4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a

General

Target

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
Size

321KB
MD5

725c0e3e4df4553964341d39616c32f6
SHA1

88416e7a4915a8792daffa5f8c62c9d0d6a548a9
SHA256

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a
SHA512

ba0383dcfea734db1248c1fe444f7bbcdca2c51a57377157c46fcf0729a5b63522d09ed37ef2baa2c58c73e6ecc07c0eb47a9c9e6eff24d245328dca9aadbb31
SSDEEP

6144:zT+FQojd7mZswMHScIOq1G/P+RnC2CkErfoL:GFhjhycBqw+RC2gcL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

amydi.exe

pid process

964 amydi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

468 cmd.exe

pid	process
468	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe

pid	process
1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

amydi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	amydi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Biocl\\amydi.exe"	amydi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe

description pid process target process

PID 1956 set thread context of 468 1956 4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe cmd.exe

description	pid	process	target process
PID 1956 set thread context of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

amydi.exe

pid	process
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe
964	amydi.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exeamydi.exe

pid process

1956 4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
964 amydi.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exeamydi.exe

description	pid	process	target process
PID 1956 wrote to memory of 964	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	amydi.exe
PID 1956 wrote to memory of 964	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	amydi.exe
PID 1956 wrote to memory of 964	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	amydi.exe
PID 1956 wrote to memory of 964	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	amydi.exe
PID 964 wrote to memory of 1120	964	amydi.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	amydi.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	amydi.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	amydi.exe	taskhost.exe
PID 964 wrote to memory of 1120	964	amydi.exe	taskhost.exe
PID 964 wrote to memory of 1176	964	amydi.exe	Dwm.exe
PID 964 wrote to memory of 1176	964	amydi.exe	Dwm.exe
PID 964 wrote to memory of 1176	964	amydi.exe	Dwm.exe
PID 964 wrote to memory of 1176	964	amydi.exe	Dwm.exe
PID 964 wrote to memory of 1176	964	amydi.exe	Dwm.exe
PID 964 wrote to memory of 1204	964	amydi.exe	Explorer.EXE
PID 964 wrote to memory of 1204	964	amydi.exe	Explorer.EXE
PID 964 wrote to memory of 1204	964	amydi.exe	Explorer.EXE
PID 964 wrote to memory of 1204	964	amydi.exe	Explorer.EXE
PID 964 wrote to memory of 1204	964	amydi.exe	Explorer.EXE
PID 964 wrote to memory of 1956	964	amydi.exe	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
PID 964 wrote to memory of 1956	964	amydi.exe	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
PID 964 wrote to memory of 1956	964	amydi.exe	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
PID 964 wrote to memory of 1956	964	amydi.exe	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
PID 964 wrote to memory of 1956	964	amydi.exe	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 1956 wrote to memory of 468	1956	4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe	cmd.exe
PID 964 wrote to memory of 1676	964	amydi.exe	DllHost.exe
PID 964 wrote to memory of 1676	964	amydi.exe	DllHost.exe
PID 964 wrote to memory of 1676	964	amydi.exe	DllHost.exe
PID 964 wrote to memory of 1676	964	amydi.exe	DllHost.exe
PID 964 wrote to memory of 1676	964	amydi.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe
"C:\Users\Admin\AppData\Local\Temp\4a62e3cc02c3a93dde3d3e16ad0d21761397a540a517a8e890f2980a9e2b192a.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Roaming\Biocl\amydi.exe
"C:\Users\Admin\AppData\Roaming\Biocl\amydi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp0a4e76f8.bat"
3⤵
- Deletes itself
PID:468

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp0a4e76f8.bat
Filesize
307B

MD5
681de36be5be9a2e6f2bd8d9305f2200

SHA1
999552dfea974f1f3002691261add4dcb1539033

SHA256
31c905b4d6a10be6c6f91940d4c2829960d7cebb2c1de8022581280c44aaa810

SHA512
54e916c4931ea0e26ac0668b5d8120ae29df341f69d0efc4ffed9552b99a9b9fc424170006b7b7e5696b8c8d76ac3bad10d2ef8d21e52404532d5c5c8b3e7c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Biocl\amydi.exe
Filesize
321KB

