Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2022, 09:08

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30.exe

  • Size

    273KB

  • MD5

    c5e6b0ddf6414795b054b7448380e1e5

  • SHA1

    fcbe111058babc8078836b603cc9b5b72407a638

  • SHA256

    1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30

  • SHA512

    266dd087a6798e35cfacb94f8e3d260c61c9bca876f1746532233901367181886ca65ba21772eedbadb6606d695f46e56d4e2c800a597760be39189159c572ed

  • SSDEEP

    6144:Jd5KBLJk9cxa5tTNHKgODZP+VAFwV8Il+rjjlVklPH:JTi1UcKFKgA+VI2MlU

Score
10/10
amadeycollectionspywarestealertrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

31.41.244.237/jg94cVd30f/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Amadey credential stealer module 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30.exe
    "C:\Users\Admin\AppData\Local\Temp\1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
      "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "Admin:N"&&CACLS "gntuud.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9c69749b54" /P "Admin:N"&&CACLS "..\9c69749b54" /P "Admin:R" /E&&Exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4288
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          4⤵
            PID:4720
          • C:\Windows\SysWOW64\cacls.exe
            CACLS "gntuud.exe" /P "Admin:N"
            4⤵
              PID:3748
            • C:\Windows\SysWOW64\cacls.exe
              CACLS "gntuud.exe" /P "Admin:R" /E
              4⤵
                PID:4460
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                4⤵
                  PID:5016
                • C:\Windows\SysWOW64\cacls.exe
                  CACLS "..\9c69749b54" /P "Admin:N"
                  4⤵
                    PID:4984
                  • C:\Windows\SysWOW64\cacls.exe
                    CACLS "..\9c69749b54" /P "Admin:R" /E
                    4⤵
                      PID:3720
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll, Main
                    3⤵
                    • Blocklisted process makes network request
                    • Loads dropped DLL
                    • Accesses Microsoft Outlook profiles
                    • Suspicious behavior: EnumeratesProcesses
                    • outlook_win_path
                    PID:452
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 900
                  2⤵
                  • Program crash
                  PID:1712
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1208 -ip 1208
                1⤵
                  PID:1044
                • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                  C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                  1⤵
                  • Executes dropped EXE
                  PID:3652
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3652 -s 416
                    2⤵
                    • Program crash
                    PID:4340
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3652 -ip 3652
                  1⤵
                    PID:2624
                  • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                    C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                    1⤵
                    • Executes dropped EXE
                    PID:2568
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 416
                      2⤵
                      • Program crash
                      PID:4380
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2568 -ip 2568
                    1⤵
                      PID:3176
                    • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                      1⤵
                      • Executes dropped EXE
                      PID:4496
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 416
                        2⤵
                        • Program crash
                        PID:4092
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4496 -ip 4496
                      1⤵
                        PID:5052

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                              Filesize

                              273KB

                              MD5

                              c5e6b0ddf6414795b054b7448380e1e5

                              SHA1

                              fcbe111058babc8078836b603cc9b5b72407a638

                              SHA256

                              1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30

                              SHA512

                              266dd087a6798e35cfacb94f8e3d260c61c9bca876f1746532233901367181886ca65ba21772eedbadb6606d695f46e56d4e2c800a597760be39189159c572ed

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                              Filesize

                              273KB

                              MD5

                              c5e6b0ddf6414795b054b7448380e1e5

                              SHA1

                              fcbe111058babc8078836b603cc9b5b72407a638

                              SHA256

                              1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30

                              SHA512

                              266dd087a6798e35cfacb94f8e3d260c61c9bca876f1746532233901367181886ca65ba21772eedbadb6606d695f46e56d4e2c800a597760be39189159c572ed

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                              Filesize

                              273KB

                              MD5

                              c5e6b0ddf6414795b054b7448380e1e5

                              SHA1

                              fcbe111058babc8078836b603cc9b5b72407a638

                              SHA256

                              1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30

                              SHA512

                              266dd087a6798e35cfacb94f8e3d260c61c9bca876f1746532233901367181886ca65ba21772eedbadb6606d695f46e56d4e2c800a597760be39189159c572ed

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                              Filesize

                              273KB

                              MD5

                              c5e6b0ddf6414795b054b7448380e1e5

                              SHA1

                              fcbe111058babc8078836b603cc9b5b72407a638

                              SHA256

                              1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30

                              SHA512

                              266dd087a6798e35cfacb94f8e3d260c61c9bca876f1746532233901367181886ca65ba21772eedbadb6606d695f46e56d4e2c800a597760be39189159c572ed

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\9c69749b54\gntuud.exe
                              Filesize

                              273KB

                              MD5

                              c5e6b0ddf6414795b054b7448380e1e5

                              SHA1

                              fcbe111058babc8078836b603cc9b5b72407a638

                              SHA256

                              1a9fcc9824192930be4f99536934ce03a2e06ab428097285aa1617e9c4c87d30

                              SHA512

                              266dd087a6798e35cfacb94f8e3d260c61c9bca876f1746532233901367181886ca65ba21772eedbadb6606d695f46e56d4e2c800a597760be39189159c572ed

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll
                              Filesize

                              126KB

                              MD5

                              c0fd0167e213b6148333351bd16ed1fb

                              SHA1

                              1cfb2b42686557656dead53e02d1db3f2a848026

                              SHA256

                              c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

                              SHA512

                              d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

                              Download Submit

                            • C:\Users\Admin\AppData\Roaming\85f469ce401df1\cred64.dll
                              Filesize

                              126KB

                              MD5

                              c0fd0167e213b6148333351bd16ed1fb

                              SHA1

                              1cfb2b42686557656dead53e02d1db3f2a848026

                              SHA256

                              c7d804e8fb096769b0e199102bdf8efa97dfae1a9b57a479819971146877368b

                              SHA512

                              d514f35e62a5380b4ad96a3e0cddf82b53b1cf273e5ac542f040f30a75efd3c246fa2194e4bb273572cd2436a435a608e2b919f6df9fa4ebbf452b0d297b0cf9

                              Download Submit

                            • memory/1208-132-0x0000000000522000-0x0000000000541000-memory.dmp

                              Filesize

                              124KB

                              Download

                            • memory/1208-138-0x0000000000522000-0x0000000000541000-memory.dmp

                              Filesize

                              124KB

                              Download

                            • memory/1208-133-0x00000000020D0000-0x000000000210E000-memory.dmp

                              Filesize

                              248KB

                              Download

                            • memory/1208-134-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/1208-139-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/2568-158-0x00000000007A4000-0x00000000007C3000-memory.dmp

                              Filesize

                              124KB

                              Download

                            • memory/2568-159-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/2980-143-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/2980-150-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/2980-142-0x0000000000563000-0x0000000000582000-memory.dmp

                              Filesize

                              124KB

                              Download

                            • memory/3652-153-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download

                            • memory/3652-152-0x0000000000644000-0x0000000000663000-memory.dmp

                              Filesize

                              124KB

                              Download

                            • memory/4496-161-0x00000000005D4000-0x00000000005F3000-memory.dmp

                              Filesize

                              124KB

                              Download

                            • memory/4496-162-0x0000000000400000-0x000000000046E000-memory.dmp

                              Filesize

                              440KB

                              Download