Analysis
- max time kernel: 121s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 22-01-2023 16:31
Behavioral tasks
- behavioral1: sample tmp.exe, resource win7-20220812-en
- behavioral2: sample tmp.exe, resource win10v2004-20220812-en
General
- Target: tmp.exe
- Size: 235KB
- MD5: 6779cd6f17fa7536c4490cc6d72a00a0
- SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
- SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
- SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
- SSDEEP: 6144:eLUoeyDABOdDubDXqgraG0JzSRuVyL+VYjQqgE:elu0LgwJ4uVyaV+J
Malware Config
Extracted
- Family: amadey
- Version: 3.66
- C2: 62.204.41.242/9vZbns/index.php
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid   Process
  1728  nbveek.exe
  884   nbveek.exe
  1600  nbveek.exe
- Loads dropped DLL (15 IoCs; identical rows collapsed with a count)
  pid   Process        count
  1852  tmp.exe        1
  824   rundll32.exe   4
  296   rundll32.exe   4
  1052  rundll32.exe   4
  1168  WerFault.exe   2
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  1168  296         WerFault.exe  43
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1312  schtasks.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed with a count, 64 entries in total)
  description                        pid   Process       procid_target  count
  PID 1852 wrote to memory of 1728   1852  tmp.exe       28             4
  PID 1728 wrote to memory of 1312   1728  nbveek.exe    29             4
  PID 1728 wrote to memory of 604    1728  nbveek.exe    31             4
  PID 604 wrote to memory of 1376    604   cmd.exe       33             4
  PID 604 wrote to memory of 1948    604   cmd.exe       34             4
  PID 604 wrote to memory of 1820    604   cmd.exe       35             4
  PID 604 wrote to memory of 856     604   cmd.exe       36             4
  PID 604 wrote to memory of 432     604   cmd.exe       37             4
  PID 604 wrote to memory of 520     604   cmd.exe       38             4
  PID 1728 wrote to memory of 824    1728  nbveek.exe    41             7
  PID 1728 wrote to memory of 1052   1728  nbveek.exe    42             7
  PID 824 wrote to memory of 296     824   rundll32.exe  43             4
  PID 296 wrote to memory of 1168    296   rundll32.exe  45             3
  PID 1520 wrote to memory of 884    1520  taskeng.exe   46             4
  PID 1520 wrote to memory of 1600   1520  taskeng.exe   47             3
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1852)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe (PID 1728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 1312)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 604)
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1376)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 1948)
        Command line: CACLS "nbveek.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 1820)
        Command line: CACLS "nbveek.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe (PID 856)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe (PID 432)
        Command line: CACLS "..\4b9a106e76" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe (PID 520)
        Command line: CACLS "..\4b9a106e76" /P "Admin:R" /E
    - C:\Windows\SysWOW64\rundll32.exe (PID 824)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 296)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\WerFault.exe (PID 1168)
          Command line: C:\Windows\system32\WerFault.exe -u -p 296 -s 344
          Signatures: Loads dropped DLL; Program crash
    - C:\Windows\SysWOW64\rundll32.exe (PID 1052)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
      Signatures: Loads dropped DLL
- C:\Windows\system32\taskeng.exe (PID 1520)
  Command line: taskeng.exe {8CCE874F-02F2-47ED-99E2-29E754225578} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe (PID 884)
    Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe (PID 1600)
    Command line: C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Dropped file (235KB; same hashes as the submitted sample)
  Filesize: 235KB
  MD5: 6779cd6f17fa7536c4490cc6d72a00a0
  SHA1: 2976ecc0ecc2800be22fa92868c2173a44e04ee0
  SHA256: b00302c7a37d30e1d649945bce637c2be5ef5a1055e572df9866ef8281964b65
  SHA512: 88e8e38e1c664ebe1aa3c9f7601496b83f3c7ca9916a49573d169a33ae697602737505aaa2af755b6bea19dc38064742876b585a41c6ffaac172a44fb8bdc482
- Dropped file (89KB)
  Filesize: 89KB
  MD5: 46132baadaa4c318d24db8ed2220b80a
  SHA1: e923041a849d6c4719564280aaf48fe61ed62fa4
  SHA256: 45f90d58562a9ee67bd129e4bbd538969aabd476e558aa0ff0a9cbdfb7d43a2e
  SHA512: c2afe2d08a3e29d2549df37d8bec7da7f83e7aa9c1e0b039e492d105ae36a00f1d52935fe150e6dbc46d7a414465d818f6eb825b91a31e70d3e73239a736f60f
- Dropped file (1.0MB)
  Filesize: 1.0MB
  MD5: 17ffefed5c2de006ac35f47b84d2477b
  SHA1: 7cd101050de0f53973e8144fbae9db8ebb74adcc
  SHA256: 398235467c51419c4d2df6b9a0fad678730ae52b6db55d26e96f7ba70cae2dc3
  SHA512: d4e50ea058ad2dcd2bf45c92270ff9a909457166e8b1c4c38d70e7e45c1d3498ef2bafeffaefc8ffaedab693b8890e1994497c023dc96e15c11baae239486aa1