Analysis

  • max time kernel: 162s
  • max time network: 168s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 06-03-2022 22:12

General

  • Target: a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
  • Size: 11.8MB
  • MD5: 8d3f6ce67a39b911724915ceaef8a2b2
  • SHA1: 741581134935cdc99b33e606a7fba75d77d76b86
  • SHA256: a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d
  • SHA512: e3e2435db8cb784e11f76bbecac691c1f6c6ced861a68c2202e381e7b6860e74a50facffbfb93d89876aa68c4a9f8b9135dcc2e65134e28448eef18fca383776

Malware Config

Extracted

  • Family: amadey
  • Version: 2.06
  • C2: 217.8.117.207/gb2pnjsjcs/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Taurus Stealer

    Taurus is an infostealer first seen in June 2020.

  • Taurus Stealer Payload (1 IoC)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
  • Executes dropped EXE (5 IoCs)
  • Checks BIOS information in registry (2 TTPs, 10 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (1 IoC)
  • Identifies Wine through registry keys (2 TTPs, 5 IoCs)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
    "C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3972
    • C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
      "C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Drops startup file
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2124
      • C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
        "C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:3732
    • C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
      "C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\ProgramData\97fd00311d\bween.exe
        "C:\ProgramData\97fd00311d\bween.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:360
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3180
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
            5⤵
            PID:496
            (Redirects the per-user Startup shell folder to C:\ProgramData\97fd00311d\, where bween.exe was dropped, so its contents are launched at every logon; this is the persistence behind the "Drops startup file" signature.)
      • C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
        "C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe"
        2⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:312

Downloads

  • C:\ProgramData\152179071449815494214911 (zero-length file: these are the hashes of empty input)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\97fd00311d\bween.exe (identical hashes to Permit_17.exe: a copy of it)
    MD5: 77726cbf962c895ed94737fb5d1999cd
    SHA1: f69fea46fd0bed8b452cac3923664bca749e78c3
    SHA256: f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
    SHA512: 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

  • C:\Users\Admin\AppData\Local\Temp\nst5F12.tmp\System.dll (NSIS System plugin, indicating an NSIS-packaged dropper)
    MD5: 0063d48afe5a0cdc02833145667b6641
    SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
    SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
    SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

  • C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
    MD5: 22f31f5dee32cb8ac454a216b9226a60
    SHA1: a716176ff41859483dce502a76dbe5d0f6961854
    SHA256: c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
    SHA512: 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

  • C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe (identical hashes to Arch_40.exe: a copy of it)
    MD5: 22f31f5dee32cb8ac454a216b9226a60
    SHA1: a716176ff41859483dce502a76dbe5d0f6961854
    SHA256: c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
    SHA512: 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

  • C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
    MD5: 4868ef1ed1eeccf63f09c2407c438b2f
    SHA1: f40fb4d4506bf9f155e1cc1b0990c65435137a86
    SHA256: cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
    SHA512: 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

  • C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
    MD5: 77726cbf962c895ed94737fb5d1999cd
    SHA1: f69fea46fd0bed8b452cac3923664bca749e78c3
    SHA256: f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
    SHA512: 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979
