Analysis
-
max time kernel
207s -
max time network
274s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
13-12-2022 22:40
General
-
Target
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe
-
Size
5.5MB
-
MD5
dcded7ac014d98160a90789c615ae3cf
-
SHA1
e1f14ffa121e6618aaa5760c91d129503f7656da
-
SHA256
7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
-
SHA512
fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
SSDEEP
98304:IrxJwipiyZZ9RmdEeGCbGAstmlUse5mvKLgO/zhyPSp8616v+E7LF9yzTuU:INZpimLRvCbVlLnSg6piW+T4
Malware Config
Extracted
amadey
3.60
85.209.135.11/gjend7w/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"C:\Users\Admin\AppData\Local\Temp\7c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe" /F5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\acc0b83959" /P "Admin:N"&&CACLS "..\acc0b83959" /P "Admin:R" /E&&Exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "gntuud.exe" /P "Admin:R" /E6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\acc0b83959" /P "Admin:N"6⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\acc0b83959" /P "Admin:R" /E6⤵
-
C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe"C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exe"5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeC:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeC:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exeFilesize
7.3MB
MD5ae50461b518a30040f33bab3560683e8
SHA1b4abdf727194e3b3e4c73f93db2f308969884f2f
SHA256ee8b0c2ec8680a2fbffe5334b9eeaa2c9aa04edce22c8a30d8052e89fa26950e
SHA512fc5d4b4e6c93a728e17350dd83d4885bd9fa764002c533c6d13967cae98a6c66ff2742495eca9cf3aadcea312f9baf656f942bf44327817d8da405f4e6f042e8
-
C:\Users\Admin\AppData\Local\Temp\1000009001\avicapn32.exeFilesize
7.3MB
MD5ae50461b518a30040f33bab3560683e8
SHA1b4abdf727194e3b3e4c73f93db2f308969884f2f
SHA256ee8b0c2ec8680a2fbffe5334b9eeaa2c9aa04edce22c8a30d8052e89fa26950e
SHA512fc5d4b4e6c93a728e17350dd83d4885bd9fa764002c533c6d13967cae98a6c66ff2742495eca9cf3aadcea312f9baf656f942bf44327817d8da405f4e6f042e8
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeFilesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeFilesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeFilesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeFilesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeFilesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
C:\Users\Admin\AppData\Local\Temp\acc0b83959\gntuud.exeFilesize
5.5MB
MD5dcded7ac014d98160a90789c615ae3cf
SHA1e1f14ffa121e6618aaa5760c91d129503f7656da
SHA2567c5189d18f6898c9ae9456d0166348caf5499ce058468d99000d87dad21b6995
SHA512fec39d6dfd97ecc69ea85b18e8dfaadf84a2289a8b5eb6416918d0f7625897491a7a4302de0f1f16abbba2b906d0523affbfaa3198c583c21c53e883bba82f2c
-
C:\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
\Users\Admin\AppData\Roaming\c33e9ad058e5d3\cred64.dllFilesize
5.0MB
MD524ece515d8082af9bbf326e17e9f0670
SHA19b7e8e37f2a27ee3c92835873e446686e6f0a723
SHA2568c0ea747424ac83b2392463cdd6d244a62cc3e0557476b5140e035c26e41bcbe
SHA512e1428917fd7e6643cbc2c561007164edfa7bb8599ffa736d4fdf2bf49b618101eb7a14c79bd250ede9a2a0afa0affe43194a3ace111b4c7c43d29a7e18f9a0e2
-
memory/188-412-0x0000000000000000-mapping.dmp
-
memory/188-489-0x0000000000400000-0x00000000012DA000-memory.dmpFilesize
14.9MB
-
memory/188-487-0x0000000000400000-0x00000000012DA000-memory.dmpFilesize
14.9MB
-
memory/188-454-0x0000000000400000-0x00000000012DA000-memory.dmpFilesize
14.9MB
-
memory/320-488-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/320-477-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/320-615-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/340-368-0x0000000000000000-mapping.dmp
-
memory/1388-657-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/2108-490-0x0000000000000000-mapping.dmp
-
memory/2108-541-0x00000000043F0000-0x0000000004BE7000-memory.dmpFilesize
8.0MB
-
memory/2108-542-0x00000000043F0000-0x0000000004BE7000-memory.dmpFilesize
8.0MB
-
memory/2212-583-0x0000000000419040-mapping.dmp
-
memory/2212-616-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/2272-370-0x0000000000000000-mapping.dmp
-
memory/3780-270-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/3780-213-0x0000000000000000-mapping.dmp
-
memory/3780-244-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/4016-183-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-172-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-182-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-167-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-208-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4016-180-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-186-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-188-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-189-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-187-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-185-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-184-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-176-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-179-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-178-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-166-0x0000000000419040-mapping.dmp
-
memory/4016-168-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-169-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-171-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-222-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4016-173-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-174-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-175-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4016-170-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4020-336-0x0000000000000000-mapping.dmp
-
memory/4180-397-0x0000000000000000-mapping.dmp
-
memory/4192-146-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/4192-134-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-165-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-164-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-163-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-162-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-161-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-160-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-159-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-157-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-181-0x0000000002D60000-0x0000000002D68000-memory.dmpFilesize
32KB
-
memory/4192-158-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/4192-156-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-155-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-154-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-152-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-151-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-149-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-121-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-148-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-120-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-122-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-123-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-124-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-125-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-145-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-126-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-144-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-143-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-142-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-141-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-140-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-139-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-138-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-137-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-135-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-127-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-136-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-177-0x0000000000400000-0x0000000000D4E000-memory.dmpFilesize
9.3MB
-
memory/4192-133-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-132-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-131-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-130-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-129-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4192-128-0x0000000077330000-0x00000000774BE000-memory.dmpFilesize
1.6MB
-
memory/4272-486-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4272-318-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4272-263-0x0000000000419040-mapping.dmp
-
memory/4776-354-0x0000000000000000-mapping.dmp
-
memory/4828-308-0x0000000000000000-mapping.dmp
-
memory/5080-312-0x0000000000000000-mapping.dmp
-
memory/5088-325-0x0000000000000000-mapping.dmp