Analysis
max time kernel: 172s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 22:45
Static task: static1
Behavioral task: behavioral1
Sample: 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
Resource: win10v2004-20221111-en
General
Target: 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
Size: 237KB
MD5: 0460990761ea0b12df9d8133fb116bd7
SHA1: 16d234e218b4d7963e94d5a8c1b6b273fc538f19
SHA256: 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e
SHA512: 0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32
SSDEEP: 3072:rEW2zikDTjDqowd5u/NGVQUYocEKc0YTdfPOB4aHHQG70W8BVvFCEu:UDTjDR5Ub1Rm4IB7cBVNCE
Malware Config
Extracted: amadey
Version: 3.50
C2: 31.41.244.17/hfk3vK9/index.php
Extracted: laplas
C2: clipper.guru
api_key: ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
Signatures
- Detect Amadey credential stealer module (4 IoCs)
  resource / yara_rule:
  - C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll / amadey_cred_module
  - behavioral1/memory/1172-174-0x00000000003B0000-0x00000000003D4000-memory.dmp / amadey_cred_module
  - C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll / amadey_cred_module
  - C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll / amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  flow / pid / process:
  - 73 / 1172 / rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  pid / process:
  - 4988 / gntuud.exe
  - 4744 / linda5.exe
  - 2204 / gntuud.exe
  - 3112 / anon.exe
  - 2496 / gala.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description / ioc / process:
  - Key value queried / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation / 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
  - Key value queried / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation / gntuud.exe
  - Key value queried / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation / linda5.exe
- Loads dropped DLL (3 IoCs)
  pid / process:
  - 628 / msiexec.exe
  - 1172 / rundll32.exe
  - 1172 / rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description / ioc / process:
  - Key opened / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / process:
  - Set value (str) / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003001\\linda5.exe" / gntuud.exe
  - Set value (str) / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\anon.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\anon.exe" / gntuud.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  pid / pid_target / process / target process:
  - 4992 / 220 / WerFault.exe / 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
  - 1508 / 2204 / WerFault.exe / gntuud.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process:
  - 1172 / rundll32.exe
  - 1172 / rundll32.exe
  - 1172 / rundll32.exe
  - 1172 / rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  - Token: SeDebugPrivilege / 3112 / anon.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / process / target process:
  - PID 220 wrote to memory of 4988 / 220 / 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe / gntuud.exe
  - PID 220 wrote to memory of 4988 / 220 / 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe / gntuud.exe
  - PID 220 wrote to memory of 4988 / 220 / 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe / gntuud.exe
  - PID 4988 wrote to memory of 1736 / 4988 / gntuud.exe / schtasks.exe
  - PID 4988 wrote to memory of 1736 / 4988 / gntuud.exe / schtasks.exe
  - PID 4988 wrote to memory of 1736 / 4988 / gntuud.exe / schtasks.exe
  - PID 4988 wrote to memory of 4744 / 4988 / gntuud.exe / linda5.exe
  - PID 4988 wrote to memory of 4744 / 4988 / gntuud.exe / linda5.exe
  - PID 4988 wrote to memory of 4744 / 4988 / gntuud.exe / linda5.exe
  - PID 4744 wrote to memory of 628 / 4744 / linda5.exe / msiexec.exe
  - PID 4744 wrote to memory of 628 / 4744 / linda5.exe / msiexec.exe
  - PID 4744 wrote to memory of 628 / 4744 / linda5.exe / msiexec.exe
  - PID 4988 wrote to memory of 3112 / 4988 / gntuud.exe / anon.exe
  - PID 4988 wrote to memory of 3112 / 4988 / gntuud.exe / anon.exe
  - PID 4988 wrote to memory of 3112 / 4988 / gntuud.exe / anon.exe
  - PID 4988 wrote to memory of 2496 / 4988 / gntuud.exe / gala.exe
  - PID 4988 wrote to memory of 2496 / 4988 / gntuud.exe / gala.exe
  - PID 4988 wrote to memory of 2496 / 4988 / gntuud.exe / gala.exe
  - PID 4988 wrote to memory of 1172 / 4988 / gntuud.exe / rundll32.exe
  - PID 4988 wrote to memory of 1172 / 4988 / gntuud.exe / rundll32.exe
  - PID 4988 wrote to memory of 1172 / 4988 / gntuud.exe / rundll32.exe
- outlook_win_path (1 IoC)
  description / ioc / process:
  - Key opened / \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe"
      Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\System32\msiexec.exe" /Y .\v9LqYzU.ErU
        Signatures: Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe"
      Signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 1268
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 220 -ip 220
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 416
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2204 -ip 2204
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000003001\linda5.exe
  Filesize: 1.5MB
  MD5: 562e87edfeb432072d23de64daf26acf
  SHA1: 2916ae2a49851459c82ae95e656c49d16688eac1
  SHA256: b0fef5290f1a17feba7db3c5abff05207ac838b40380461c2c84eefe6ba1a70d
  SHA512: e9ac55ec0654db57984bddaa0d72cf17bc506e788dfee71f4b11c77e1d56135c946d1cbf201c0de4c2ae070ba87172ed4caa914a7be7cbc07279c729bd038d4c
- C:\Users\Admin\AppData\Local\Temp\1000004001\gala.exe
  Filesize: 4.6MB
  MD5: f6829a19455a7b24a79e0b984d2a42d9
  SHA1: c71d657301d721b42c52c0252aa5fe0dbfb04f9f
  SHA256: 7dc8f90673b102c2945e36747763ccccd243519500eca01fd1cfdbbfcb61d61b
  SHA512: e3d8db3d3938366e9fe8c1645647dbf29bfb5c9a6210f54bdfca05b9782f005b9b40df2a7980f160143c48139a638c5a4ff6b091d0d846a839d363eba94bce4c
- C:\Users\Admin\AppData\Local\Temp\1000005001\anon.exe
  Filesize: 297KB
  MD5: 3091f1775af3bb34121b2caddb4eb353
  SHA1: 1661bf18cf8d266b2c3f1ac50c282dc945e568c8
  SHA256: 2282a4fcfa986d6781501636dfd04375c471e05fdfcb65732b088211bd9fff72
  SHA512: 70f1406e446944459f8488db52e7589d399cfb65460028f89a7ad58d1ddc93d68ffdb942f929c1674df26adaf6478caed1c7fef2798ae490b6bfefa7ddb0b348
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Filesize: 237KB
  MD5: 0460990761ea0b12df9d8133fb116bd7
  SHA1: 16d234e218b4d7963e94d5a8c1b6b273fc538f19
  SHA256: 8d436a881302c1767ef5a1d9573779a2196fb105ad9f3b29439d648c77b08f8e
  SHA512: 0aad95f916b1f07cdd2be965292fee772fd420f111f969823875a4c4952df4f3aa380d00eb53ce67572027464bce139d41deae17656fbecf1b6f04d3db764a32
- C:\Users\Admin\AppData\Local\Temp\v9LqYzU.ErU
  Filesize: 1.8MB
  MD5: fffc278f07ae1be001b80ca8ee0267d2
  SHA1: 04d4b6c7349c9c5b0327fcfc65864d022e4128e6
  SHA256: 8c9042a5904e663a0f2516935ac611af817ad760994055f47fa613b4574babf2
  SHA512: ce39d95b7695641f0a0539cba38c413c5a8cba3d91821f9312a809907c12d7a3ab85a7b6961161f09dba205dcdf49956f3b0c7370ab225643425b3f9d3171b51
- C:\Users\Admin\AppData\Local\Temp\v9LqyzU.ErU
  Filesize: 1.8MB
  MD5: fffc278f07ae1be001b80ca8ee0267d2
  SHA1: 04d4b6c7349c9c5b0327fcfc65864d022e4128e6
  SHA256: 8c9042a5904e663a0f2516935ac611af817ad760994055f47fa613b4574babf2
  SHA512: ce39d95b7695641f0a0539cba38c413c5a8cba3d91821f9312a809907c12d7a3ab85a7b6961161f09dba205dcdf49956f3b0c7370ab225643425b3f9d3171b51
- C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
  Filesize: 126KB
  MD5: adbaf286228c46522e50371c4be31a03
  SHA1: a29d644c4663b2e2b2bd92046ba0df629537c297
  SHA256: d3e9a3365f73a34e2dd9022a318abcc2c55af98bafb2dc302cbb55f5398bb9a0
  SHA512: 74a55cc8d8c3af54e5ba290a34b968918da994ea2d55b5f0d1f39e83cb9a39d73226227933c760b48f2e0bdb646f8243967517ef8202e02d88411d2d19ae217d
- memory/220-133-0x00000000008B0000-0x00000000008EE000-memory.dmp (248KB)
- memory/220-134-0x0000000000400000-0x000000000071D000-memory.dmp (3.1MB)
- memory/220-132-0x000000000098E000-0x00000000009AD000-memory.dmp (124KB)
- memory/220-142-0x0000000000400000-0x000000000071D000-memory.dmp (3.1MB)
- memory/220-141-0x000000000098E000-0x00000000009AD000-memory.dmp (124KB)
- memory/628-152-0x0000000002EF0000-0x0000000002FEE000-memory.dmp (1016KB)
- memory/628-162-0x0000000002FF0000-0x00000000030B5000-memory.dmp (788KB)
- memory/628-147-0x0000000000000000-mapping.dmp
- memory/628-168-0x0000000002EF0000-0x0000000002FEE000-memory.dmp (1016KB)
- memory/628-151-0x0000000002C90000-0x0000000002DE9000-memory.dmp (1.3MB)
- memory/628-163-0x00000000030C0000-0x0000000003171000-memory.dmp (708KB)
- memory/1172-174-0x00000000003B0000-0x00000000003D4000-memory.dmp (144KB)
- memory/1172-170-0x0000000000000000-mapping.dmp
- memory/1736-143-0x0000000000000000-mapping.dmp
- memory/2204-157-0x0000000000400000-0x000000000071D000-memory.dmp (3.1MB)
- memory/2204-156-0x00000000008C0000-0x00000000008DF000-memory.dmp (124KB)
- memory/2496-166-0x0000000000000000-mapping.dmp
- memory/3112-153-0x0000000000000000-mapping.dmp
- memory/3112-159-0x0000000002250000-0x000000000228E000-memory.dmp (248KB)
- memory/3112-158-0x000000000085C000-0x000000000088D000-memory.dmp (196KB)
- memory/3112-160-0x0000000000400000-0x000000000072C000-memory.dmp (3.2MB)
- memory/3112-161-0x000000000085C000-0x000000000088D000-memory.dmp (196KB)
- memory/3112-175-0x0000000005060000-0x0000000005604000-memory.dmp (5.6MB)
- memory/3112-176-0x0000000002A30000-0x0000000002AC2000-memory.dmp (584KB)
- memory/4744-144-0x0000000000000000-mapping.dmp
- memory/4988-140-0x0000000000400000-0x000000000071D000-memory.dmp (3.1MB)
- memory/4988-139-0x0000000002350000-0x000000000238E000-memory.dmp (248KB)
- memory/4988-138-0x00000000009CC000-0x00000000009EB000-memory.dmp (124KB)
- memory/4988-135-0x0000000000000000-mapping.dmp