Analysis
max time kernel: 207s
max time network: 215s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 17:16
Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
General
Target: file.exe
Size: 332KB
MD5: cb224fa9c997ca170553d96aedc36f5e
SHA1: 40fe73f63ad3eee278f194c321419595f61dad91
SHA256: 7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8
SHA512: c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729
SSDEEP: 6144:ZaR9xA3l8Er8vQ4Ifmc6PoJG4iKWzujBNfIDcJbDTVS:ZaR7AVjrmDoZ6PoJGcwDcJbXVS
Malware Config
Extracted
Family: amadey
Version: 3.50
C2: 62.204.41.6/p9cWxH/index.php
Signatures
-
Detect Amadey credential stealer module (2 IoCs)
Processes:
  resource                                                   yara_rule
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll   amadey_cred_module
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll   amadey_cred_module
-
Downloads MZ/PE file
-
Executes dropped EXE (2 IoCs)
Processes: gntuud.exe, gntuud.exe
  pid    process
  1500   gntuud.exe
  4760   gntuud.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: file.exe, gntuud.exe
  description         ioc                                                                                                    process
  Key value queried   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation   file.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation   gntuud.exe
-
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid    process
  4592   rundll32.exe
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
  pid    process
  4592   rundll32.exe
  4592   rundll32.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: file.exe, gntuud.exe
  description                         pid    process      target process
  PID 4072 wrote to memory of 1500    4072   file.exe     gntuud.exe
  PID 4072 wrote to memory of 1500    4072   file.exe     gntuud.exe
  PID 4072 wrote to memory of 1500    4072   file.exe     gntuud.exe
  PID 1500 wrote to memory of 2064    1500   gntuud.exe   schtasks.exe
  PID 1500 wrote to memory of 2064    1500   gntuud.exe   schtasks.exe
  PID 1500 wrote to memory of 2064    1500   gntuud.exe   schtasks.exe
  PID 1500 wrote to memory of 4592    1500   gntuud.exe   rundll32.exe
  PID 1500 wrote to memory of 4592    1500   gntuud.exe   rundll32.exe
  PID 1500 wrote to memory of 4592    1500   gntuud.exe   rundll32.exe
Processes (child processes are indented under their parent)
-
C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
      - Creates scheduled task(s)
    -
    C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize: 332KB
MD5: cb224fa9c997ca170553d96aedc36f5e
SHA1: 40fe73f63ad3eee278f194c321419595f61dad91
SHA256: 7c8da0a30496367922885931c4744e8a844dfd1f3cd3333253a92af768e9aba8
SHA512: c70459ade226e1040412d41e20c60c8eaec0a85d3ad77596e5f99ed266db78bcb163232ea7eefbab11c362afc0e1fcb903cc4df2e6bf8e72b8eb64e1a6f62729
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize: 126KB
MD5: 98cc0f811ad5ff43fedc262961002498
SHA1: 37e48635fcef35c0b3db3c1f0c35833899eb53d8
SHA256: 62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be
SHA512: d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1
-
memory/1500-142-0x0000000000748000-0x0000000000767000-memory.dmp
Filesize: 124KB
-
memory/1500-136-0x0000000000000000-mapping.dmp
-
memory/1500-143-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/2064-144-0x0000000000000000-mapping.dmp
-
memory/4072-141-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/4072-140-0x00000000005F0000-0x000000000062E000-memory.dmp
Filesize: 248KB
-
memory/4072-139-0x00000000004C9000-0x00000000004E8000-memory.dmp
Filesize: 124KB
-
memory/4072-132-0x00000000004C9000-0x00000000004E8000-memory.dmp
Filesize: 124KB
-
memory/4072-135-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/4072-134-0x00000000004C9000-0x00000000004E8000-memory.dmp
Filesize: 124KB
-
memory/4072-133-0x00000000005F0000-0x000000000062E000-memory.dmp
Filesize: 248KB
-
memory/4592-148-0x0000000000000000-mapping.dmp
-
memory/4760-147-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize: 452KB
-
memory/4760-146-0x000000000062B000-0x000000000064A000-memory.dmp
Filesize: 124KB