Analysis
- max time kernel: 157s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2022 23:11
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 250KB
- MD5: 3e1ed65a2ffdef2d6741e0559c091a69
- SHA1: da45a29ede30ea2e821347d7d9856959bcfb2add
- SHA256: fe59a0a9daea97b1b399f4fed30db13c9abfc8ac226d0b6c5bb7cdcf887108bf
- SHA512: 20d706340766c6cc5f25db4cf56b652dd1f0316eef83428f226dd013ed9718ef9628d683760e52bf68ba45d4b0693ece6b3a9476ac7c4ac43e5d1cd2514afe81
- SSDEEP: 3072:eZb/qzmavZGuIJ5ZSRaxzwETtb2aWgPWO5+SH+DfbshB5V81eDuxxaNBRvdaRs9T:e4vZGu3RSTgqJ5D80BEki4RvdXvpEA
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 31.41.244.167/v7eWcjs/index.php
Signatures
- Detect Amadey credential stealer module (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll | amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid | process
  69 | 4288 | rundll32.exe
- Executes dropped EXE (3 IoCs)
  Processes: gntuud.exe, gntuud.exe, gntuud.exe
  pid | process
  2560 | gntuud.exe
  4300 | gntuud.exe
  4976 | gntuud.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: file.exe, gntuud.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | file.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | gntuud.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid | process
  4288 | rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe
  pid | process
  4288 | rundll32.exe
  4288 | rundll32.exe
  4288 | rundll32.exe
  4288 | rundll32.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: file.exe, gntuud.exe
  description | pid | process | target process
  PID 620 wrote to memory of 2560 | 620 | file.exe | gntuud.exe
  PID 620 wrote to memory of 2560 | 620 | file.exe | gntuud.exe
  PID 620 wrote to memory of 2560 | 620 | file.exe | gntuud.exe
  PID 2560 wrote to memory of 628 | 2560 | gntuud.exe | schtasks.exe
  PID 2560 wrote to memory of 628 | 2560 | gntuud.exe | schtasks.exe
  PID 2560 wrote to memory of 628 | 2560 | gntuud.exe | schtasks.exe
  PID 2560 wrote to memory of 4288 | 2560 | gntuud.exe | rundll32.exe
  PID 2560 wrote to memory of 4288 | 2560 | gntuud.exe | rundll32.exe
  PID 2560 wrote to memory of 4288 | 2560 | gntuud.exe | rundll32.exe
- outlook_win_path (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Filesize: 250KB
  MD5: 3e1ed65a2ffdef2d6741e0559c091a69
  SHA1: da45a29ede30ea2e821347d7d9856959bcfb2add
  SHA256: fe59a0a9daea97b1b399f4fed30db13c9abfc8ac226d0b6c5bb7cdcf887108bf
  SHA512: 20d706340766c6cc5f25db4cf56b652dd1f0316eef83428f226dd013ed9718ef9628d683760e52bf68ba45d4b0693ece6b3a9476ac7c4ac43e5d1cd2514afe81
- C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
  Filesize: 126KB
  MD5: aebf8cd9ea982decded5ee6f3777c6d7
  SHA1: 406e723158cd5697503d1d04839d3bc7a5051603
  SHA256: 104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
  SHA512: f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
- memory/620-139-0x00000000006E0000-0x000000000071E000-memory.dmp (Filesize: 248KB)
- memory/620-140-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/620-137-0x00000000007E9000-0x0000000000808000-memory.dmp (Filesize: 124KB)
- memory/620-134-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/620-132-0x00000000007E9000-0x0000000000808000-memory.dmp (Filesize: 124KB)
- memory/620-133-0x00000000006E0000-0x000000000071E000-memory.dmp (Filesize: 248KB)
- memory/628-143-0x0000000000000000-mapping.dmp
- memory/2560-142-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/2560-144-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/2560-141-0x0000000000618000-0x0000000000637000-memory.dmp (Filesize: 124KB)
- memory/2560-135-0x0000000000000000-mapping.dmp
- memory/4288-148-0x0000000000000000-mapping.dmp
- memory/4300-146-0x00000000005FC000-0x000000000061B000-memory.dmp (Filesize: 124KB)
- memory/4300-147-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/4976-152-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)