Analysis
-
max time kernel: 205s
max time network: 218s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 19:15
Static task: static1
Behavioral task: behavioral1
Sample: 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe
Resource: win10v2004-20221111-en
General
-
Target: 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe
Size: 777KB
MD5: 47f9d8570bbbfd172ee66015af682251
SHA1: 2040636052aed433a453ef4c0a1a6a16186e7c90
SHA256: 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3
SHA512: e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c
SSDEEP: 12288:mvCgSiISROTL9SKNqLNXbCFCoekOWUsIOiizzMRK34+NBR:mKViMTLAXhqbYlizz0K3x
Malware Config
-
Extracted
Family: amadey
Version: 3.50
C2: 77.73.134.65/o7VsjdSa2f/index.php
Signatures
-
Detect Amadey credential stealer module (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll | amadey_cred_module
-
Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  94 | 5004 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  3376 | gntuud.exe
  4824 | gntuud.exe
  2376 | gntuud.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | gntuud.exe
-
Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  5004 | rundll32.exe
-
Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  5004 | rundll32.exe
  5004 | rundll32.exe
  5004 | rundll32.exe
  5004 | rundll32.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 2432 wrote to memory of 3376 | 2432 | 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe | gntuud.exe
  PID 2432 wrote to memory of 3376 | 2432 | 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe | gntuud.exe
  PID 2432 wrote to memory of 3376 | 2432 | 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe | gntuud.exe
  PID 3376 wrote to memory of 3964 | 3376 | gntuud.exe | schtasks.exe
  PID 3376 wrote to memory of 3964 | 3376 | gntuud.exe | schtasks.exe
  PID 3376 wrote to memory of 3964 | 3376 | gntuud.exe | schtasks.exe
  PID 3376 wrote to memory of 5004 | 3376 | gntuud.exe | rundll32.exe
  PID 3376 wrote to memory of 5004 | 3376 | gntuud.exe | rundll32.exe
  PID 3376 wrote to memory of 5004 | 3376 | gntuud.exe | rundll32.exe
-
outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe [depth 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe [depth 2]
    Command line: "C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe [depth 3]
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe" /F
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\rundll32.exe [depth 3]
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe [depth 1]
  Command line: C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
  - Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe [depth 1]
  Command line: C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f338f622fb\gntuud.exe
  Filesize: 777KB
  MD5: 47f9d8570bbbfd172ee66015af682251
  SHA1: 2040636052aed433a453ef4c0a1a6a16186e7c90
  SHA256: 2a1ba44054891a211ce5b2e36e91303cfc19c025af1fd8c4534f078cc7b41be3
  SHA512: e65a6f651a46ae69b1b259e34029655503f1c54a2ed0f634495d55d8ed5283be84eda39c5a7e42d73bd41156826079d21917d6116296e70a6627fbb8d6307a9c
  (Hashes match the submitted sample: the dropped gntuud.exe is a copy of the original executable.)
-
C:\Users\Admin\AppData\Roaming\8f80aeaa2e33b8\cred64.dll
  Filesize: 126KB
  MD5: f6d14701e7c568254151e153f7763672
  SHA1: 4501ffb7284f29cca51b06deba0262b8d33f93f6
  SHA256: e246c844a272e80f2819e754e79a394e0fc964ad583ae90110dc38a01100b44d
  SHA512: 62c1d6cbe6531a6b5d2a9fcdddd91cc3971dd81f1f5208e88c02d97d066e1b04665122817acb228894937279c49ac627bdb3c42cb32e130e39201f3108cde8f2
-
memory/2376-146-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB
-
memory/2432-135-0x00000000028B0000-0x000000000290C000-memory.dmp
  Filesize: 368KB
-
memory/2432-136-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB
-
memory/3376-139-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB
-
memory/3376-137-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB
-
memory/3376-132-0x0000000000000000-mapping.dmp
-
memory/3964-138-0x0000000000000000-mapping.dmp
-
memory/4824-144-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB
-
memory/5004-140-0x0000000000000000-mapping.dmp