Analysis
- max time kernel: 310s
- max time network: 344s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 06:55
Behavioral task: behavioral1
- Sample: spicis4.amdy.exe
- Resource: win7-20220812-en
General
- Target: spicis4.amdy.exe
- Size: 2.8MB
- MD5: 26fa97abd73e1517729549b2b27d03a2
- SHA1: f74d14de09519cc6a8f77d867bcc20a554fabe89
- SHA256: af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc
- SHA512: d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a
- SSDEEP: 49152:6skDShXlT0EeNYaDbp9CN/BRh0MvaBtb6iOPXk3:VXXd0Epanp9IBRPv2tSk
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 77.73.134.68/hfk3vK9/index.php
Signatures

Detect Amadey credential stealer module (2 IoCs)
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll: amadey_cred_module
- C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll: amadey_cred_module
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 7 IoCs)
Processes: spicis4.amdy.exe, gntuud.exe
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by spicis4.amdy.exe (1 occurrence)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by gntuud.exe (6 occurrences)
Blocklisted process makes network request (1 IoC)
Processes:
- flow 28, PID 3624, rundll32.exe
Downloads MZ/PE file
Executes dropped EXE (6 IoCs)
Processes:
- PID 2324 gntuud.exe
- PID 1924 gntuud.exe
- PID 3704 gntuud.exe
- PID 4948 gntuud.exe
- PID 1252 gntuud.exe
- PID 3204 gntuud.exe
Checks BIOS information in registry (2 TTPs, 14 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: spicis4.amdy.exe, gntuud.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by spicis4.amdy.exe (1 occurrence) and gntuud.exe (6 occurrences)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by spicis4.amdy.exe (1 occurrence) and gntuud.exe (6 occurrences)
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: spicis4.amdy.exe, gntuud.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by spicis4.amdy.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by gntuud.exe
Loads dropped DLL (1 IoC)
Processes:
- PID 3624 rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

YARA rule themida matches
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe: themida (7 matches)
- behavioral2/memory/4408-{132,133,134,138}-0x0000000000A70000-0x0000000000D3D000-memory.dmp: themida
- behavioral2/memory/2324-{139,140,141,147}-0x0000000000710000-0x00000000009DD000-memory.dmp: themida
- behavioral2/memory/1924-{144,145,146}-0x0000000000710000-0x00000000009DD000-memory.dmp: themida
- behavioral2/memory/3704-{152,153,154}-0x0000000000710000-0x00000000009DD000-memory.dmp: themida
- behavioral2/memory/4948-{156,157,158,159}-0x0000000000710000-0x00000000009DD000-memory.dmp: themida
- behavioral2/memory/1252-{161,162,163}-0x0000000000710000-0x00000000009DD000-memory.dmp: themida
- behavioral2/memory/3204-{165,166,167}-0x0000000000710000-0x00000000009DD000-memory.dmp: themida
Accesses Microsoft Outlook profiles (1 TTPs, 1 IoC)
Processes: rundll32.exe
- Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
Checks whether UAC is enabled (7 IoCs)
Processes: gntuud.exe, spicis4.amdy.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by gntuud.exe (6 occurrences) and spicis4.amdy.exe (1 occurrence)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 3624 rundll32.exe (4 occurrences)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: spicis4.amdy.exe, gntuud.exe
- PID 4408 spicis4.amdy.exe wrote to memory of PID 2324 gntuud.exe (3 occurrences)
- PID 2324 gntuud.exe wrote to memory of PID 1976 schtasks.exe (3 occurrences)
- PID 2324 gntuud.exe wrote to memory of PID 3624 rundll32.exe (3 occurrences)
outlook_win_path (1 IoC)
Processes: rundll32.exe
- Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
Processes

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\spicis4.amdy.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\spicis4.amdy.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory

    Process (depth 2): C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory

        Process (depth 3): C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe" /F
        - Creates scheduled task(s)

        Process (depth 3): C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - outlook_win_path

Process (depth 1): C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
Command line: C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
(This top-level gntuud.exe entry is listed five times in the report, each instance with the same command line and the same four signatures.)
Downloads

C:\Users\Admin\AppData\Local\Temp\6a413678cd\gntuud.exe
- Filesize: 2.8MB
- MD5: 26fa97abd73e1517729549b2b27d03a2
- SHA1: f74d14de09519cc6a8f77d867bcc20a554fabe89
- SHA256: af61909e749fd00fd83ae0da3caf6099ea2f7dda0a55a5e254614ad7b33bd6dc
- SHA512: d16bef506d05484e146298212e9ccbc7991a78a6926388afcedff26e22659f69a978a0ffdd60660b3998a617b73ba418847050ae68fbc7cc68439988509b8c6a
The size and all four hashes are identical to those of the submitted sample spicis4.amdy.exe, so the dropped file is a straight copy of the sample.
C:\Users\Admin\AppData\Roaming\caf045170b494e\cred64.dll
- Filesize: 126KB
- MD5: 45de67357d1bbf74eb306173dba0a950
- SHA1: d255f695f2a3f4aacbc8208af65cfc3037ce2c7b
- SHA256: 8b20dc4b46361e6d7f9a361de99dc67216ddb00cb67b41284b108d8232fc2e92
- SHA512: 7a79cfa1b50d1f5771c58837376d8d7d105234f38e68645a0d3ef79329d418be54cae22d6f789b503eab40f5482082b51b4d5a7e3dfafd3838844e7342624b23