Analysis

max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 04-03-2023 16:20

Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en
General

Target: tmp.exe
Size: 364KB
MD5: 624053fd08cbbd4b037d42abf3bebccf
SHA1: 9cc34928b43ea6fd5e391f0bcb07c2f1e2c705f0
SHA256: 232a7888f79f09c47258df130cbf4e854c7a5e0af0a534e5d918bbe7b4a9cd5a
SHA512: 0d834442875d8dc5a662d6a722cb46fe6f9e1501fa59993c379a34551c5d8c65c16fd156e3b3d02b55cc7eb451ffd5f8f0d11cfb84042c522f2c21ac9acecde6
SSDEEP: 6144:1IlO3QxkS7Vhc6l3qbPar3jriFa5gMfSuK+yJXsnGqgHt56b2:iqQxDpq6l3qbParyFa5/SVlvq5K
Malware Config

Extracted: amadey
Version: 3.21
URL: 185.215.113.15/Lkb2dxj3/index.php
Signatures

Yara rule matches (amadey_cred_module)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll | amadey_cred_module
  \Users\Admin\AppData\Roaming\110809d565579c\cred.dll | amadey_cred_module (5 matches)
  behavioral1/memory/1784-98-0x0000000000120000-0x0000000000144000-memory.dmp | amadey_cred_module
Blocklisted process makes network request 1 IoCs
  flow | pid | process
  7 | 1784 | rundll32.exe

Downloads MZ/PE file
Executes dropped EXE 4 IoCs
  pid | process
  1956 | bguuwe.exe
  1132 | bguuwe.exe
  820 | bguuwe.exe
  1532 | bguuwe.exe

Loads dropped DLL 6 IoCs
  pid | process
  2000 | tmp.exe (2 loads)
  1784 | rundll32.exe (4 loads)
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 4 IoCs
  pid | process
  1784 | rundll32.exe (4 entries)

Suspicious use of WriteProcessMemory 35 IoCs
  source pid | source process | target pid | target process | entries
  2000 | tmp.exe | 1956 | bguuwe.exe | 4
  1956 | bguuwe.exe | 464 | cmd.exe | 4
  1956 | bguuwe.exe | 1152 | schtasks.exe | 4
  464 | cmd.exe | 1964 | reg.exe | 4
  1760 | taskeng.exe | 1132 | bguuwe.exe | 4
  1956 | bguuwe.exe | 1784 | rundll32.exe | 7
  1760 | taskeng.exe | 820 | bguuwe.exe | 4
  1760 | taskeng.exe | 1532 | bguuwe.exe | 4

outlook_win_path 1 IoCs
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  PID: 2000
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"
    PID: 1956
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
      PID: 464
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
        PID: 1964

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
      PID: 1152
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main
      PID: 1784
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {EB3C8329-6C72-4A3B-BB8D-A1EF76F48930} S-1-5-21-1914912747-3343861975-731272777-1000:TMRJMUQF\Admin:Interactive:[1]
  PID: 1760
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    PID: 1132
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    PID: 820
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
    PID: 1532
    - Executes dropped EXE