Analysis
-
max time kernel
295s -
max time network
297s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09-06-2023 07:09
Behavioral task
behavioral1
Sample
56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.zip
Resource
win10v2004-20230220-en
General
-
Target
56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe
-
Size
218KB
-
MD5
3367e30e4f2e023419d7b3c4251f854f
-
SHA1
f364b4426d5ec06f152b0dde69306313f1de34ee
-
SHA256
56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490
-
SHA512
6ea512daf807b64acedb2b8e61b1b818ce181f9a56069688b49b1067493613362cd00d14a6e5e849caa2582e85ec46ffa59e15944fdeead54da98a552e76c85b
-
SSDEEP
3072:meTRJ0kHbnpN23kQKp5XzutZXKGrpeN84LuZAIybiy3xEfbi:FTR2AnpN2wDurXBeBuZAIMEj
Malware Config
Extracted
Family
amadey
Version
3.83
C2
77.91.68.62/wings/game/index.php
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: 56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe, metado.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (process: 56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation (process: metado.exe)
-
Executes dropped EXE 6 IoCs
Processes:
Processes: metado.exe (6 instances)
pid / process
1864 metado.exe
2724 metado.exe
4260 metado.exe
704 metado.exe
2648 metado.exe
816 metado.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Processes: 56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe
pid / process
1900 56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
Processes: 56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe, metado.exe, cmd.exe
description / pid / process / target process (each relation is recorded three times in the report, 27 entries in total)
PID 1900 wrote to memory of 1864: 56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe -> metado.exe (3 entries)
PID 1864 wrote to memory of 816: metado.exe -> schtasks.exe (3 entries)
PID 1864 wrote to memory of 3436: metado.exe -> cmd.exe (3 entries)
PID 3436 wrote to memory of 4928: cmd.exe -> cmd.exe (3 entries)
PID 3436 wrote to memory of 4280: cmd.exe -> cacls.exe (3 entries)
PID 3436 wrote to memory of 1980: cmd.exe -> cacls.exe (3 entries)
PID 3436 wrote to memory of 4060: cmd.exe -> cmd.exe (3 entries)
PID 3436 wrote to memory of 3056: cmd.exe -> cacls.exe (3 entries)
PID 3436 wrote to memory of 320: cmd.exe -> cacls.exe (3 entries)
Processes
(process tree; the bracketed number is the depth in the tree, as in the original report)
-
[1] C:\Users\Admin\AppData\Local\Temp\56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490.exe"
    - Checks computer location settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN metado.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe" /F
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "metado.exe" /P "Admin:N"&&CACLS "metado.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "metado.exe" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "metado.exe" /P "Admin:R" /E
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\a9e2a16078" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\a9e2a16078" /P "Admin:R" /E
-
[1] C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe (5 separate instances, each with the same command line)
    Command line: C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\metado.exe
(same size and hashes as the submitted sample; the report lists this dropped file eight times with identical values)
Filesize
218KB
MD5
3367e30e4f2e023419d7b3c4251f854f
SHA1
f364b4426d5ec06f152b0dde69306313f1de34ee
SHA256
56de980060e4a4e6619fcda6b716b08278487459a301a1938838b90467531490
SHA512
6ea512daf807b64acedb2b8e61b1b818ce181f9a56069688b49b1067493613362cd00d14a6e5e849caa2582e85ec46ffa59e15944fdeead54da98a552e76c85b
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
10B
MD5
7605968e79d0ca095ab1231486d2b814
SHA1
a007b420d19ceefa840f0373e050e3b51a4ab480
SHA256
493fda53120050f85836032324409be6c6484f90a0755ae0c6a673ba7626818b
SHA512
769249da7ed6c6bf5671bbc2371a6453b433226ceb8c4c2aa3604000d66647bcec83dee1ab64c0262fa40f923d77e23bad2c47274d339effc51d904ce77072a6