Analysis
- max time kernel: 139s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 21:45
Behavioral task behavioral1
- Sample: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe
- Resource: win7-20231129-en
Behavioral task behavioral2
- Sample: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe
- Resource: win10v2004-20231215-en
General
- Target: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe
- Size: 426KB
- MD5: 9a0b7ee713610b8395c8f0580a3b1e3d
- SHA1: e44a9e7ec6fe06ae6ba1b9518db78e95ad451942
- SHA256: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357
- SHA512: 0f7acbc99ef4b91eba1db5b50a352f29432da25bbd3c4364947dad3d1ce2ccc3b9f95f75e66a22cd11d7fcd8bfcc6903ba646b2e8543767bce4b6b786736f8fc
- SSDEEP: 6144:1OP1cLnbZQOvBM1nGT7SVJEeFRuhuRlOBC+3hmHfqYr5PcfT5m0JuGeFxACt70+N:cPkOOKGNeZ6C+RpYrtS5m0JuGeFxZ06
Malware Config
Extracted
- Family: amadey
- Version: 4.15
- C2: http://185.215.113.68
- install_dir: d887ceb89d
- install_file: explorhe.exe
- strings_key: 7cadc181267fafff9df8503e730d60e1
- url_paths: /theme/index.php
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe (flow 19, PID 3060)
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes: explorhe.exe (PID 2376), explorhe.exe (PID 2496), explorhe.exe (PID 2576), explorhe.exe (PID 588)
- Loads dropped DLL (5 IoCs)
  Processes: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe (PID 1044, 1 event); rundll32.exe (PID 3060, 4 events)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe (PID 1044)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe, explorhe.exe, taskeng.exe
  Events (parent PID / parent process wrote to memory of target PID / target process, number of events):
  - PID 1044 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe -> PID 2376 explorhe.exe (4 events)
  - PID 2376 explorhe.exe -> PID 2560 schtasks.exe (4 events)
  - PID 1076 taskeng.exe -> PID 2496 explorhe.exe (4 events)
  - PID 2376 explorhe.exe -> PID 3060 rundll32.exe (7 events)
  - PID 1076 taskeng.exe -> PID 2576 explorhe.exe (4 events)
  - PID 1076 taskeng.exe -> PID 588 explorhe.exe (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C5E23CDE-9EC5-4BA1-A131-44B2D161B1D8} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  Filesize: 426KB
  MD5: 9a0b7ee713610b8395c8f0580a3b1e3d
  SHA1: e44a9e7ec6fe06ae6ba1b9518db78e95ad451942
  SHA256: 6b8e428cff996c49aa52e017213c7016880a2bc1583d051240c74992bf83c357
  SHA512: 0f7acbc99ef4b91eba1db5b50a352f29432da25bbd3c4364947dad3d1ce2ccc3b9f95f75e66a22cd11d7fcd8bfcc6903ba646b2e8543767bce4b6b786736f8fc
- C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
  Filesize: 280KB
  MD5: f56baafb279028d4cd5a36b0861b9d11
  SHA1: 73f01a3a07387f1a2e4b9ac26b253301d332bc59
  SHA256: bc123c78d6354c85f5af3ac7f1ddc8c08809503e947c85cea5174c991031da80
  SHA512: c45e0d2f305f0c80a01984e32dcc6fd607827f4605989ad4d61e0b5e2807464b5b9268f8f5822f8c899a596585db0347e55f34d1e0e172c0e5553076c5412fb8
- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
  Filesize: 102KB
  MD5: 85af6c99d918757171d2d280e5ac61ef
  SHA1: ba1426d0ecf89825f690adad0a9f3c8c528ed48e
  SHA256: 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
  SHA512: 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e
- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
  Filesize: 162B
  MD5: 1b7c22a214949975556626d7217e9a39
  SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
  SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
  SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5
- memory/1044-0-0x00000000003D0000-0x00000000003D1000-memory.dmp
  Filesize: 4KB