Analysis
- max time kernel: 124s
- max time network: 166s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 04:21
Static task: static1
Behavioral task: behavioral1
- Sample: dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
- Resource: win10v2004-20221111-en
General
- Target: dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
- Size: 380KB
- MD5: f990042d798722b3990094c81f0acfc9
- SHA1: 680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f
- SHA256: dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2
- SHA512: 77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052
- SSDEEP: 6144:JzOPJKVhoUOCDQo7aBfmwvPN4eUYPO79Dxymlgl9WfaG1PI:JzOPE+URNWOYNdUrVyWgldG
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 31.41.244.167/v7eWcjs/index.php
Signatures
Detect Amadey credential stealer module (6 IoCs)
Matched resources (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll: amadey_cred_module
- \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll: amadey_cred_module
- behavioral1/memory/1408-84-0x0000000000240000-0x0000000000264000-memory.dmp: amadey_cred_module
- \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll: amadey_cred_module
- \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll: amadey_cred_module
- \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll: amadey_cred_module

Blocklisted process makes network request (1 IoCs)
Processes (flow, pid, process):
- flow 5, pid 1408, rundll32.exe

Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1108 gntuud.exe
- 824 gntuud.exe
- 1104 gntuud.exe

Loads dropped DLL (6 IoCs)
Processes (pid, process):
- 960 dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe (2 entries)
- 1408 rundll32.exe (4 entries)

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes (pid, process):
- 1408 rundll32.exe (4 entries)

Suspicious use of WriteProcessMemory (23 IoCs)
Processes (description, pid, process, target process):
- PID 960 wrote to memory of 1108: dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe -> gntuud.exe (4 entries)
- PID 1108 wrote to memory of 1600: gntuud.exe -> schtasks.exe (4 entries)
- PID 564 wrote to memory of 824: taskeng.exe -> gntuud.exe (4 entries)
- PID 1108 wrote to memory of 1408: gntuud.exe -> rundll32.exe (7 entries)
- PID 564 wrote to memory of 1104: taskeng.exe -> gntuud.exe (4 entries)

outlook_win_path (1 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D4C5A827-FA2F-41B6-9125-E2899B29676E} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe (the report repeats this entry, and the same file under \Users\Admin\AppData\Local\Temp\3f904562a0\gntuud.exe, with identical hashes)
  Filesize: 380KB
  MD5: f990042d798722b3990094c81f0acfc9
  SHA1: 680ee4e2f7ef1b5d75219cdf91c75db7c2e6844f
  SHA256: dea9c08c4923130f955a8a7a20ffc832bbaafc28b414a7a1a6686860e83d98a2
  SHA512: 77a0c64ae6e12c163cb26853d2a550428757a1d82f3781e35f1fb8358a9db7ddc37a2dfeb4d146fc71f46ce2ab6e0a0eca5d64e4db3ce11082e1ecb4b5b3f052
- C:\Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll (the report repeats this entry under \Users\Admin\AppData\Roaming\56a1c3d463f381\cred64.dll with identical hashes)
  Filesize: 126KB
  MD5: aebf8cd9ea982decded5ee6f3777c6d7
  SHA1: 406e723158cd5697503d1d04839d3bc7a5051603
  SHA256: 104af593683398f0980f2c86e6513b8c1b7dededc1f924d4693ad92410d51a62
  SHA512: f28fbb9b155348a6aca1105abf6f88640bb68374c07e023a7c9e06577006002d09b53b7629923c2486d7e9811f7254a296d19e566940077431e5089b06a13981
Memory dumps (dump, filesize):
- memory/824-76-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB
- memory/824-75-0x00000000005C8000-0x00000000005E7000-memory.dmp: 124KB
- memory/824-73-0x00000000005C8000-0x00000000005E7000-memory.dmp: 124KB
- memory/824-71-0x0000000000000000-mapping.dmp
- memory/960-62-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB
- memory/960-61-0x00000000001B0000-0x00000000001EE000-memory.dmp: 248KB
- memory/960-55-0x0000000075351000-0x0000000075353000-memory.dmp: 8KB
- memory/960-60-0x00000000002C8000-0x00000000002E7000-memory.dmp: 124KB
- memory/960-54-0x00000000002C8000-0x00000000002E7000-memory.dmp: 124KB
- memory/1104-90-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB
- memory/1104-89-0x0000000000568000-0x0000000000587000-memory.dmp: 124KB
- memory/1104-87-0x0000000000568000-0x0000000000587000-memory.dmp: 124KB
- memory/1104-85-0x0000000000000000-mapping.dmp
- memory/1108-65-0x00000000005B8000-0x00000000005D7000-memory.dmp: 124KB
- memory/1108-63-0x00000000005B8000-0x00000000005D7000-memory.dmp: 124KB
- memory/1108-58-0x0000000000000000-mapping.dmp
- memory/1108-70-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB
- memory/1108-66-0x0000000000400000-0x0000000000464000-memory.dmp: 400KB
- memory/1108-69-0x00000000005B8000-0x00000000005D7000-memory.dmp: 124KB
- memory/1408-84-0x0000000000240000-0x0000000000264000-memory.dmp: 144KB
- memory/1408-77-0x0000000000000000-mapping.dmp
- memory/1600-67-0x0000000000000000-mapping.dmp