Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
02-05-2023 19:28
General
-
Target
https://nftday.art/Setup2.exe
Malware Config
Extracted
amadey
3.70
tadogem.com/dF30Hn4m/index.php
Extracted
systembc
65.21.119.52:4277
localhost.exchange:4277
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://nftday.art/Setup2.exe1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1464 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RUOQG7D6\Setup2.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe"C:\Users\Admin\AppData\Local\Temp\5HvoTnCf.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F5⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll6⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 18643⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4352 -ip 43521⤵
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exeC:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5826fd61900b81693965e104fdb1950b0
SHA1abd17d1972f0e60f2a25a6be8eec78c9e2af65ce
SHA256eb852708c7ac4c8930938d4a6ade9553d4d3adb73c9c51d04cc8385841fd5dac
SHA512e8b3d60bd29def232dee5562656fe99797b9d05a9a55a7e69fc7729075694486a92d8405074c0c912db1a9a646759c3fa2e76415017e948ec09471f2a6e40195
-
Filesize
724B
MD5cfbc16e33dcbef6f773f0f79af528f45
SHA1ecb8d5e8107bc671dd57fb2a137c00bffa419f1f
SHA256f0937890fb1053069baac97b7992c6d22cb74cae20317fc05d51070d96950ffa
SHA51259ac2ead1eb84edffb06867850beb1e63f72c5b5415abd2fd4e7c2a1922c368f612d2a0288c00e32d5da47c4a77968ffbe72660a8d1f577f44fb20df9c11a4af
-
Filesize
410B
MD575570d9c2c84f7d7fca0b536420c3b88
SHA140bc7120256de7dd93590ca2f9fd0e3476d20f84
SHA256dc92f5afb10bb77df030d5f31894953c41d59bdbc9d2e3f7b8ab968774a1c6c2
SHA51278e86bfeea74429625c0731ef9757195d7287974c1bf1e82426dec04539f519326df4e72970e5da8304801f654b5dda5e282b72b703927811c58700022134d4e
-
Filesize
392B
MD55964dd5756121dce94e6f2bf77c96cdb
SHA15f398cb964fcc1cfc34e962a711aef632ee422f5
SHA2569577aea6e8c1b3e089df70e3c773fa6ea196a61ed637079f8c18b2c91b7eeb90
SHA51279a44252c59c520f1d4e0dd29a70b461746d51d92f3798b235ccc0544315abd46e7591b820219c3c4b69852b9b5b473ace44edb10ea104f3b74f1d35adc03a52
-
Filesize
344KB
MD5c80864ec4f40c15a4589d19a1e6cd3ca
SHA160179fed90422c2db1cefa9e05762965fa0e4283
SHA2561d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
344KB
MD5c80864ec4f40c15a4589d19a1e6cd3ca
SHA160179fed90422c2db1cefa9e05762965fa0e4283
SHA2561d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1
-
Filesize
344KB
MD5c80864ec4f40c15a4589d19a1e6cd3ca
SHA160179fed90422c2db1cefa9e05762965fa0e4283
SHA2561d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc
SHA512acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1
-
Filesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
Filesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
Filesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
Filesize
17KB
MD54c09e8e3a1d837f125ea9f9c0c2c5380
SHA10221f489cdef441afad424b5954d07b432d0b8e8
SHA25644d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace
SHA512d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
79KB
MD51c2317f1d16e05791276c4208f797091
SHA1418a30fa4ee28f2a77aa1c436e0734383735b763
SHA2564f432911caed6cbbc90bc95cd38fbcfffda04d8d6f13ec1dfdb0c51bf9be38c6
SHA5122c63d7943a76ec5bdec6194834ec091b5cefe48dfd2d6a274f2853d759871f5ef39b41960421cf3083d78cc3c71bee0c21934d0a05a91c85c4e96d98cf3aa56d
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
238KB
MD5c23d62c9166ae248fe9fe078328182f9
SHA1ce684054121205b1cd7befc016644680fd5b29d5
SHA25690fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e
SHA5121f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57
-
Filesize
211KB
MD51d81057710dc737ffee88f7f8b0ef90c
SHA18a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49
-
Filesize
211KB
MD51d81057710dc737ffee88f7f8b0ef90c
SHA18a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49
-
Filesize
211KB
MD51d81057710dc737ffee88f7f8b0ef90c
SHA18a13b1fe68d5010e5e9b14719a279c4037d7c446
SHA256c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc
SHA512a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49
-
Filesize
162B
MD51b7c22a214949975556626d7217e9a39
SHA1d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
-
Filesize
5.6MB
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
592KB
-
Filesize
4KB
-
Filesize
64KB