Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 06-05-2021 09:02
Static task: static1
Behavioral task: behavioral1
- Sample: AF96260D874638083E3C7335933227E7.exe
- Resource: win7v20210410
General
- Target: AF96260D874638083E3C7335933227E7.exe
- Size: 191KB
- MD5: af96260d874638083e3c7335933227e7
- SHA1: 98a4f387a46cba1a88fc95063a01a9c4579cc40a
- SHA256: d04ec4f0546f476d13d8ac05da68cd58c395c93e13c83eb8c5f44ed273064bb6
- SHA512: 0ebd10262c6bed3c342b85b05d8567e13d0d46c8fa51b742682866394b82860ce291d1889872f94ace629eee6daea06ef818bc0805d6c57177b8b97cc231f9ba
Malware Config
Extracted:
- Family: amadey
- Version: 2.16
- C2: 45.155.205.172/4dcYcWsw3/index.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow, pid, process):
    15  3960  rundll32.exe
    20  3932  rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2200  blfte.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    3960  rundll32.exe
    3932  rundll32.exe
    3932  rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    3960  rundll32.exe
    3960  rundll32.exe
    3960  rundll32.exe
    3960  rundll32.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
    PID 2220 wrote to memory of 2200  2220  AF96260D874638083E3C7335933227E7.exe  blfte.exe
    PID 2220 wrote to memory of 2200  2220  AF96260D874638083E3C7335933227E7.exe  blfte.exe
    PID 2220 wrote to memory of 2200  2220  AF96260D874638083E3C7335933227E7.exe  blfte.exe
    PID 2200 wrote to memory of 3820  2200  blfte.exe  cmd.exe
    PID 2200 wrote to memory of 3820  2200  blfte.exe  cmd.exe
    PID 2200 wrote to memory of 3820  2200  blfte.exe  cmd.exe
    PID 3820 wrote to memory of 3924  3820  cmd.exe  reg.exe
    PID 3820 wrote to memory of 3924  3820  cmd.exe  reg.exe
    PID 3820 wrote to memory of 3924  3820  cmd.exe  reg.exe
    PID 2200 wrote to memory of 3960  2200  blfte.exe  rundll32.exe
    PID 2200 wrote to memory of 3960  2200  blfte.exe  rundll32.exe
    PID 2200 wrote to memory of 3960  2200  blfte.exe  rundll32.exe
    PID 2200 wrote to memory of 3932  2200  blfte.exe  rundll32.exe
    PID 2200 wrote to memory of 3932  2200  blfte.exe  rundll32.exe
    PID 2200 wrote to memory of 3932  2200  blfte.exe  rundll32.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\AF96260D874638083E3C7335933227E7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AF96260D874638083E3C7335933227E7.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c2ff7e01a0\blfte.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c2ff7e01a0\blfte.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\c2ff7e01a0\
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\c2ff7e01a0\
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\c9c2592926ae12\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\ProgramData\c9c2592926ae12\scr.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\ProgramData\c9c2592926ae12\cred.dll
  MD5: 95cf3fb1bee9a2cf50d999142e6b6b4c
  SHA1: 23b6008f9b89517d3fe81466a5d1c9beb8b1d5fa
  SHA256: 706ace133ec546df3aebe4ca0ca927ee1f3059e570cea2e8f6e98e77882f8745
  SHA512: 905ce6b3ac8706e03dc8197a3b599abb446f5a6af2908d43aacdbcefb911c585b84c5b904a35660e7fa8f9775dfc374a319b375e60e65a027c432dcd3ef8f6c3
- C:\ProgramData\c9c2592926ae12\scr.dll
  MD5: 8fb5cc19a4b3784c602be19efe34555c
  SHA1: 20b0ee7e24bf9cce5d34b88378d106f2bea84eab
  SHA256: 3a7809920592be114483fe7f764f4ce9c48f6c7bc1ed578f7b8a5f2130488810
  SHA512: 778e17b02e1f9eac735a2f04498afafb7cf42660a5a962ad3dca3a4d0c00cf793df104ce99c665ade72afe02c189e7f45af69673da532cd730121c4f8f0a0304
- C:\Users\Admin\AppData\Local\Temp\15213686645723710336
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\c2ff7e01a0\blfte.exe
  MD5: af96260d874638083e3c7335933227e7
  SHA1: 98a4f387a46cba1a88fc95063a01a9c4579cc40a
  SHA256: d04ec4f0546f476d13d8ac05da68cd58c395c93e13c83eb8c5f44ed273064bb6
  SHA512: 0ebd10262c6bed3c342b85b05d8567e13d0d46c8fa51b742682866394b82860ce291d1889872f94ace629eee6daea06ef818bc0805d6c57177b8b97cc231f9ba
- C:\Users\Admin\AppData\Local\Temp\c2ff7e01a0\blfte.exe
  MD5: af96260d874638083e3c7335933227e7
  SHA1: 98a4f387a46cba1a88fc95063a01a9c4579cc40a
  SHA256: d04ec4f0546f476d13d8ac05da68cd58c395c93e13c83eb8c5f44ed273064bb6
  SHA512: 0ebd10262c6bed3c342b85b05d8567e13d0d46c8fa51b742682866394b82860ce291d1889872f94ace629eee6daea06ef818bc0805d6c57177b8b97cc231f9ba
- \ProgramData\c9c2592926ae12\cred.dll
  MD5: 95cf3fb1bee9a2cf50d999142e6b6b4c
  SHA1: 23b6008f9b89517d3fe81466a5d1c9beb8b1d5fa
  SHA256: 706ace133ec546df3aebe4ca0ca927ee1f3059e570cea2e8f6e98e77882f8745
  SHA512: 905ce6b3ac8706e03dc8197a3b599abb446f5a6af2908d43aacdbcefb911c585b84c5b904a35660e7fa8f9775dfc374a319b375e60e65a027c432dcd3ef8f6c3
- \ProgramData\c9c2592926ae12\scr.dll
  MD5: 8fb5cc19a4b3784c602be19efe34555c
  SHA1: 20b0ee7e24bf9cce5d34b88378d106f2bea84eab
  SHA256: 3a7809920592be114483fe7f764f4ce9c48f6c7bc1ed578f7b8a5f2130488810
  SHA512: 778e17b02e1f9eac735a2f04498afafb7cf42660a5a962ad3dca3a4d0c00cf793df104ce99c665ade72afe02c189e7f45af69673da532cd730121c4f8f0a0304
- \ProgramData\c9c2592926ae12\scr.dll
  MD5: 8fb5cc19a4b3784c602be19efe34555c
  SHA1: 20b0ee7e24bf9cce5d34b88378d106f2bea84eab
  SHA256: 3a7809920592be114483fe7f764f4ce9c48f6c7bc1ed578f7b8a5f2130488810
  SHA512: 778e17b02e1f9eac735a2f04498afafb7cf42660a5a962ad3dca3a4d0c00cf793df104ce99c665ade72afe02c189e7f45af69673da532cd730121c4f8f0a0304
- memory/2200-114-0x0000000000000000-mapping.dmp
- memory/3820-118-0x0000000000000000-mapping.dmp
- memory/3924-119-0x0000000000000000-mapping.dmp
- memory/3932-123-0x0000000000000000-mapping.dmp
- memory/3960-120-0x0000000000000000-mapping.dmp