Analysis

max time kernel: 184s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 10:52 (5 December 2022; the analysis image itself is dated 2022-11-11)
Static task: static1
Behavioral task behavioral1: sample file.exe, resource win7-20221111-en
Behavioral task behavioral2: sample file.exe, resource win10v2004-20221111-en (the run reported on this page)
General

Target: file.exe
Size: 260KB
MD5: cc0625d0a816c1e97a8ee955bb2c0d54
SHA1: 034096104494e5d85088e086c5d26901a3b13451
SHA256: 5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70
SHA512: 9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130
SSDEEP: 3072:Epj/dI4OwMl+Ui5jA68sgHoSw8ULsjlF33079UQ1mRcN8k8+zq27Aa/FBjfhTDwO:WMl+D8sgeKpFWBY+NDz17NFBju02s+
Malware Config

Extracted family: amadey
Version: 3.50
C2 (as extracted): 62.204.41.6/p9cWxH/index.php
Signatures

Detect Amadey credential stealer module (2 IoCs)
  yara_rule amadey_cred_module: C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  yara_rule amadey_cred_module: C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Blocklisted process makes network request (1 IoC)
  flow 59, pid 4316, rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid 4204 gntuud.exe
  pid 4444 gntuud.exe
  pid 1884 linda5.exe
  pid 1364 gntuud.exe

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence. The \REGISTRY\USER\<SID> prefix is the current user's HKCU hive, so the value read is HKCU\Control Panel\International\Geo\Nation.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (file.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (gntuud.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (linda5.exe)

Loads dropped DLL (5 IoCs)
  pid 4316 rundll32.exe
  pid 2820 rundll32.exe (x2)
  pid 4068 rundll32.exe (x2)

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; for this sample, an Amadey loader with a credential-stealing module, drive enumeration is more consistent with collecting data to steal, and the report records no encryption activity.
Program crash (3 IoCs)
  pid 1388 WerFault.exe, target pid 4004 file.exe
  pid 364 WerFault.exe, target pid 4444 gntuud.exe
  pid 1856 WerFault.exe, target pid 1364 gntuud.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task here (see the schtasks.exe entry in the process tree) re-launches the dropped gntuud.exe every minute.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 4316 rundll32.exe (x4)

Suspicious use of WriteProcessMemory (20 IoCs)
  PID 4004 file.exe wrote to memory of 4204 gntuud.exe (x3)
  PID 4204 gntuud.exe wrote to memory of 320 schtasks.exe (x3)
  PID 4204 gntuud.exe wrote to memory of 1884 linda5.exe (x3)
  PID 4204 gntuud.exe wrote to memory of 4316 rundll32.exe (x3)
  PID 1884 linda5.exe wrote to memory of 1624 control.exe (x3)
  PID 1624 control.exe wrote to memory of 2820 rundll32.exe (x3)
  PID 2820 rundll32.exe wrote to memory of 5048 RunDll32.exe (x2)

outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
Processes

Indentation follows the parent/child depth recorded by the sandbox. Where the image path is under SysWOW64 but the command line names System32, the process is 32-bit and the path was rewritten by WOW64 file-system redirection.

C:\Users\Admin\AppData\Local\Temp\file.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\control.exe
        cmd: "C:\Windows\System32\control.exe" .\t725LbZ.A
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\t725LbZ.A
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\RunDll32.exe
            cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\t725LbZ.A

            C:\Windows\SysWOW64\rundll32.exe
              cmd: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\t725LbZ.A
              - Loads dropped DLL

    C:\Windows\SysWOW64\rundll32.exe
      cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1140
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4004 -ip 4004

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 416
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4444 -ip 4444

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 424
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1364 -ip 1364

Reading the tree: file.exe drops a copy of itself as gntuud.exe, which registers the per-minute scheduled task, starts the second-stage linda5.exe, and runs the credential module cred64.dll through rundll32 (pid 4316, the process that makes the blocklisted network request and opens the Outlook profile key). linda5.exe executes t725LbZ.A as a Control Panel applet via control.exe and Shell32!Control_RunDLL; the 64-bit RunDll32 then hands the applet to a 32-bit rundll32 in SysWOW64, consistent with a 32-bit module. The two parentless gntuud.exe instances later in the tree (the crash targets 4444 and 1364) are consistent with the scheduled task re-launching the loader; each of them, like the original file.exe, crashed and was handled by WerFault.
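Detection logic for the chain the tree records, as an added example written for this page; it is not code from the sandbox or from the malware. It runs three rules over the command lines copied from the tree above plus three constructed benign lines: a schtasks /Create with a minute-level trigger whose action lives in a user-writable path, rundll32 loading a DLL from the user profile, and control.exe or Shell32!Control_RunDLL given an applet that is not a system .cpl. The rule names, the list of user-writable directories and the five-minute threshold are my own assumptions; the ordinal match is on the literal `shell32.dll,#44` form the tree shows, with no claim about what that ordinal resolves to.

```python
import re

# Tokeniser for Windows command lines: a token is one run of quoted and/or
# unquoted characters, so "C:\Windows\SysWOW64\shell32.dll",#44 stays one token.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')

# Directories an unprivileged user can write to. Assumption: this list is mine,
# chosen for the paths seen in the report; extend it for your environment.
_USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData)\\", re.I)


def win_split(cmdline):
    """Split a Windows command line into argv with the quotes removed."""
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]


def _exe(argv):
    """Lower-cased image file name of argv[0] ("" for an empty argv).
    Keyed on the file name because WOW64 rewrites System32 to SysWOW64."""
    return argv[0].rsplit("\\", 1)[-1].lower() if argv else ""


def rule_schtasks_persistence(argv):
    """schtasks /Create with a minute-level trigger whose action is in a user-writable path."""
    if _exe(argv) != "schtasks.exe":
        return None
    opts = {}
    for i, tok in enumerate(argv):
        if i and tok.startswith("/"):
            nxt = argv[i + 1] if i + 1 < len(argv) else ""
            opts[tok.lower()] = "" if nxt.startswith("/") else nxt  # flag or flag+value
    if "/create" not in opts or opts.get("/sc", "").upper() != "MINUTE":
        return None
    try:
        every = int(opts.get("/mo") or 1)   # /MO defaults to 1 when omitted
    except ValueError:
        every = 1
    if every <= 5 and _USER_WRITABLE.search(opts.get("/tr", "")):
        return "schtasks_persistence_user_path"
    return None


def rule_rundll32_user_dll(argv):
    """rundll32 whose target DLL sits under a user-writable directory (cred64.dll above)."""
    if _exe(argv) != "rundll32.exe" or len(argv) < 2:
        return None
    dll = argv[1].split(",", 1)[0]   # "...\cred64.dll, Main" -> "...\cred64.dll"
    return "rundll32_dll_from_user_path" if _USER_WRITABLE.search(dll) else None


def rule_cpl_proxy(argv):
    """control.exe / Shell32 Control_RunDLL given an applet that is not a system .cpl."""
    exe = _exe(argv)
    if exe == "control.exe" and len(argv) >= 2:
        applet = argv[1]
    elif (exe == "rundll32.exe" and len(argv) >= 3
          and "shell32.dll" in argv[1].lower()
          and (argv[1].lower().endswith(",control_rundll")   # named export
               or argv[1].endswith(",#44"))):                # ordinal form seen in the tree
        applet = argv[2]
    else:
        return None
    if applet.startswith("/"):          # e.g. control.exe /name Microsoft.System
        return None
    if (not applet.lower().endswith(".cpl") or applet.startswith(".\\")
            or _USER_WRITABLE.search(applet)):
        return "cpl_proxy_execution"
    return None


RULES = (rule_schtasks_persistence, rule_rundll32_user_dll, rule_cpl_proxy)


def analyze(cmdlines):
    """Return [(rule_name, cmdline), ...] for every rule that fires on every line."""
    findings = []
    for cmd in cmdlines:
        argv = win_split(cmd)
        for rule in RULES:
            name = rule(argv)
            if name:
                findings.append((name, cmd))
    return findings


# Command lines copied from the process tree above, plus three constructed
# benign lines (marked) that the rules must leave alone.
SAMPLE = [
    r'"C:\Users\Admin\AppData\Local\Temp\file.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F',
    r'"C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe"',
    r'"C:\Windows\System32\control.exe" .\t725LbZ.A',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\t725LbZ.A',
    r'C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\t725LbZ.A',
    r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\t725LbZ.A',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 1140',
    # constructed benign controls (not from the report)
    r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe"',
    r'"C:\Windows\System32\control.exe" timedate.cpl',
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL notes.txt',
]

if __name__ == "__main__":
    for name, cmd in analyze(SAMPLE):
        print(f"{name:32} {cmd}")
```

Run stand-alone it prints six findings: the schtasks line, the cred64.dll rundll32 line, and the four control.exe/rundll32 lines that execute t725LbZ.A. In a SOC pipeline the same rules would be fed from the command-line field of Sysmon event 1 or Windows event 4688; the rules key on the image file name rather than the full path precisely because the tree shows System32 in the command line and SysWOW64 as the actual image.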
Downloads

- C:\Users\Admin\AppData\Local\Temp\1000011001\linda5.exe
  Filesize: 1.6MB
  MD5: 678c0bd00c5575055ab836ab9e6a3e21
  SHA1: 9968f7715492a1a0e1c610524175e8f854f6b0da
  SHA256: 318ff4836b8ced8563567e136200d50f344880b4f3a4f23e96585ff5f37809da
  SHA512: 86a66ba7faef681ad9096b8d6117bd738c2e5e9cc5bd5278bcd64ad1709f9f009006110b73934d8be18fca228a3c06fa20bdc45e1b6b54c9c60dc149fd465321

- C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe (a copy of the submitted file.exe: identical hashes)
  Filesize: 260KB
  MD5: cc0625d0a816c1e97a8ee955bb2c0d54
  SHA1: 034096104494e5d85088e086c5d26901a3b13451
  SHA256: 5b020087c21dfbf6dc5e1d7122d48854f52613bd45b07809512f257ea0495a70
  SHA512: 9091fb27b63d9b1d19e7ab5c49d3d6655fc470f151f34ca954fc76e9045fe9d0f3306b0297d31c9ba5933e8bc3314e30bbfd6e3df4dc019f87e489a51da35130

- C:\Users\Admin\AppData\Local\Temp\t725LbZ.A
  Filesize: 2.8MB
  MD5: 2b47fe6e0c79d350ac1569096f179b40
  SHA1: e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d
  SHA256: fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169
  SHA512: 1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

- C:\Users\Admin\AppData\Local\Temp\t725lbZ.a (same path recorded with different case; identical content to t725LbZ.A)
  Filesize: 2.8MB
  MD5: 2b47fe6e0c79d350ac1569096f179b40
  SHA1: e2a442df29f0f7b24b5fbdf5b9c82bfbe88d323d
  SHA256: fd3c87a09bc135e8aebc64eb5f5f26ec643f3a08f004b23bd432101c13d5e169
  SHA512: 1e88e199d0b274b4085264e9531830ac35d8ef16d3bace4c78341f9ad065cfb81fdc6f723092a2e12f6f67dbd73d12315c82cacc40f6e9ad107580a4ac6921d2

- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 98cc0f811ad5ff43fedc262961002498
  SHA1: 37e48635fcef35c0b3db3c1f0c35833899eb53d8
  SHA256: 62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
  SHA512: d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Memory dumps (pid-id-range):

- memory/320-140-0x0000000000000000-mapping.dmp
- memory/1364-178-0x000000000073B000-0x000000000075B000-memory.dmp (128KB)
- memory/1364-179-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
- memory/1624-153-0x0000000000000000-mapping.dmp
- memory/1884-147-0x0000000000000000-mapping.dmp
- memory/2820-154-0x0000000000000000-mapping.dmp
- memory/2820-159-0x00000000031A0000-0x0000000003416000-memory.dmp (2.5MB)
- memory/2820-165-0x0000000003540000-0x0000000003654000-memory.dmp (1.1MB)
- memory/2820-162-0x0000000003760000-0x0000000003839000-memory.dmp (868KB)
- memory/2820-161-0x0000000003660000-0x0000000003751000-memory.dmp (964KB)
- memory/2820-160-0x0000000003540000-0x0000000003654000-memory.dmp (1.1MB)
- memory/2820-158-0x0000000002B50000-0x0000000002E18000-memory.dmp (2.8MB)
- memory/4004-142-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
- memory/4004-133-0x0000000002070000-0x00000000020AE000-memory.dmp (248KB)
- memory/4004-134-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
- memory/4004-132-0x00000000004D9000-0x00000000004F8000-memory.dmp (124KB)
- memory/4004-141-0x00000000004D9000-0x00000000004F8000-memory.dmp (124KB)
- memory/4068-170-0x0000000003560000-0x00000000037D6000-memory.dmp (2.5MB)
- memory/4068-177-0x0000000003900000-0x0000000003A14000-memory.dmp (1.1MB)
- memory/4068-173-0x0000000003B20000-0x0000000003BF9000-memory.dmp (868KB)
- memory/4068-172-0x0000000003A20000-0x0000000003B11000-memory.dmp (964KB)
- memory/4068-171-0x0000000003900000-0x0000000003A14000-memory.dmp (1.1MB)
- memory/4068-169-0x0000000002F10000-0x00000000031D8000-memory.dmp (2.8MB)
- memory/4204-138-0x0000000000828000-0x0000000000847000-memory.dmp (124KB)
- memory/4204-139-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
- memory/4204-135-0x0000000000000000-mapping.dmp
- memory/4204-143-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
- memory/4316-149-0x0000000000000000-mapping.dmp
- memory/4444-146-0x0000000000400000-0x0000000000477000-memory.dmp (476KB)
- memory/4444-145-0x000000000058B000-0x00000000005AA000-memory.dmp (124KB)
- memory/5048-166-0x0000000000000000-mapping.dmp

The 0x400000-0x477000 (476KB) dump recurs in pids 4004, 4204, 4444 and 1364, which are file.exe and its three gntuud.exe copies (same hash), so it is the loader's image region in each instance and the natural dump to compare or carve for the unpacked payload. Pids 2820 and 4068, the two rundll32 instances that loaded t725LbZ.A, carry a matching set of 2.8MB/2.5MB/1.1MB/964KB/868KB regions, consistent with the 2.8MB applet being mapped and unpacked the same way in both.