Analysis

  • max time kernel
    149s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-03-2022 22:12

General

  • Target

    a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe

  • Size

    11.8MB

  • MD5

    8d3f6ce67a39b911724915ceaef8a2b2

  • SHA1

    741581134935cdc99b33e606a7fba75d77d76b86

  • SHA256

    a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d

  • SHA512

    e3e2435db8cb784e11f76bbecac691c1f6c6ced861a68c2202e381e7b6860e74a50facffbfb93d89876aa68c4a9f8b9135dcc2e65134e28448eef18fca383776

Malware Config

Extracted

Family

amadey

Version

2.06

C2

217.8.117.207/gb2pnjsjcs/index.php

Signatures

  • Amadey

    Amadey is a simple trojan bot used primarily for collecting reconnaissance information about the infected host and for downloading and running additional payloads. The Permit_17.exe then bween.exe chain in the process tree below (a copy placed in C:\ProgramData\97fd00311d\, followed by the Startup shell-folder redirection) is consistent with Amadey's own installation routine.

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • Taurus Stealer Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Executes dropped EXE 5 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 5 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text flags this as likely ransomware behaviour; for this sample, which is classified as Amadey plus Taurus Stealer and shows no encryption activity in the report, drive enumeration is more consistent with host reconnaissance and locating files to steal.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
    "C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
      "C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:860
      • C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
        "C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:864
    • C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
      "C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\ProgramData\97fd00311d\bween.exe
        "C:\ProgramData\97fd00311d\bween.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1988
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
            5⤵
              PID:1992
      • C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
        "C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe"
        2⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1392
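The reg.exe command above is the persistence step: it rewrites the per-user Startup shell folder so that Explorer launches everything in C:\ProgramData\97fd00311d\ at logon, without touching any Run key or the real Startup directory, which is why a persistence review that only inspects those locations misses it. (The cmd.exe path discrepancy is not an error: the 32-bit parent asked for C:\Windows\System32\cmd.exe and WoW64 file-system redirection served C:\Windows\SysWOW64\cmd.exe; the two tree lines are one launch.) The following Python check is an added example, not part of the sandbox report or of the malware: it parses `reg add` command lines, unwraps a `cmd.exe /C` prefix, and flags a Startup value that points anywhere other than the Windows default. The first two sample lines are the ones from the process tree; the benign control lines and the DEFAULT_STARTUP constant (the value Windows stores, unexpanded) are assumptions of the example.

```python
import re

# Default per-user Startup folder as Windows stores it in User Shell Folders
# (REG_EXPAND_SZ, %USERPROFILE% left unexpanded). Assumed constant for this example.
DEFAULT_STARTUP = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
USER_SHELL_FOLDERS = r"software\microsoft\windows\currentversion\explorer\user shell folders"

# Matches a `cmd.exe /C <command>` (or /K) wrapper and captures the inner command.
_CMD_WRAPPER = re.compile(
    r'^(?:"[^"]*\bcmd(?:\.exe)?"|\S*\bcmd(?:\.exe)?)\s+/[ck]\s+(.*)$',
    re.IGNORECASE | re.DOTALL,
)


def unwrap_cmd(cmdline):
    """Strip a cmd.exe /C wrapper so the inner reg.exe command can be parsed."""
    m = _CMD_WRAPPER.match(cmdline.strip())
    return m.group(1).strip() if m else cmdline.strip()


def tokenize(cmdline):
    """Split on whitespace but keep quoted arguments whole (surrounding quotes removed)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Return {key, value, type, data} for a `reg add` command line, else None."""
    toks = tokenize(unwrap_cmd(cmdline))
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]   # accept a full path to reg.exe
    if exe not in ("reg", "reg.exe"):
        return None
    opts, i = {}, 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d", "/s") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:                      # /f, /ve, /reg:32 ... take no argument
            opts[flag] = True
            i += 1
    return {"key": toks[2], "value": opts.get("/v"), "type": opts.get("/t"), "data": opts.get("/d")}


def startup_folder_hijack(cmdline):
    """Finding if the command points HKCU ...\\User Shell Folders\\Startup somewhere non-default."""
    reg = parse_reg_add(cmdline)
    if reg is None:
        return None
    key = reg["key"].lower()
    if not key.startswith(("hkcu\\", "hkey_current_user\\")) or not key.endswith(USER_SHELL_FOLDERS):
        return None
    if (reg["value"] or "").lower() != "startup":
        return None
    data = (reg["data"] or "").rstrip("\\")
    if data.lower() == DEFAULT_STARTUP.lower():
        return None                # restoring the default is not a hijack
    return {"startup_redirected_to": reg["data"], "value_type": reg["type"]}


def scan(cmdlines):
    """Return (cmdline, finding) pairs for every line that redirects the Startup folder."""
    findings = []
    for c in cmdlines:
        f = startup_folder_hijack(c)
        if f:
            findings.append((c, f))
    return findings


# Constructed sample command lines: the first two are the cmd.exe and reg.exe
# lines from the process tree; the last two are benign controls (assumed).
SAMPLES = [
    r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d' + "\\",
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d' + "\\",
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Tools\updater.exe /f',
]

if __name__ == "__main__":
    for cmd, finding in scan(SAMPLES):
        print(finding["startup_redirected_to"], "<-", cmd)
```

Both tree lines produce the same finding (the cmd.exe line is unwrapped to the reg.exe line), so a rule built on this logic should deduplicate on the parsed data rather than the raw command line. The same check applies to the HKLM `Common Startup` value for machine-wide persistence; it is left out here because the report only shows the per-user variant.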

    Network

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\ProgramData\152123293896284064185017 (zero-byte file; the hashes below are those of empty input)

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\ProgramData\97fd00311d\bween.exe

      MD5

      77726cbf962c895ed94737fb5d1999cd

      SHA1

      f69fea46fd0bed8b452cac3923664bca749e78c3

      SHA256

      f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

      SHA512

      51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

    • C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

      MD5

      22f31f5dee32cb8ac454a216b9226a60

      SHA1

      a716176ff41859483dce502a76dbe5d0f6961854

      SHA256

      c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

      SHA512

      16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

    • C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

      MD5

      22f31f5dee32cb8ac454a216b9226a60

      SHA1

      a716176ff41859483dce502a76dbe5d0f6961854

      SHA256

      c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

      SHA512

      16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

    • C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe

      MD5

      4868ef1ed1eeccf63f09c2407c438b2f

      SHA1

      f40fb4d4506bf9f155e1cc1b0990c65435137a86

      SHA256

      cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010

      SHA512

      2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

    • C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

      MD5

      77726cbf962c895ed94737fb5d1999cd

      SHA1

      f69fea46fd0bed8b452cac3923664bca749e78c3

      SHA256

      f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

      SHA512

      51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

    • \ProgramData\97fd00311d\bween.exe

      MD5

      77726cbf962c895ed94737fb5d1999cd

      SHA1

      f69fea46fd0bed8b452cac3923664bca749e78c3

      SHA256

      f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

      SHA512

      51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

    • \Users\Admin\AppData\Local\Temp\nsd389F.tmp\System.dll

      MD5

      0063d48afe5a0cdc02833145667b6641

      SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

      SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

      SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • \Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

      MD5

      22f31f5dee32cb8ac454a216b9226a60

      SHA1

      a716176ff41859483dce502a76dbe5d0f6961854

      SHA256

      c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

      SHA512

      16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

    • \Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

      MD5

      22f31f5dee32cb8ac454a216b9226a60

      SHA1

      a716176ff41859483dce502a76dbe5d0f6961854

      SHA256

      c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

      SHA512

      16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

    • \Users\Admin\AppData\Roaming\Software\Bid_19.exe

      MD5

      4868ef1ed1eeccf63f09c2407c438b2f

      SHA1

      f40fb4d4506bf9f155e1cc1b0990c65435137a86

      SHA256

      cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010

      SHA512

      2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

    • \Users\Admin\AppData\Roaming\Software\Permit_17.exe

      MD5

      77726cbf962c895ed94737fb5d1999cd

      SHA1

      f69fea46fd0bed8b452cac3923664bca749e78c3

      SHA256

      f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

      SHA512

      51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

    • memory/860-76-0x0000000000D40000-0x0000000000D41000-memory.dmp

      Filesize

      4KB

    • memory/860-73-0x00000000001C0000-0x0000000000B5B000-memory.dmp

      Filesize

      9.6MB

    • memory/860-81-0x0000000000D30000-0x0000000000D31000-memory.dmp

      Filesize

      4KB

    • memory/860-79-0x0000000000D80000-0x0000000000D81000-memory.dmp

      Filesize

      4KB

    • memory/860-77-0x0000000000D70000-0x0000000000D71000-memory.dmp

      Filesize

      4KB

    • memory/860-82-0x0000000000D00000-0x0000000000D01000-memory.dmp

      Filesize

      4KB

    • memory/860-83-0x0000000000D90000-0x0000000000D91000-memory.dmp

      Filesize

      4KB

    • memory/860-84-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

      Filesize

      4KB

    • memory/860-66-0x0000000076F30000-0x00000000770B0000-memory.dmp

      Filesize

      1.5MB

    • memory/860-80-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

      Filesize

      4KB

    • memory/864-128-0x0000000000B30000-0x0000000000B31000-memory.dmp

      Filesize

      4KB

    • memory/864-130-0x00000000004A0000-0x00000000004A1000-memory.dmp

      Filesize

      4KB

    • memory/864-131-0x0000000000B10000-0x0000000000B11000-memory.dmp

      Filesize

      4KB

    • memory/864-126-0x0000000000CB0000-0x000000000164B000-memory.dmp

      Filesize

      9.6MB

    • memory/864-127-0x0000000000B20000-0x0000000000B21000-memory.dmp

      Filesize

      4KB

    • memory/864-133-0x0000000000B50000-0x0000000000B51000-memory.dmp

      Filesize

      4KB

    • memory/864-135-0x00000000004B0000-0x00000000004B1000-memory.dmp

      Filesize

      4KB

    • memory/864-129-0x0000000000B40000-0x0000000000B41000-memory.dmp

      Filesize

      4KB

    • memory/864-134-0x0000000000B80000-0x0000000000B81000-memory.dmp

      Filesize

      4KB

    • memory/864-132-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

      Filesize

      4KB

    • memory/1248-96-0x0000000000480000-0x0000000000481000-memory.dmp

      Filesize

      4KB

    • memory/1248-91-0x00000000003B0000-0x00000000003B1000-memory.dmp

      Filesize

      4KB

    • memory/1248-70-0x0000000076F30000-0x00000000770B0000-memory.dmp

      Filesize

      1.5MB

    • memory/1248-94-0x0000000000380000-0x0000000000381000-memory.dmp

      Filesize

      4KB

    • memory/1248-93-0x0000000000390000-0x0000000000391000-memory.dmp

      Filesize

      4KB

    • memory/1248-75-0x0000000000370000-0x0000000000371000-memory.dmp

      Filesize

      4KB

    • memory/1248-74-0x0000000000E10000-0x0000000001495000-memory.dmp

      Filesize

      6.5MB

    • memory/1248-85-0x00000000003A0000-0x00000000003A1000-memory.dmp

      Filesize

      4KB

    • memory/1248-86-0x00000000003E0000-0x00000000003E1000-memory.dmp

      Filesize

      4KB

    • memory/1248-87-0x00000000003D0000-0x00000000003D1000-memory.dmp

      Filesize

      4KB

    • memory/1248-95-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/1248-88-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

    • memory/1248-92-0x0000000000470000-0x0000000000471000-memory.dmp

      Filesize

      4KB

    • memory/1248-89-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

    • memory/1248-90-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

    • memory/1392-107-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

      Filesize

      4KB

    • memory/1392-108-0x0000000000120000-0x00000000007B4000-memory.dmp

      Filesize

      6.6MB

    • memory/1392-102-0x0000000000B60000-0x0000000000B61000-memory.dmp

      Filesize

      4KB

    • memory/1392-103-0x0000000000B50000-0x0000000000B51000-memory.dmp

      Filesize

      4KB

    • memory/1392-105-0x0000000000B70000-0x0000000000B71000-memory.dmp

      Filesize

      4KB

    • memory/1392-104-0x0000000000B80000-0x0000000000B81000-memory.dmp

      Filesize

      4KB

    • memory/1392-106-0x0000000000B90000-0x0000000000B91000-memory.dmp

      Filesize

      4KB

    • memory/1560-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

      Filesize

      8KB

    • memory/1988-120-0x0000000000990000-0x0000000000991000-memory.dmp

      Filesize

      4KB

    • memory/1988-122-0x0000000000910000-0x0000000000911000-memory.dmp

      Filesize

      4KB

    • memory/1988-124-0x00000000009A0000-0x00000000009A1000-memory.dmp

      Filesize

      4KB

    • memory/1988-125-0x00000000009B0000-0x00000000009B1000-memory.dmp

      Filesize

      4KB

    • memory/1988-114-0x0000000000970000-0x0000000000971000-memory.dmp

      Filesize

      4KB

    • memory/1988-113-0x0000000000940000-0x0000000000941000-memory.dmp

      Filesize

      4KB

    • memory/1988-112-0x0000000000270000-0x00000000008F5000-memory.dmp

      Filesize

      6.5MB

    • memory/1988-123-0x0000000000900000-0x0000000000901000-memory.dmp

      Filesize

      4KB

    • memory/1988-121-0x0000000000920000-0x0000000000921000-memory.dmp

      Filesize

      4KB

    • memory/1988-115-0x0000000000250000-0x0000000000251000-memory.dmp

      Filesize

      4KB

    • memory/1988-119-0x0000000000950000-0x0000000000951000-memory.dmp

      Filesize

      4KB

    • memory/1988-118-0x0000000000260000-0x0000000000261000-memory.dmp

      Filesize

      4KB

    • memory/1988-117-0x0000000000240000-0x0000000000241000-memory.dmp

      Filesize

      4KB

    • memory/1988-116-0x0000000000960000-0x0000000000961000-memory.dmp

      Filesize

      4KB
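The Downloads list above repeats the same binaries under several names: bween.exe carries the same hashes as Permit_17.exe, and RealtekSb.exe the same as Arch_40.exe, so the ProgramData and "Realtek Sound Blaster" copies are self-copies rather than new payloads, and the file named 152123293896284064185017 has the digests of empty input. The Python below is an added example, not part of the sandbox report: it parses the list in the layout this page uses (a bullet line with the path, then label and digest lines), collapses duplicate rows, groups paths by SHA256 so that renamed copies become visible, and recognises the empty file by computing the digest rather than hard-coding it. The excerpt is constructed from values printed on the page, with SHA1/SHA512 omitted for brevity.

```python
import hashlib

HASH_LABELS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # digest of zero bytes

# Constructed excerpt of the report's Downloads section (values from the page,
# SHA1/SHA512 left out). Bid_19.exe is listed twice on purpose to show
# duplicate-row handling; the memory dump entry shows a non-file row.
REPORT_EXCERPT = r"""
• C:\ProgramData\152123293896284064185017
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
• C:\ProgramData\97fd00311d\bween.exe
MD5
77726cbf962c895ed94737fb5d1999cd
SHA256
f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
• C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
MD5
77726cbf962c895ed94737fb5d1999cd
SHA256
f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
• C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
MD5
22f31f5dee32cb8ac454a216b9226a60
SHA256
c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
• \Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
MD5
22f31f5dee32cb8ac454a216b9226a60
SHA256
c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
• C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
MD5
4868ef1ed1eeccf63f09c2407c438b2f
SHA256
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
• C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
MD5
4868ef1ed1eeccf63f09c2407c438b2f
SHA256
cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
• memory/860-73-0x00000000001C0000-0x0000000000B5B000-memory.dmp
Filesize
9.6MB
"""


def parse_downloads(text):
    """Turn the bullet/label/digest layout into a list of {"path", "MD5", "SHA256", ...} dicts."""
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                 # new entry: the path
            current = {"path": line[1:].strip()}
            entries.append(current)
            pending = None
        elif current is None:
            continue
        elif line in HASH_LABELS or line == "Filesize":
            pending = line                        # next line is this label's value
        elif pending in HASH_LABELS:
            digest = line.lower()
            if len(digest) == HASH_LABELS[pending] and all(c in "0123456789abcdef" for c in digest):
                current[pending] = digest         # keep only well-formed hex digests
            pending = None
        else:
            pending = None                        # e.g. a Filesize value
    return entries


def group_by_sha256(entries):
    """Group file paths by SHA256; duplicate rows collapse, memory dumps are skipped."""
    groups = {}
    for e in entries:
        if e["path"].startswith("memory/") or "SHA256" not in e:
            continue
        g = groups.setdefault(e["SHA256"], {
            "md5": e.get("MD5"), "paths": [], "empty_file": e["SHA256"] == EMPTY_SHA256})
        if e["path"] not in g["paths"]:
            g["paths"].append(e["path"])
    return groups


def self_copies(groups):
    """SHA256 values seen under more than one path: one binary, several names."""
    return {sha: g["paths"] for sha, g in groups.items() if len(g["paths"]) > 1}


if __name__ == "__main__":
    groups = group_by_sha256(parse_downloads(REPORT_EXCERPT))
    for sha, paths in self_copies(groups).items():
        print(sha[:12], "->", paths)
    print("empty files:", [g["paths"] for g in groups.values() if g["empty_file"]])
```

Hunting on the SHA256 values rather than on the dropped file names is the practical consequence: the directory name 97fd00311d and names such as RealtekSb.exe are per-sample, while the digests identify the same binaries wherever they land.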