Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/12/2022, 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    286KB

  • MD5

    b7f0855a38e270a7d2d939d62f20174a

  • SHA1

    7ae4e3d97c18e0c2b250dab479621a82ccc88555

  • SHA256

    76f53358df7fb36537cbfa5dcb9c6625d299438eb9ddabe1ca4897b9952b98da

  • SHA512

    58fba0c19644e45ad5db5cc935836305d68ebdbcf65c19cbd3d8a9c98392d6cbc73d2c0958451ba96a9be02e0a75af0db115fe4afd5513fa83e7aff5ef62e5b7

  • SSDEEP

    6144:0XkiLw8PBfHzx15maSvpDrLPagR3MyI62DtF13VHj8qMrc:0XkiU0x910LvtPZ3My92DbHj8n

Score
10/10
amadeycollectionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.60

C2

62.204.41.79/fb73jc3/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3828
    • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:4824
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\2c33368f7d" /P "Admin:N"&&CACLS "..\2c33368f7d" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:1328
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "gntuud.exe" /P "Admin:N"
            4⤵
              PID:312
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "gntuud.exe" /P "Admin:R" /E
              4⤵
                PID:2704
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:448
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\2c33368f7d" /P "Admin:N"
                  4⤵
                    PID:4088
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\2c33368f7d" /P "Admin:R" /E
                    4⤵
                      PID:2632
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
                    3⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Accesses Microsoft Outlook profiles
                    • Suspicious behavior: EnumeratesProcesses
                    • outlook_win_path
                    PID:2228
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 904
                  2⤵
                  • Program crash
                  PID:536
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3828 -ip 3828
                1⤵
                  PID:804
                • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                  C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                  1⤵
                  • Executes dropped EXE
                  PID:836
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 416
                    2⤵
                    • Program crash
                    PID:4108
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 836 -ip 836
                  1⤵
                    PID:5028
                  • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                    C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                    1⤵
                    • Executes dropped EXE
                    PID:5076
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 416
                      2⤵
                      • Program crash
                      PID:3592
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5076 -ip 5076
                    1⤵
                      PID:4576

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                      Filesize

                      286KB

                      MD5

                      b7f0855a38e270a7d2d939d62f20174a

                      SHA1

                      7ae4e3d97c18e0c2b250dab479621a82ccc88555

                      SHA256

                      76f53358df7fb36537cbfa5dcb9c6625d299438eb9ddabe1ca4897b9952b98da

                      SHA512

                      58fba0c19644e45ad5db5cc935836305d68ebdbcf65c19cbd3d8a9c98392d6cbc73d2c0958451ba96a9be02e0a75af0db115fe4afd5513fa83e7aff5ef62e5b7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                      Filesize

                      286KB

                      MD5

                      b7f0855a38e270a7d2d939d62f20174a

                      SHA1

                      7ae4e3d97c18e0c2b250dab479621a82ccc88555

                      SHA256

                      76f53358df7fb36537cbfa5dcb9c6625d299438eb9ddabe1ca4897b9952b98da

                      SHA512

                      58fba0c19644e45ad5db5cc935836305d68ebdbcf65c19cbd3d8a9c98392d6cbc73d2c0958451ba96a9be02e0a75af0db115fe4afd5513fa83e7aff5ef62e5b7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                      Filesize

                      286KB

                      MD5

                      b7f0855a38e270a7d2d939d62f20174a

                      SHA1

                      7ae4e3d97c18e0c2b250dab479621a82ccc88555

                      SHA256

                      76f53358df7fb36537cbfa5dcb9c6625d299438eb9ddabe1ca4897b9952b98da

                      SHA512

                      58fba0c19644e45ad5db5cc935836305d68ebdbcf65c19cbd3d8a9c98392d6cbc73d2c0958451ba96a9be02e0a75af0db115fe4afd5513fa83e7aff5ef62e5b7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\2c33368f7d\gntuud.exe
                      Filesize

                      286KB

                      MD5

                      b7f0855a38e270a7d2d939d62f20174a

                      SHA1

                      7ae4e3d97c18e0c2b250dab479621a82ccc88555

                      SHA256

                      76f53358df7fb36537cbfa5dcb9c6625d299438eb9ddabe1ca4897b9952b98da

                      SHA512

                      58fba0c19644e45ad5db5cc935836305d68ebdbcf65c19cbd3d8a9c98392d6cbc73d2c0958451ba96a9be02e0a75af0db115fe4afd5513fa83e7aff5ef62e5b7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
                      Filesize

                      126KB

                      MD5

                      9995abf2f401e4945a7d2930a3727619

                      SHA1

                      7715e14ad6e4adf609c62c5812419800343fbd4f

                      SHA256

                      d35b5dd18d91dbfe3dc89cb75b6a26757777b5c52a33cd8fcf6e5ed45a946f1a

                      SHA512

                      42726fb602958594914b5bc936aff36833823f9f9da9bc80a46579d96cec12c7df070c174ec9dd82c21f2fe44f1e9a4a2e50d9944fea6379dbdec666727a7eda

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
                      Filesize

                      126KB

                      MD5

                      9995abf2f401e4945a7d2930a3727619

                      SHA1

                      7715e14ad6e4adf609c62c5812419800343fbd4f

                      SHA256

                      d35b5dd18d91dbfe3dc89cb75b6a26757777b5c52a33cd8fcf6e5ed45a946f1a

                      SHA512

                      42726fb602958594914b5bc936aff36833823f9f9da9bc80a46579d96cec12c7df070c174ec9dd82c21f2fe44f1e9a4a2e50d9944fea6379dbdec666727a7eda

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
                      Filesize

                      126KB

                      MD5

                      9995abf2f401e4945a7d2930a3727619

                      SHA1

                      7715e14ad6e4adf609c62c5812419800343fbd4f

                      SHA256

                      d35b5dd18d91dbfe3dc89cb75b6a26757777b5c52a33cd8fcf6e5ed45a946f1a

                      SHA512

                      42726fb602958594914b5bc936aff36833823f9f9da9bc80a46579d96cec12c7df070c174ec9dd82c21f2fe44f1e9a4a2e50d9944fea6379dbdec666727a7eda

                      Download Submit

                    • memory/836-153-0x0000000000400000-0x0000000000464000-memory.dmp

                      Filesize

                      400KB

                      Download

                    • memory/836-152-0x0000000000694000-0x00000000006B3000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/2228-158-0x00000000008B0000-0x00000000008D4000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/3796-141-0x0000000000400000-0x0000000000464000-memory.dmp

                      Filesize

                      400KB

                      Download

                    • memory/3796-150-0x0000000000400000-0x0000000000464000-memory.dmp

                      Filesize

                      400KB

                      Download

                    • memory/3796-140-0x0000000000543000-0x0000000000562000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/3828-134-0x0000000000400000-0x0000000000464000-memory.dmp

                      Filesize

                      400KB

                      Download

                    • memory/3828-139-0x0000000000400000-0x0000000000464000-memory.dmp

                      Filesize

                      400KB

                      Download

                    • memory/3828-138-0x0000000000773000-0x0000000000792000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/3828-132-0x0000000000773000-0x0000000000792000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/3828-133-0x00000000005F0000-0x000000000062E000-memory.dmp

                      Filesize

                      248KB

                      Download

                    • memory/5076-160-0x0000000000624000-0x0000000000643000-memory.dmp

                      Filesize

                      124KB

                      Download

                    • memory/5076-161-0x0000000000400000-0x0000000000464000-memory.dmp

                      Filesize

                      400KB

                      Download