Analysis
max time kernel: 96s
max time network: 125s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2023 15:22
Behavioral task behavioral1: sample f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe, resource win7-20221111-en (the run shown below)
Behavioral task behavioral2: sample f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe, resource win10v2004-20221111-en
General
Target: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
Size: 235KB
MD5: 67bb41448f41511e169c83230d7e9486
SHA1: dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA512: 84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
SSDEEP: 6144:ILUoeyDABOdDubDXqgraG0JzSRuVyL+VY9QqgE:Ilu0LgwJ4uVyaVgJ
Malware Config
Extracted
Family: amadey
Version: 3.66
C2: 62.204.41.72/hn85jlUn/index.php
The C2 is a bare IP address with a short path ending in index.php rather than a hostname, so both the IP and the URI path are usable as network indicators; no DNS lookup is needed for the check-in.
Signatures

Executes dropped EXE 3 IoCs
Processes: nbveek.exe
pid | process
1200 | nbveek.exe
1516 | nbveek.exe
940 | nbveek.exe
(1200 is the copy started by the submitted sample; 1516 and 940 are re-launches by the scheduled task, whose parent is taskeng.exe in the Processes tree.)

Loads dropped DLL 5 IoCs
Processes: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe, rundll32.exe
pid | process
832 | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe
1788 | rundll32.exe (x4)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the sandbox's generic description of this signature, not a finding about this sample: the configuration extracted above identifies it as Amadey, and nothing else in this report (no mass file writes, no ransom note, no encryption activity) supports the ransomware reading. Treat the drive enumeration as host discovery.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Here schtasks.exe (pid 856) creates a task named nbveek.exe that re-runs the dropped copy every minute (ATT&CK T1053.005, Scheduled Task); the full command line is in the Processes tree.

Suspicious use of WriteProcessMemory 51 IoCs
Processes: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe, nbveek.exe, cmd.exe, taskeng.exe
description | pid | process | target process
PID 832 wrote to memory of 1200 | 832 | f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe | nbveek.exe (x4)
PID 1200 wrote to memory of 856 | 1200 | nbveek.exe | schtasks.exe (x4)
PID 1200 wrote to memory of 1460 | 1200 | nbveek.exe | cmd.exe (x4)
PID 1460 wrote to memory of 1712 | 1460 | cmd.exe | cmd.exe (x4)
PID 1460 wrote to memory of 1988 | 1460 | cmd.exe | cacls.exe (x4)
PID 1460 wrote to memory of 1844 | 1460 | cmd.exe | cacls.exe (x4)
PID 1460 wrote to memory of 904 | 1460 | cmd.exe | cmd.exe (x4)
PID 1460 wrote to memory of 748 | 1460 | cmd.exe | cacls.exe (x4)
PID 1460 wrote to memory of 644 | 1460 | cmd.exe | cacls.exe (x4)
PID 1652 wrote to memory of 1516 | 1652 | taskeng.exe | nbveek.exe (x4)
PID 1200 wrote to memory of 1788 | 1200 | nbveek.exe | rundll32.exe (x7)
PID 1652 wrote to memory of 940 | 1652 | taskeng.exe | nbveek.exe (x4)
Each parent/child pair appears several times because the sandbox logs every WriteProcessMemory call, and process creation itself writes into the new child several times. Every target here is a child that the writing process launched (compare the Processes tree), so this signature reflects ordinary process creation, not injection into an unrelated, already running process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe (pid 832)
    "C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe (pid 1200)
      "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe (pid 856)
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe" /F
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe (pid 1460)
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
      (children of pid 1460, pids 1712, 1988, 1844, 904, 748, 644 in spawn order per the WriteProcessMemory list)
      [4] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          CACLS "nbveek.exe" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          CACLS "nbveek.exe" /P "Admin:R" /E
      [4] C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          CACLS "..\5eb6b96734" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          CACLS "..\5eb6b96734" /P "Admin:R" /E
    [3] C:\Windows\SysWOW64\rundll32.exe (pid 1788)
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        - Loads dropped DLL
[1] C:\Windows\system32\taskeng.exe (pid 1652)
    taskeng.exe {9A65E0EC-D5D8-4278-9D3D-45D41E9F9FFB} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe (pid 1516)
      C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe (pid 940)
      C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe
      - Executes dropped EXE

Reading the tree:
- The children are launched with System32 paths on their command lines but run from C:\Windows\SysWOW64. That is WOW64 file-system redirection, which only applies to 32-bit processes, so the sample and its nbveek.exe copy are 32-bit binaries running on the x64 guest.
- The cmd.exe chain under pid 1460 is an anti-removal step (ATT&CK T1222.001). "echo Y" answers the confirmation prompt that CACLS raises when it replaces an ACL; CACLS <target> /P "Admin:N" replaces the ACL so the Admin account has no access, and CACLS <target> /P "Admin:R" /E then edits Admin's entry to read-only. The dropped binary and its directory 5eb6b96734 end up read-only for the account that created them, so a plain delete from that account fails. Admin still owns the files, though, so a responder can reset the ACL (for example with icacls <path> /reset) before removing them.
- rundll32.exe (pid 1788) loads clip64.dll from a second hex-named directory under AppData\Roaming and calls its Main export (ATT&CK T1218.011). The DLL is listed under Downloads; this report does not show where it came from.
- taskeng.exe (pid 1652) is the Windows 7 task engine running under the Admin SID; its nbveek.exe children (pids 1516 and 940) are the one-minute scheduled task firing, which is how the loader survives the original process exiting.
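The chain in the tree above (a copy started from a fresh Temp subdirectory, a one-minute schtasks job pointing at it, CACLS stripping the user's own access, rundll32 loading a DLL from AppData\Roaming, and taskeng.exe re-launching the copy) maps cleanly onto process-creation heuristics. The Python below is an added example, not code from the sandbox or from Amadey: the event records are constructed from the command lines and pids in this report, the field names parent_image, image and cmdline are an assumption loosely modelled on Sysmon Event ID 1, and the five-minute interval threshold is an arbitrary tuning choice.

```python
"""Process-creation heuristics for the persistence/ACL-tampering chain above.

Added example, not code from the sandbox or from the malware. Event fields
(parent_image, image, cmdline) are an assumption modelled on Sysmon Event ID 1;
the sample events are constructed from the command lines and pids in the report.
"""
import re
from dataclasses import dataclass

# Locations a standard user can write to; persistence pointing here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# CACLS <target> /P <user>:N  -> replaces the ACL so <user> has no access.
CACLS_DENY = re.compile(r'cacls\s+"?([^"\s]+)"?\s+/P\s+"?([^":\s]+):N\b', re.I)
# rundll32 <path>.dll,<export>
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.I)
SHORT_INTERVAL_MIN = 5  # assumption: a task firing at least every 5 minutes is worth a look


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str  # "" when the parent is not known
    image: str
    cmdline: str


def schtasks_options(cmdline: str) -> dict:
    """Map /FLAG -> value for a schtasks command line ('' for valueless flags)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    opts, i = {}, 1  # token 0 is the schtasks binary itself
    while i < len(tokens):
        flag = tokens[i].upper()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            opts[flag] = ""
            i += 1
    return opts


def findings_for(ev: ProcEvent) -> list:
    """Return the heuristics (with details) that this single event trips."""
    out = []
    img = ev.image.lower()
    # 1. schtasks creating a high-frequency task whose action lives in a user-writable path
    if img.endswith("schtasks.exe"):
        o = schtasks_options(ev.cmdline)
        every = int(o["/MO"]) if o.get("/MO", "").isdigit() else 1
        if "/CREATE" in o and o.get("/SC", "").upper() == "MINUTE" \
                and every <= SHORT_INTERVAL_MIN and USER_WRITABLE.search(o.get("/TR", "")):
            out.append(f"persistence: task {o.get('/TN')} runs {o['/TR']} every {every} min")
    # 2. CACLS used to strip a user's access to a file or directory (seen on the cmd.exe line)
    for target, user in CACLS_DENY.findall(ev.cmdline):
        out.append(f"acl-tamper: deny {user} on {target}")
    # 3. rundll32 invoking an export of a DLL that sits in a user-writable path
    m = RUNDLL32.search(ev.cmdline) if img.endswith("rundll32.exe") else None
    if m and USER_WRITABLE.search(m.group(1)):
        out.append(f"rundll32: {m.group(1)} export {m.group(2)} from user-writable path")
    # 4. the Windows 7 task engine starting a binary from a user-writable path
    if ev.parent_image.lower().endswith("taskeng.exe") and USER_WRITABLE.search(ev.image):
        out.append(f"task-exec: scheduled task launched {ev.image}")
    # 5. a binary in a user-writable path starting a different binary in a user-writable path
    if USER_WRITABLE.search(ev.parent_image) and USER_WRITABLE.search(ev.image) \
            and ev.parent_image.lower() != img:
        out.append(f"drop-exec: {ev.parent_image} launched {ev.image}")
    return out


def triage(events) -> dict:
    """{pid: findings} for every event that tripped at least one heuristic."""
    return {ev.pid: f for ev in events if (f := findings_for(ev))}


# Constructed from the Processes tree above (pids as reported by the sandbox).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914.exe"
DROP = r"C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe"
PLUGIN = r"C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll"
EVENTS = [
    ProcEvent(832, "", SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1200, SAMPLE, DROP, f'"{DROP}"'),
    ProcEvent(856, DROP, r"C:\Windows\SysWOW64\schtasks.exe",
              rf'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "{DROP}" /F'),
    ProcEvent(1460, DROP, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E'
              r'&&echo Y|CACLS "..\5eb6b96734" /P "Admin:N"&&CACLS "..\5eb6b96734" /P "Admin:R" /E&&Exit'),
    ProcEvent(1788, DROP, r"C:\Windows\SysWOW64\rundll32.exe",
              rf'"C:\Windows\System32\rundll32.exe" {PLUGIN}, Main'),
    ProcEvent(1516, r"C:\Windows\system32\taskeng.exe", DROP, DROP),
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

Run stand-alone it prints the five flagged pids (856, 1200, 1460, 1516, 1788) with their findings; the root process 832 trips nothing on its own, which is the point: the loader is only recognisable from what it spawns. Heuristic 2 deliberately matches on the command line rather than the image so that the chained cmd.exe line is caught even where the individual cacls.exe children are not logged.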
Downloads

C:\Users\Admin\AppData\Local\Temp\5eb6b96734\nbveek.exe (listed 5 times: 4 as C:\Users\..., once as \Users\...)
Filesize: 235KB
MD5: 67bb41448f41511e169c83230d7e9486
SHA1: dde5a6577a966a9e8713e66ad7ef50b840dd114e
SHA256: f3cd81daa660f8a66d5fd299a0801d06eb05e88dfc914da4e04aee13df10007b
SHA512: 84baf5659cee4e55f48ea0523e2f30c5c6d696d5881da7f628cb4450f1dfc949396ee48cbded60dc98b53483aeb5cdf7fbe4970ab612049356185f2aadf02d84
The hashes are identical to the submitted sample in General above: nbveek.exe is a byte-for-byte copy of the loader placed in the 5eb6b96734 directory, not a second-stage payload, so a single file hash covers both the original and the persisted copy.

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll (listed 5 times: once as C:\Users\..., 4 as \Users\...)
Filesize: 89KB
MD5: ce31169603a7eed43430aa62a758676d
SHA1: 1721383e86d8181f3175ac9bf2fe66c87fea3ed7
SHA256: 15bc34f8b63e66495ebc0b9133ad8b66672114b7dc100d65aa91b26e9ab8a6c1
SHA512: e322cec6c5cc3f0ea83e0f96af82700eeff9b6b353d378a99bb38cc605011eb29b36b6e286e6a2e8bf0d0d3d3276c49ae5440266bf586dbe3f8dd5e0e10ddca0
This is the DLL that rundll32.exe loads via its Main export in the Processes tree; its hashes differ from the sample's, so it is a distinct file written during the run.
memory/644-67-0x0000000000000000-mapping.dmp
memory/748-66-0x0000000000000000-mapping.dmp
memory/832-54-0x0000000075831000-0x0000000075833000-memory.dmp (8KB)
memory/856-59-0x0000000000000000-mapping.dmp
memory/904-65-0x0000000000000000-mapping.dmp
memory/940-78-0x0000000000000000-mapping.dmp
memory/1200-56-0x0000000000000000-mapping.dmp
memory/1460-60-0x0000000000000000-mapping.dmp
memory/1516-68-0x0000000000000000-mapping.dmp
memory/1712-61-0x0000000000000000-mapping.dmp
memory/1788-71-0x0000000000000000-mapping.dmp
memory/1844-64-0x0000000000000000-mapping.dmp
memory/1988-62-0x0000000000000000-mapping.dmp