0cf3e8db566d34f19d7c2df598f038542439d1f48e4b228d04c0a5469a62290b

General

Target

Andromeda Builder.exe
Size

1.3MB
MD5

be31dede2df4ba25eeb71b191a3512ba
SHA1

0d6ef1e4662eb0d624a395afe3e8c16a5f57be4d
SHA256

2089c3234f1808f2f729407fbec57e42f0cae79590b7e386b8ee2e18e0252f97
SHA512

c51a4b62e69467e6ddab21bfe452d41c0da376a14d3e1d4d16feefb60874b3efd76971df87e392c6d66bef6cffdf7dddede42c4c04172ef50a75761835ce2b57
SSDEEP

24576:8BvCwlJ2FEVchkZH7H0W9E3JB60t/d9GeD6g/DERv7i43MV/2gG:k6wlJ2FPuZH7H0W9eJB60t/d9GeD6gDC

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Andromeda Builder.exe

pid	process
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe
2028	Andromeda Builder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 20 IoCs

Processes:

Andromeda Builder.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Andromeda Builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Andromeda Builder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Andromeda Builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Andromeda Builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Andromeda Builder.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Andromeda Builder.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Andromeda Builder.exe

pid process

2028 Andromeda Builder.exe

C:\Users\Admin\AppData\Local\Temp\Andromeda Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Andromeda Builder.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-133-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2028-134-0x0000000077250000-0x0000000077465000-memory.dmp

Filesize
2.1MB

Download
memory/2028-2072-0x00000000779A0000-0x0000000077B40000-memory.dmp

Filesize
1.6MB

Download
memory/2028-3077-0x0000000075F40000-0x0000000075FBA000-memory.dmp

Filesize
488KB

Download
memory/2028-6670-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2028-6671-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download
memory/2028-6676-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing