wrote to memory of PID 2096 rundll32.exe
  PID 2104 blfte.exe wrote to memory of PID 1052 rundll32.exe
  These pairs are also the parent/child map used for the process tree below.
Processes
Indented by parent/child relationship; PIDs are taken from the WriteProcessMemory IoCs above. Where the image path is under C:\Windows\SysWOW64 but the command line names System32, that is WoW64 file-system redirection: the 32-bit sample asked for System32 and was given the 32-bit copies.

xsrv2.exe (PID 1968)
  Image: C:\Users\Admin\AppData\Local\Temp\xsrv2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\xsrv2.exe"
  Signatures: Suspicious use of WriteProcessMemory

  blfte.exe (PID 2104)
    Image: C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    cmd.exe (PID 2648)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\
      Signatures: Suspicious use of WriteProcessMemory
      Persistence: this rewrites the per-user Startup shell folder to point at the directory blfte.exe was dropped in. Explorer launches everything in that directory at logon, so the copy persists without touching the Run keys or the real Startup folder, which is why Run-key-only autostart audits miss it.

      reg.exe (PID 3864)
        Image: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e90e419c61\

    rundll32.exe (PID 2096)
      Image: C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses

    rundll32.exe (PID 1052)
      Image: C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL
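The process tree above gives two behaviours a detection engineer would want to alert on: a REG ADD that repoints the User Shell Folders\Startup value away from the default folder, and rundll32.exe loading a DLL by explicit path from C:\ProgramData. The Python below is an added example, not tria.ge output and not Amadey code. The process-creation events are constructed from the command lines and PIDs reported on this page; the rule names, event field names and the trusted-directory baseline are assumptions of the example. It also shows why correlating the hits matters: walking the parent chain of all four flagged processes lands on blfte.exe (PID 2104), the dropped copy, not on any one of the noisy children.

```python
r"""Detections for the two behaviours in the process tree above: the Startup shell
folder redirection and rundll32 loading DLLs from C:\ProgramData. Added example (not
tria.ge output, not Amadey code); events below are constructed from this page."""
import shlex

USER_SHELL_FOLDERS = r"hkcu\software\microsoft\windows\currentversion\explorer\user shell folders"
# The real Startup folder always ends in this suffix, expanded or as %USERPROFILE%\...
DEFAULT_STARTUP_SUFFIX = r"\appdata\roaming\microsoft\windows\start menu\programs\startup"
# Where legitimate software points rundll32 (assumed baseline; extend for your estate).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

def _tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _switches(tokens):
    """Map reg.exe switches to their arguments: /v -> 'Startup', /d -> path, /f -> True."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else "/"
            opts[tok.lower()] = True if nxt.startswith("/") else nxt
    return opts

def detect_startup_redirect(cmdline):
    """Flag REG ADD on User Shell Folders /v Startup whose /d is not the default folder.
    Fires on both the cmd.exe /C wrapper and the reg.exe child."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks[:-2]):
        if _basename(tok) not in ("reg", "reg.exe") or toks[i + 1].lower() != "add":
            continue
        if toks[i + 2].lower().replace("hkey_current_user", "hkcu") != USER_SHELL_FOLDERS:
            return None
        opts = _switches(toks[i + 3:])
        target = str(opts.get("/d", ""))
        if str(opts.get("/v", "")).lower() != "startup" or \
                target.lower().rstrip("\\").endswith(DEFAULT_STARTUP_SUFFIX):
            return None
        return {"rule": "startup-shell-folder-redirect", "target": target}
    return None

def detect_rundll32_untrusted_dll(cmdline):
    """Flag rundll32 loading a DLL by explicit path from outside TRUSTED_DLL_DIRS."""
    toks = _tokens(cmdline)
    if len(toks) < 2 or _basename(toks[0]) != "rundll32.exe":
        return None
    dll, _, export = " ".join(toks[1:]).partition(",")   # "x.dll,Main" or "x.dll, Main"
    low = dll.lower()
    if "\\" not in low or any(low.startswith(d) for d in TRUSTED_DLL_DIRS):
        return None   # bare names (DLL search-path resolution) are out of scope here
    return {"rule": "rundll32-dll-outside-trusted-dirs", "dll": dll, "export": export.strip()}

def scan(events):
    """Run both rules over process-creation events and attach pid/parent context."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        for rule in (detect_startup_redirect, detect_rundll32_untrusted_dll):
            hit = rule(e["cmdline"])
            if hit:
                parent = by_pid.get(e["ppid"])
                hit.update(pid=e["pid"], parent=_basename(parent["image"]) if parent else None)
                findings.append(hit)
    return findings

def common_ancestor(events, pids):
    """Lowest process that is an ancestor of (or equal to) every flagged PID."""
    ppid = {e["pid"]: e["ppid"] for e in events}
    def lineage(pid):
        out = []
        while pid in ppid:
            out.append(pid)
            pid = ppid[pid]
        return out
    lines = [lineage(p) for p in pids]
    return next((p for p in lines[0] if all(p in l for l in lines[1:])), None)

T = r"C:\Users\Admin\AppData\Local\Temp"
REG_CMD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
           r' /f /v Startup /t REG_SZ /d ' + T + "\\e90e419c61\\")
# Process-creation events constructed from the tree on this page (ppid 0 = not reported).
SAMPLE_EVENTS = [
    {"pid": 1968, "ppid": 0, "image": T + r"\xsrv2.exe", "cmdline": '"' + T + r'\xsrv2.exe"'},
    {"pid": 2104, "ppid": 1968, "image": T + r"\e90e419c61\blfte.exe",
     "cmdline": '"' + T + r'\e90e419c61\blfte.exe"'},
    {"pid": 2648, "ppid": 2104, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ' + REG_CMD},
    {"pid": 3864, "ppid": 2648, "image": r"C:\Windows\SysWOW64\reg.exe", "cmdline": REG_CMD},
    {"pid": 2096, "ppid": 2104, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\cred.dll, Main'},
    {"pid": 1052, "ppid": 2104, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\1a9f26b569d5df\scr.dll, Main'},
]
```

Run `scan(SAMPLE_EVENTS)` and you get four findings (cmd.exe and reg.exe both for the Startup redirect, both rundll32 instances for the ProgramData DLLs); `common_ancestor` over their PIDs returns 2104. The Startup rule compares only the path suffix so that a legitimate REG_EXPAND_SZ value of %USERPROFILE%\...\Startup does not fire, and the rundll32 rule deliberately ignores bare DLL names, which need a file-path or image-load event to resolve.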
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\1a9f26b569d5df\cred.dll
  MD5: 985f9c4d8bf231ca08046bcd44d558eb
  SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
  SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
  SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f
- C:\ProgramData\1a9f26b569d5df\scr.dll
  MD5: a48dc2da2655fd049e37e36fcda28fba
  SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
  SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
  SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490
- C:\Users\Admin\AppData\Local\Temp\15213686645723710336
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of zero-byte input: the file was created but nothing was written to it, so there is no content here to hunt for and the hashes are useless as IoCs.
- C:\Users\Admin\AppData\Local\Temp\e90e419c61\blfte.exe
  MD5: 6ee6360780735d4be90b6eb64df15a56
  SHA1: 74b8352d724cf8757f646042cbc3e9339e09c193
  SHA256: c14ea29de50a8295487fea090d9313dfff27bd3c30b67b82e5d2634dc30ce738
  SHA512: e981609af406bb73943ec0fff88ad2833d6d3037527e1d1e988cf213b5ca6929180e2ae5421b7c631b63d5629cf01a699c0b701124b75fbf76a9de7500b59d36
  Byte-identical to the submitted xsrv2.exe (same hashes as the General section): the sample copies itself into the e90e419c61 subdirectory of Temp and runs the copy, and the Startup shell-folder redirection in the process tree points at that same directory.
- \ProgramData\1a9f26b569d5df\cred.dll (same file as above, listed under its drive-less path)
  MD5: 985f9c4d8bf231ca08046bcd44d558eb
  SHA1: de5711528d94dab76186d9695ce19c3c6c26eec9
  SHA256: 78322121578342e588375350f56edb5e0a6d4b889c6425814590afd1a967e650
  SHA512: 939ded352bf569ddc0ec01c642fb6ddb12d055b8a785fb717daa63e9e3f141ff13a40291c18df2d8ea28b2860f91067b9cfd1a740a587b7726d9cb293155e44f
- \ProgramData\1a9f26b569d5df\scr.dll (same file as above, listed under its drive-less path)
  MD5: a48dc2da2655fd049e37e36fcda28fba
  SHA1: 96ce27ab5fec62c6ac3ed96dd1bdc2defad5499e
  SHA256: 76f6c712403a2f6213390ab2a72a82c98c9c48e1b1bde182aa5932bd02a06d43
  SHA512: 37ad66440213cc29ec658158151366afd077a2ff941323b4190279a4344f1b4c55109a5cf80b96abd9bd4d07741a8cdaec5d3651c53b0dd87f2e720c73264490
Memory dumps
- memory/1052-127-0x0000000000000000-mapping.dmp
- memory/1968-117-0x00000000047B0000-0x00000000047E1000-memory.dmp (196KB)
- memory/1968-118-0x0000000000400000-0x0000000002BB5000-memory.dmp (39.7MB)
- memory/2096-124-0x0000000000000000-mapping.dmp
- memory/2104-114-0x0000000000000000-mapping.dmp
- memory/2104-123-0x0000000000400000-0x0000000002BB5000-memory.dmp (39.7MB)
- memory/2648-121-0x0000000000000000-mapping.dmp
- memory/3864-122-0x0000000000000000-mapping.dmp