Analysis

- max time kernel: 110s
- max time network: 115s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 07-05-2021 21:02

Static task: static1
Behavioral task: behavioral1 (sample 7B030FD1473BD9B213A6DA3EF3ADC19E.exe, resource win7v20210410)
General

- Target: 7B030FD1473BD9B213A6DA3EF3ADC19E.exe
- Size: 2.0MB
- MD5: 7b030fd1473bd9b213a6da3ef3adc19e
- SHA1: 3fd6debb83d6b9b6240408fecef9946163d5a493
- SHA256: 07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e
- SHA512: 833cf86b707836347fca8750ef0abf8d7e6f5ce56ef4dacdaa85b5dc1a44099c94384dba2cbbf575329c0a8569ee2b48e4507633237e4b2231c90bbea855f71d
Malware Config

Extracted
- Family: amadey
- Version: 2.15
- C2 (from the extracted config): 92.38.184.216/4dcYcWsw3/index.php
Signatures

- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    20    3744  rundll32.exe
    23    1328  rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4076  jmgas.exe
  (jmgas.exe carries the same hashes as the submitted sample, so the "dropped EXE" is a self-copy, not a second-stage binary.)

- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    3744  rundll32.exe
    3744  rundll32.exe
    1328  rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (The second sentence is the sandbox's generic description for this signature. In this run the sample is an Amadey loader that runs two plugin DLLs, and no file encryption or mass file modification is reported, so the drive enumeration reads as reconnaissance for collection rather than as ransomware staging.)

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    3744  rundll32.exe (4 hits)

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (each source/target pair was logged three times):
    source pid  source process                        target pid  target process
    3896        7B030FD1473BD9B213A6DA3EF3ADC19E.exe  4076        jmgas.exe
    4076        jmgas.exe                             1900        cmd.exe
    1900        cmd.exe                               2088        reg.exe
    4076        jmgas.exe                             3744        rundll32.exe
    4076        jmgas.exe                             1328        rundll32.exe
  Every target is the writing process's own direct child from the process tree, written at creation time, so these events are consistent with ordinary process start-up and are not evidence of injection into an unrelated process on their own.
Processes

1. C:\Users\Admin\AppData\Local\Temp\7B030FD1473BD9B213A6DA3EF3ADC19E.exe (pid 3896)
   "C:\Users\Admin\AppData\Local\Temp\7B030FD1473BD9B213A6DA3EF3ADC19E.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\816ea2c2e2\jmgas.exe (pid 4076)
      "C:\ProgramData\816ea2c2e2\jmgas.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (pid 1900)
         "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\816ea2c2e2\
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe (pid 2088)
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\816ea2c2e2\
      3. C:\Windows\SysWOW64\rundll32.exe (pid 3744)
         "C:\Windows\System32\rundll32.exe" C:\ProgramData\bc692796e64ffe\cred.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\SysWOW64\rundll32.exe (pid 1328)
         "C:\Windows\System32\rundll32.exe" C:\ProgramData\bc692796e64ffe\scr.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL

Notes on the tree (the leading number is the report's depth marker; PIDs are taken from the WriteProcessMemory signature):
- The sample copies itself to C:\ProgramData\816ea2c2e2\jmgas.exe (identical hashes to the submission) and runs the copy from there.
- Persistence: the REG ADD rewrites the per-user User Shell Folders\Startup value to C:\ProgramData\816ea2c2e2\. Explorer resolves the Startup folder through that value, so jmgas.exe runs at every logon without a Run key entry and without any file appearing in the real Startup folder (ATT&CK T1547.001). A quick host check is whether that value still reads %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup; anything else is worth investigating.
- jmgas.exe then runs two dropped DLLs through rundll32 by calling their Main export; both make network requests. The names cred.dll and scr.dll, together with the "reads local data of messenger clients" signature, suggest credential-collection and screen-capture plugins, but the report itself does not confirm what either DLL does.
- The command lines name System32 while the image paths are under SysWOW64: the chain is 32-bit and WOW64 file-system redirection is mapping the 32-bit view of the system directory.
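The two behaviours in this tree that are cheap to hunt for across a fleet are the Startup shell-folder redirection and a Windows-signed host (rundll32.exe) loading a DLL from a user-writable directory. The following is an added example and not part of the sandbox report: it runs two small rules over process-creation events constructed from the report's own command lines and PIDs, plus two benign control events (pids 5001 and 5002, invented for contrast), and returns the alerts. The expected Startup paths and the list of user-writable roots are assumptions about a default Windows 10 install.

```python
"""Hunting rules for the two behaviours in the process tree above.

This is an added example, not part of the sandbox report. It runs over a few
process-creation events constructed from the report's own command lines and
PIDs, plus two benign control events that are not from the report, and flags:
  1. a 'reg add' that repoints the per-user User Shell Folders\Startup value
     anywhere other than the real Start Menu Startup directory, and
  2. rundll32.exe calling an export of a DLL that lives under a root a
     standard user can write to (C:\ProgramData here).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (same PIDs and command lines).
# The last two events are benign controls and do not come from the report.
EVENTS = [
    ProcEvent(4076, 3896, r"C:\ProgramData\816ea2c2e2\jmgas.exe",
              r'"C:\ProgramData\816ea2c2e2\jmgas.exe"'),
    ProcEvent(2088, 1900, r"C:\Windows\SysWOW64\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
              r' /f /v Startup /t REG_SZ /d C:\ProgramData\816ea2c2e2' + "\\"),
    ProcEvent(3744, 4076, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\bc692796e64ffe\cred.dll, Main'),
    ProcEvent(1328, 4076, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\bc692796e64ffe\scr.dll, Main'),
    ProcEvent(5001, 1, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
    ProcEvent(5002, 1, r"C:\Windows\System32\reg.exe",
              r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
              r' /f /v Startup /t REG_EXPAND_SZ /d "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"'),
]

# Tail of the registry key that owns the Startup redirection value (any hive prefix).
SHELL_FOLDERS_KEY = r"\software\microsoft\windows\currentversion\explorer\user shell folders"
# Where Windows itself points the per-user Startup folder (assumed defaults; lower-case, no trailing slash).
EXPECTED_STARTUP = (
    r"%appdata%\microsoft\windows\start menu\programs\startup",
    r"%userprofile%\appdata\roaming\microsoft\windows\start menu\programs\startup",
)
# Roots a standard user can drop files into (assumed list); a DLL loaded from
# here by a signed Windows host binary deserves a look.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

REG_ADD_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+(?:"([^"]+)"|(\S+))', re.I)
REG_OPT_RE = {opt: re.compile(r"/" + opt + r'\s+(?:"([^"]*)"|(\S+))', re.I) for opt in ("v", "d")}
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\S+)', re.I)


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a 'reg add' command line, or None."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    key = m.group(1) or m.group(2)
    opts = {}
    for opt, rx in REG_OPT_RE.items():
        hit = rx.search(cmdline)
        if hit is None:
            opts[opt] = ""
        else:
            opts[opt] = hit.group(1) if hit.group(1) is not None else hit.group(2)
    return key, opts["v"], opts["d"]


def startup_folder_hijack(ev):
    """Flag a reg add that redirects the per-user Startup shell folder.

    Explorer resolves the Startup folder through this value, so everything in
    the new directory runs at logon without a Run key or a file in the real
    Startup folder.
    """
    if not ev.image.lower().endswith("\\reg.exe"):
        return None
    parsed = parse_reg_add(ev.cmdline)
    if parsed is None:
        return None
    key, name, data = parsed
    if not key.lower().endswith(SHELL_FOLDERS_KEY) or name.lower() != "startup":
        return None
    if data.lower().rstrip("\\") in EXPECTED_STARTUP:
        return None
    return f"pid {ev.pid}: Startup shell folder redirected to {data}"


def rundll32_from_writable_path(ev):
    """Flag rundll32 calling an export of a DLL under a user-writable root."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_RE.search(ev.cmdline)
    if not m:
        return None
    dll, export = m.group(1).strip(), m.group(2)
    if dll.lower().startswith(USER_WRITABLE):
        return f"pid {ev.pid}: rundll32 called {export} in {dll} (user-writable path)"
    return None


RULES = (startup_folder_hijack, rundll32_from_writable_path)


def hunt(events):
    """Run every rule over the events and return the alert strings in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

Run against the constructed events the two rules produce exactly three alerts (reg.exe 2088 and the two rundll32 children), and neither benign control fires. The registry rule deliberately keys on the value's target rather than on the process name, so the same check works on a registry-set telemetry event or on a live read of the key.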
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files, listed once per path (the report repeats jmgas.exe twice and lists cred.dll and scr.dll both with the drive letter and as \ProgramData\... paths; the hashes are identical in every copy).

- C:\ProgramData\152136866457237103368804
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These are the digests of a zero-byte file: the sample created the file but wrote nothing to it during the run. They match every empty file on every system and must not be used as indicators.

- C:\ProgramData\816ea2c2e2\jmgas.exe
  MD5     7b030fd1473bd9b213a6da3ef3adc19e
  SHA1    3fd6debb83d6b9b6240408fecef9946163d5a493
  SHA256  07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e
  SHA512  833cf86b707836347fca8750ef0abf8d7e6f5ce56ef4dacdaa85b5dc1a44099c94384dba2cbbf575329c0a8569ee2b48e4507633237e4b2231c90bbea855f71d
  Identical to the submitted sample: the "dropped EXE" is a self-copy into C:\ProgramData\816ea2c2e2\, the directory the Startup shell folder is redirected to.

- C:\ProgramData\bc692796e64ffe\cred.dll
  MD5     899d6d472e52fa0891c7a5bf090235dd
  SHA1    076acad155813bd284333f2bb224a119e8b952dd
  SHA256  542fce375cc802da32461e2b6842745f53aded3b56c76ec85b750d8aba029a23
  SHA512  cad0b845d187b751d34f45d1789a819d5273155ddf7b7420c7a19b585e73ec5117039cc92f431fa73c5c11c8b68754ea34732863e54d07dbc6ddc863e04102db

- C:\ProgramData\bc692796e64ffe\scr.dll
  MD5     bc02549e5e87e2e01868e3eefc0cdc3f
  SHA1    78f119a416896d6ae314f180c3d69614f0efadbb
  SHA256  270ba1baa2c59c864e8ec517d7d4ea7856cd1c42f97a33a8c9eb9948fac1d0ff
  SHA512  3e2ebf1f8c2556bb187b62c39a19c236e80d395eee94cabbabe33cb4bf4706b56bf096ca7575348acce3b2434bec38c6b30bb407214b838667ef15d2c5caf269

The two DLLs are the only genuinely new artifacts in this run and the only hashes worth pivoting on.
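Before pivoting on a sandbox's dropped-file hashes it pays to classify them: an entry can be the empty file, a copy of the sample itself, or a genuinely new artifact, and a row whose MD5/SHA1/SHA256 disagree with each other has been mis-transcribed. The following is an added example, not part of the report, that applies that triage to the hash values listed above (copied from the report) and returns the SHA-256 values worth searching for elsewhere.

```python
"""Triage of the dropped-file hashes listed above.

Added example, not part of the report. It classifies each dropped file as
empty-file, self-copy of the submitted sample, or new-artifact, requires the
three digests of a row to agree, and returns the hashes worth pivoting on.
"""
import hashlib

# Hashes of the submitted sample, copied from the report's General section.
SAMPLE = {
    "md5": "7b030fd1473bd9b213a6da3ef3adc19e",
    "sha1": "3fd6debb83d6b9b6240408fecef9946163d5a493",
    "sha256": "07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e",
}

# Dropped-file entries copied from the report's Downloads list, one per path.
DROPPED = [
    {"path": r"C:\ProgramData\152136866457237103368804",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"path": r"C:\ProgramData\816ea2c2e2\jmgas.exe",
     "md5": "7b030fd1473bd9b213a6da3ef3adc19e",
     "sha1": "3fd6debb83d6b9b6240408fecef9946163d5a493",
     "sha256": "07eaa6e88904f46157a5e5e45dd70d6e14d5d06aae7dc17e8a2c440ff403a51e"},
    {"path": r"C:\ProgramData\bc692796e64ffe\cred.dll",
     "md5": "899d6d472e52fa0891c7a5bf090235dd",
     "sha1": "076acad155813bd284333f2bb224a119e8b952dd",
     "sha256": "542fce375cc802da32461e2b6842745f53aded3b56c76ec85b750d8aba029a23"},
    {"path": r"C:\ProgramData\bc692796e64ffe\scr.dll",
     "md5": "bc02549e5e87e2e01868e3eefc0cdc3f",
     "sha1": "78f119a416896d6ae314f180c3d69614f0efadbb",
     "sha256": "270ba1baa2c59c864e8ec517d7d4ea7856cd1c42f97a33a8c9eb9948fac1d0ff"},
]

ALGOS = ("md5", "sha1", "sha256")


def empty_file_hashes():
    """Digests of a zero-byte file; an entry carrying these was never written to."""
    return {a: hashlib.new(a, b"").hexdigest() for a in ALGOS}


def classify_by(entry, algo, sample=SAMPLE):
    """Classify one entry using a single algorithm's digest."""
    digest = entry[algo].lower()
    if digest == empty_file_hashes()[algo]:
        return "empty-file"
    if digest == sample[algo].lower():
        return "self-copy"
    return "new-artifact"


def classify(entry, sample=SAMPLE):
    """Classify an entry, requiring md5/sha1/sha256 to agree.

    A disagreement means the hash set was mis-transcribed (or two different
    files were merged into one row); such an entry must not be pivoted on.
    """
    verdicts = {classify_by(entry, a, sample) for a in ALGOS}
    return verdicts.pop() if len(verdicts) == 1 else "inconsistent"


def triage(entries, sample=SAMPLE):
    """Map each dropped path to its verdict."""
    return {e["path"]: classify(e, sample) for e in entries}


def pivot_hashes(entries, sample=SAMPLE):
    """SHA-256 values worth searching for elsewhere: genuinely new artifacts only."""
    return [e["sha256"] for e in entries if classify(e, sample) == "new-artifact"]


if __name__ == "__main__":
    for path, verdict in triage(DROPPED).items():
        print(f"{verdict:13} {path}")
    print("pivot on:", pivot_hashes(DROPPED))
```

The empty-file digests are computed rather than hard-coded so the same check catches a zero-byte artifact whatever hash algorithm a report happens to publish, and the consistency check is the reason to keep all three digests in an indicator list instead of just one.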
Memory dumps

- memory/1328-131-0x0000000000000000-mapping.dmp
- memory/1900-124-0x0000000000000000-mapping.dmp
- memory/2088-125-0x0000000000000000-mapping.dmp
- memory/3744-126-0x0000000000000000-mapping.dmp
- memory/3744-130-0x00000000009E0000-0x0000000000A04000-memory.dmp (144KB)
- memory/3896-114-0x00000000007D0000-0x00000000007D1000-memory.dmp (4KB)
- memory/3896-115-0x0000000002A20000-0x0000000002A51000-memory.dmp (196KB)
- memory/3896-116-0x0000000000400000-0x0000000000611000-memory.dmp (2.1MB)
- memory/4076-117-0x0000000000000000-mapping.dmp
- memory/4076-120-0x0000000000850000-0x0000000000851000-memory.dmp (4KB)
- memory/4076-123-0x0000000000400000-0x0000000000611000-memory.dmp (2.1MB)

The 0x0 "mapping" entries carry no memory contents. The two 0x400000-0x611000 dumps, one from the sample (pid 3896) and one from its self-copy jmgas.exe (pid 4076), are most likely the mapped executable image (2.1MB of image for a 2.0MB file is consistent with section alignment) and are the regions to take for unpacking; the 144KB region in pid 3744 sits in the rundll32 host that loaded cred.dll.