Analysis
-
max time kernel
112s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
23/01/2023, 09:26
Behavioral task
behavioral1
Sample
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe
Resource
win10v2004-20220812-en
General
-
Target
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe
-
Size
235KB
-
MD5
ebd584e9c1a400cd5d4bafa0e7936468
-
SHA1
d263c62902326425ed17855d49d35003abcd797b
-
SHA256
ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
-
SHA512
e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
SSDEEP
6144:pLUoeyDABOdDubDXqgraG0JzSRuVyL+VYLQqgE:plu0LgwJ4uVyaVqJ
Malware Config
Extracted
amadey
3.66
62.204.41.88/9vdVVVjsw/index.php
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 904 nbveek.exe 1072 nbveek.exe 964 nbveek.exe -
Loads dropped DLL 15 IoCs
pid Process 1108 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe 1904 rundll32.exe 1904 rundll32.exe 1904 rundll32.exe 1904 rundll32.exe 1000 rundll32.exe 1000 rundll32.exe 1000 rundll32.exe 1000 rundll32.exe 2020 rundll32.exe 2020 rundll32.exe 2020 rundll32.exe 2020 rundll32.exe 1100 WerFault.exe 1100 WerFault.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1100 1000 WerFault.exe 44 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1480 schtasks.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1108 wrote to memory of 904 1108 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe 27 PID 1108 wrote to memory of 904 1108 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe 27 PID 1108 wrote to memory of 904 1108 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe 27 PID 1108 wrote to memory of 904 1108 ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe 27 PID 904 wrote to memory of 1480 904 nbveek.exe 28 PID 904 wrote to memory of 1480 904 nbveek.exe 28 PID 904 wrote to memory of 1480 904 nbveek.exe 28 PID 904 wrote to memory of 1480 904 nbveek.exe 28 PID 904 wrote to memory of 628 904 nbveek.exe 30 PID 904 wrote to memory of 628 904 nbveek.exe 30 PID 904 wrote to memory of 628 904 nbveek.exe 30 PID 904 wrote to memory of 628 904 nbveek.exe 30 PID 628 wrote to memory of 1120 628 cmd.exe 32 PID 628 wrote to memory of 1120 628 cmd.exe 32 PID 628 wrote to memory of 1120 628 cmd.exe 32 PID 628 wrote to memory of 1120 628 cmd.exe 32 PID 628 wrote to memory of 1968 628 cmd.exe 33 PID 628 wrote to memory of 1968 628 cmd.exe 33 PID 628 wrote to memory of 1968 628 cmd.exe 33 PID 628 wrote to memory of 1968 628 cmd.exe 33 PID 628 wrote to memory of 1688 628 cmd.exe 34 PID 628 wrote to memory of 1688 628 cmd.exe 34 PID 628 wrote to memory of 1688 628 cmd.exe 34 PID 628 wrote to memory of 1688 628 cmd.exe 34 PID 628 wrote to memory of 524 628 cmd.exe 35 PID 628 wrote to memory of 524 628 cmd.exe 35 PID 628 wrote to memory of 524 628 cmd.exe 35 PID 628 wrote to memory of 524 628 cmd.exe 35 PID 628 wrote to memory of 1684 628 cmd.exe 36 PID 628 wrote to memory of 1684 628 cmd.exe 36 PID 628 wrote to memory of 1684 628 cmd.exe 36 PID 628 wrote to memory of 1684 628 cmd.exe 36 PID 628 wrote to memory of 1164 628 cmd.exe 37 PID 628 wrote to memory of 1164 628 cmd.exe 37 PID 628 wrote to memory of 1164 628 cmd.exe 37 PID 628 wrote to memory of 1164 628 cmd.exe 37 PID 1536 wrote to memory of 1072 1536 taskeng.exe 41 PID 1536 wrote to memory of 1072 1536 taskeng.exe 41 PID 1536 wrote to memory of 1072 1536 taskeng.exe 41 PID 1536 wrote to memory of 1072 1536 taskeng.exe 41 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 1904 904 nbveek.exe 42 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 904 wrote to memory of 2020 904 nbveek.exe 43 PID 1904 wrote to memory of 1000 1904 rundll32.exe 44 PID 1904 wrote to memory of 1000 1904 rundll32.exe 44 PID 1904 wrote to memory of 1000 1904 rundll32.exe 44 PID 1904 wrote to memory of 1000 1904 rundll32.exe 44 PID 1000 wrote to memory of 1100 1000 rundll32.exe 45 PID 1000 wrote to memory of 1100 1000 rundll32.exe 45 PID 1000 wrote to memory of 1100 1000 rundll32.exe 45 PID 1536 wrote to memory of 964 1536 taskeng.exe 46 PID 1536 wrote to memory of 964 1536 taskeng.exe 46 PID 1536 wrote to memory of 964 1536 taskeng.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe"C:\Users\Admin\AppData\Local\Temp\ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F3⤵
- Creates scheduled task(s)
PID:1480
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "Admin:N"&&CACLS "..\9e0894bcc4" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:1120
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:N"4⤵PID:1968
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "nbveek.exe" /P "Admin:R" /E4⤵PID:1688
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵PID:524
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9e0894bcc4" /P "Admin:N"4⤵PID:1684
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\9e0894bcc4" /P "Admin:R" /E4⤵PID:1164
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1000 -s 3445⤵
- Loads dropped DLL
- Program crash
PID:1100
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Loads dropped DLL
PID:2020
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {283DE68E-682B-43D2-AFA9-6BCD494B02DF} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe2⤵
- Executes dropped EXE
PID:1072
-
-
C:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exeC:\Users\Admin\AppData\Local\Temp\9e0894bcc4\nbveek.exe2⤵
- Executes dropped EXE
PID:964
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
Filesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
Filesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
Filesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
Filesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
235KB
MD5ebd584e9c1a400cd5d4bafa0e7936468
SHA1d263c62902326425ed17855d49d35003abcd797b
SHA256ad1d5475d737c09e3c48f7996cd407c992c1bb5601bcc6c6287eb80cde3d852b
SHA512e94b7bca0258e2f2fd374898c87196587311af4aa20f1197ef8d0fddcdc098fdd0096152d27b49cbe21a3527624339fe0c806c7aa4ea6c80b76764ee2245a010
-
Filesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
Filesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
Filesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
Filesize
89KB
MD5e1fe62c436de6b2c3bf0fd32e0f779c1
SHA1dbaadf172ed878592ae299e27eb98e2614b7b36b
SHA2563492ed949b0d1cbd720eae940d122d6a791df098506c24517da0cc149089f405
SHA512e0749db80671b0e446d54c7edb1ff11ea6ba5728eabce567bb8d81fa4aa66872d5255e4f85b816e5634eada1314ff272dd6dbf89c1b18e75702fe92ba15348ee
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a
-
Filesize
1.0MB
MD5d1eb5caae43e95e1f369ca373a5e192d
SHA1bafa865f8f2cb5bddf951357e70af9fb011d6ac2
SHA256cdd4072239d8a62bf134e9884ef2829d831efaf3f6f7f71b7266af29df145dd0
SHA512e4f4fd7b4cfa15f5de203601e5317be2245df7cf1cb05eb9fac0a90fb2a01c42be9b6e31662d76b678c1bea731c467bed1aae61fe0c1cbb6fea3c159677b691a