Analysis
- max time kernel: 105s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 00:12
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20221111-en
General
- Target: file.exe
- Size: 331KB
- MD5: 008a0ba6dce7fc04132a2e11096c822c
- SHA1: 4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5
- SHA256: 440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90
- SHA512: 65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8
- SSDEEP: 6144:NCHVs7DyEPUAQwU8KxZsNdlJbR2gOjIDcgeVS:NC1ODxPUAwxYP1JdDcgeVS
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 31.41.244.167/v7eWcjs/index.php
Signatures
- Detect Amadey credential stealer module (6 IoCs)
  resource / yara_rule:
  - C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll / amadey_cred_module
  - \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll / amadey_cred_module (4 identical hits on this path)
  - behavioral1/memory/1940-81-0x00000000001D0000-0x00000000001F4000-memory.dmp / amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  flow / pid / process:
  - 5 / 1940 / rundll32.exe
- Executes dropped EXE (3 IoCs)
  pid / process:
  - 1432 / gntuud.exe
  - 1948 / gntuud.exe
  - 1556 / gntuud.exe
- Loads dropped DLL (6 IoCs)
  pid / process:
  - 604 / file.exe (2 hits)
  - 1940 / rundll32.exe (4 hits)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description / ioc / process:
  - Key opened / \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process:
  - 1940 / rundll32.exe (4 hits)
- Suspicious use of WriteProcessMemory (23 IoCs)
  description / pid / process / target process:
  - PID 604 wrote to memory of 1432 / 604 / file.exe / gntuud.exe (4 hits)
  - PID 1432 wrote to memory of 1792 / 1432 / gntuud.exe / schtasks.exe (4 hits)
  - PID 1732 wrote to memory of 1948 / 1732 / taskeng.exe / gntuud.exe (4 hits)
  - PID 1432 wrote to memory of 1940 / 1432 / gntuud.exe / rundll32.exe (7 hits)
  - PID 1732 wrote to memory of 1556 / 1732 / taskeng.exe / gntuud.exe (4 hits)
- outlook_win_path (1 IoC)
  description / ioc / process:
  - Key opened / \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3D2CD713-0D2F-4CA3-9200-71C40195EE59} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
  Filesize: 331KB
  MD5: 008a0ba6dce7fc04132a2e11096c822c
  SHA1: 4c1b003a5cfd7e24bc1eeb6b341fa61486b78ff5
  SHA256: 440c2baabec30c5421d79972a8dc9b5b5b92e8ea730f735c9792a6dd494cde90
  SHA512: 65f97403b197effc4e2aac61a9547e9da690749504f8a30f0e9b80fc72c50dde4f8a235bf7c489c72266846f1b2d9ffe7075693fb1e6bb0a45c6780d21599db8
- C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll
  Filesize: 126KB
  MD5: aebf8cd9ea982decded5ee6f3777c6d7
  SHA1: 406e723158cd5697503d1d04839d3bc7a5051603
  SHA256: 104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
  SHA512: f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
- memory/604-61-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
- memory/604-54-0x0000000075F81000-0x0000000075F83000-memory.dmp (8KB)
- memory/604-60-0x00000000003C0000-0x00000000003FE000-memory.dmp (248KB)
- memory/604-59-0x00000000008FB000-0x000000000091A000-memory.dmp (124KB)
- memory/1432-67-0x000000000028B000-0x00000000002AA000-memory.dmp (124KB)
- memory/1432-68-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
- memory/1432-66-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
- memory/1432-57-0x0000000000000000-mapping.dmp
- memory/1432-65-0x000000000028B000-0x00000000002AA000-memory.dmp (124KB)
- memory/1556-86-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
- memory/1556-85-0x000000000059B000-0x00000000005BA000-memory.dmp (124KB)
- memory/1556-82-0x0000000000000000-mapping.dmp
- memory/1792-63-0x0000000000000000-mapping.dmp
- memory/1940-81-0x00000000001D0000-0x00000000001F4000-memory.dmp (144KB)
- memory/1940-74-0x0000000000000000-mapping.dmp
- memory/1948-72-0x000000000059B000-0x00000000005BA000-memory.dmp (124KB)
- memory/1948-73-0x0000000000400000-0x0000000000471000-memory.dmp (452KB)
- memory/1948-69-0x0000000000000000-mapping.dmp