Analysis
- max time kernel: 162s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 06-03-2022 22:12

Static task: static1
Behavioral task: behavioral1
Sample: a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
Resource: win7-en-20211208
General
- Target: a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
- Size: 11.8MB
- MD5: 8d3f6ce67a39b911724915ceaef8a2b2
- SHA1: 741581134935cdc99b33e606a7fba75d77d76b86
- SHA256: a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d
- SHA512: e3e2435db8cb784e11f76bbecac691c1f6c6ced861a68c2202e381e7b6860e74a50facffbfb93d89876aa68c4a9f8b9135dcc2e65134e28448eef18fca383776
Malware Config
Extracted
- Family: amadey
- Version: 2.06
- C2: 217.8.117.207/gb2pnjsjcs/index.php
Signatures

Taurus Stealer Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/312-151-0x00000000007C0000-0x0000000000E54000-memory.dmp | family_taurus_stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Executes dropped EXE (5 IoCs)
  pid  | process
  2124 | Arch_40.exe
  2904 | Permit_17.exe
  312  | Bid_19.exe
  3732 | RealtekSb.exe
  360  | bween.exe

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description       | ioc                                                             | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | Permit_17.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | Bid_19.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bween.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | bween.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Arch_40.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | Arch_40.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Permit_17.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Bid_19.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RealtekSb.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | RealtekSb.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                           | process
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | Permit_17.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation | bween.exe

Drops startup file (1 IoCs)
  description  | ioc                                                                                        | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk | Arch_40.exe

Identifies Wine through registry keys (2 TTPs, 5 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc                                                                         | process
  Key opened  | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine | Arch_40.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine | Permit_17.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine | Bid_19.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine | RealtekSb.exe
  Key opened  | \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine | bween.exe

Loads dropped DLL (1 IoCs)
  pid  | process
  3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
  pid  | process
  2124 | Arch_40.exe
  2904 | Permit_17.exe
  312  | Bid_19.exe
  3732 | RealtekSb.exe
  360  | bween.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid  | process
  3732 | RealtekSb.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid  | process
  2124 | Arch_40.exe
  2124 | Arch_40.exe
  2904 | Permit_17.exe
  2904 | Permit_17.exe
  312  | Bid_19.exe
  312  | Bid_19.exe
  3732 | RealtekSb.exe
  3732 | RealtekSb.exe
  360  | bween.exe
  360  | bween.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  description                      | pid  | process                                                              | target process
  PID 3972 wrote to memory of 2124 | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Arch_40.exe
  PID 3972 wrote to memory of 2124 | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Arch_40.exe
  PID 3972 wrote to memory of 2124 | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Arch_40.exe
  PID 3972 wrote to memory of 2904 | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Permit_17.exe
  PID 3972 wrote to memory of 2904 | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Permit_17.exe
  PID 3972 wrote to memory of 2904 | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Permit_17.exe
  PID 3972 wrote to memory of 312  | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Bid_19.exe
  PID 3972 wrote to memory of 312  | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Bid_19.exe
  PID 3972 wrote to memory of 312  | 3972 | a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe | Bid_19.exe
  PID 2124 wrote to memory of 3732 | 2124 | Arch_40.exe                                                          | RealtekSb.exe
  PID 2124 wrote to memory of 3732 | 2124 | Arch_40.exe                                                          | RealtekSb.exe
  PID 2124 wrote to memory of 3732 | 2124 | Arch_40.exe                                                          | RealtekSb.exe
  PID 2904 wrote to memory of 360  | 2904 | Permit_17.exe                                                        | bween.exe
  PID 2904 wrote to memory of 360  | 2904 | Permit_17.exe                                                        | bween.exe
  PID 2904 wrote to memory of 360  | 2904 | Permit_17.exe                                                        | bween.exe
  PID 360 wrote to memory of 3180  | 360  | bween.exe                                                            | cmd.exe
  PID 360 wrote to memory of 3180  | 360  | bween.exe                                                            | cmd.exe
  PID 360 wrote to memory of 3180  | 360  | bween.exe                                                            | cmd.exe
  PID 3180 wrote to memory of 496  | 3180 | cmd.exe                                                              | reg.exe
  PID 3180 wrote to memory of 496  | 3180 | cmd.exe                                                              | reg.exe
  PID 3180 wrote to memory of 496  | 3180 | cmd.exe                                                              | reg.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"
   PID: 3972
   - Checks computer location settings
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe"
      PID: 2124
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Drops startup file
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"
         PID: 3732
         - Executes dropped EXE
         - Checks BIOS information in registry
         - Identifies Wine through registry keys
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: AddClipboardFormatListener
         - Suspicious behavior: EnumeratesProcesses

   2. C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe"
      PID: 2904
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks computer location settings
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\ProgramData\97fd00311d\bween.exe
         Command line: "C:\ProgramData\97fd00311d\bween.exe"
         PID: 360
         - Executes dropped EXE
         - Checks BIOS information in registry
         - Checks computer location settings
         - Identifies Wine through registry keys
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
            PID: 3180
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\reg.exe
               Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
               PID: 496

   2. C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe"
      PID: 312
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- MD5: 77726cbf962c895ed94737fb5d1999cd
  SHA1: f69fea46fd0bed8b452cac3923664bca749e78c3
  SHA256: f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
  SHA512: 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

- MD5: 77726cbf962c895ed94737fb5d1999cd
  SHA1: f69fea46fd0bed8b452cac3923664bca749e78c3
  SHA256: f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
  SHA512: 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

- MD5: 0063d48afe5a0cdc02833145667b6641
  SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
  SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
  SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

- MD5: 22f31f5dee32cb8ac454a216b9226a60
  SHA1: a716176ff41859483dce502a76dbe5d0f6961854
  SHA256: c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
  SHA512: 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

- MD5: 22f31f5dee32cb8ac454a216b9226a60
  SHA1: a716176ff41859483dce502a76dbe5d0f6961854
  SHA256: c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
  SHA512: 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

- MD5: 22f31f5dee32cb8ac454a216b9226a60
  SHA1: a716176ff41859483dce502a76dbe5d0f6961854
  SHA256: c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
  SHA512: 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

- MD5: 22f31f5dee32cb8ac454a216b9226a60
  SHA1: a716176ff41859483dce502a76dbe5d0f6961854
  SHA256: c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
  SHA512: 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

- MD5: 4868ef1ed1eeccf63f09c2407c438b2f
  SHA1: f40fb4d4506bf9f155e1cc1b0990c65435137a86
  SHA256: cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
  SHA512: 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

- MD5: 4868ef1ed1eeccf63f09c2407c438b2f
  SHA1: f40fb4d4506bf9f155e1cc1b0990c65435137a86
  SHA256: cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
  SHA512: 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

- MD5: 77726cbf962c895ed94737fb5d1999cd
  SHA1: f69fea46fd0bed8b452cac3923664bca749e78c3
  SHA256: f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
  SHA512: 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

- MD5: 77726cbf962c895ed94737fb5d1999cd
  SHA1: f69fea46fd0bed8b452cac3923664bca749e78c3
  SHA256: f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
  SHA512: 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979