MD5
6ab38a14e572dee8740a19dba0ac9bd7

SHA1
fd18939b18229b534392070b324e0c3c7e270286

SHA256
4547a731b792c2aa29afd51f6b7b8bea6c2223516861500b1c6ea8422cf0f553

SHA512
cd2dfe7b7e00b9919013a5386aec5afc38b49769ba8b5aadd1842d0dfc1b5edc6b2d902420ac09a0926984f853cc60fbc875b76d79d7b1ad3c1be1dce564dc07

Download Submit
C:\Users\Admin\AppData\Roaming\Biocl\amydi.exe
Filesize
321KB

MD5
6ab38a14e572dee8740a19dba0ac9bd7

SHA1
fd18939b18229b534392070b324e0c3c7e270286

SHA256
4547a731b792c2aa29afd51f6b7b8bea6c2223516861500b1c6ea8422cf0f553

SHA512
cd2dfe7b7e00b9919013a5386aec5afc38b49769ba8b5aadd1842d0dfc1b5edc6b2d902420ac09a0926984f853cc60fbc875b76d79d7b1ad3c1be1dce564dc07

Download Submit
\Users\Admin\AppData\Roaming\Biocl\amydi.exe
Filesize
321KB

MD5
6ab38a14e572dee8740a19dba0ac9bd7

SHA1
fd18939b18229b534392070b324e0c3c7e270286

SHA256
4547a731b792c2aa29afd51f6b7b8bea6c2223516861500b1c6ea8422cf0f553

SHA512
cd2dfe7b7e00b9919013a5386aec5afc38b49769ba8b5aadd1842d0dfc1b5edc6b2d902420ac09a0926984f853cc60fbc875b76d79d7b1ad3c1be1dce564dc07

Download Submit
\Users\Admin\AppData\Roaming\Biocl\amydi.exe
Filesize
321KB

MD5
6ab38a14e572dee8740a19dba0ac9bd7

SHA1
fd18939b18229b534392070b324e0c3c7e270286

SHA256
4547a731b792c2aa29afd51f6b7b8bea6c2223516861500b1c6ea8422cf0f553

SHA512
cd2dfe7b7e00b9919013a5386aec5afc38b49769ba8b5aadd1842d0dfc1b5edc6b2d902420ac09a0926984f853cc60fbc875b76d79d7b1ad3c1be1dce564dc07

Download Submit
memory/468-101-0x00000000000E71E6-mapping.dmp

Download
memory/468-100-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/468-107-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/468-99-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/468-98-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/468-96-0x00000000000D0000-0x0000000000114000-memory.dmp

Filesize
272KB

Download
memory/964-61-0x0000000000000000-mapping.dmp

Download
memory/964-90-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/964-92-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/964-91-0x00000000002D0000-0x0000000000326000-memory.dmp

Filesize
344KB

Download
memory/1120-67-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/1120-65-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/1120-68-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/1120-69-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/1120-70-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/1176-73-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1176-75-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1176-76-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1176-74-0x0000000001B50000-0x0000000001B94000-memory.dmp

Filesize
272KB

Download
memory/1204-80-0x0000000002950000-0x0000000002994000-memory.dmp

Filesize
272KB

Download
memory/1204-82-0x0000000002950000-0x0000000002994000-memory.dmp

Filesize
272KB

Download
memory/1204-81-0x0000000002950000-0x0000000002994000-memory.dmp

Filesize
272KB

Download
memory/1204-79-0x0000000002950000-0x0000000002994000-memory.dmp

Filesize
272KB

Download
memory/1676-112-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/1676-111-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/1676-110-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/1676-113-0x00000000000F0000-0x0000000000134000-memory.dmp

Filesize
272KB

Download
memory/1956-85-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/1956-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1956-93-0x0000000000510000-0x0000000000566000-memory.dmp

Filesize
344KB

Download
memory/1956-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-58-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-102-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/1956-103-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1956-104-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/1956-56-0x00000000003A0000-0x00000000003F6000-memory.dmp

Filesize
344KB

Download
memory/1956-55-0x0000000000280000-0x00000000002C4000-memory.dmp

Filesize
272KB

Download
memory/1956-89-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1956-88-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/1956-87-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/1956-86-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads