Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-02-2024 09:13
Static task: static1
Behavioral task: behavioral1
- Sample: 8ec53e702b8bb3c3da7ceceb14c501bf.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8ec53e702b8bb3c3da7ceceb14c501bf.exe
- Resource: win10v2004-20231215-en
General
- Target: 8ec53e702b8bb3c3da7ceceb14c501bf.exe
- Size: 661KB
- MD5: 8ec53e702b8bb3c3da7ceceb14c501bf
- SHA1: 767656206195737252e8f11bd062e00e8577bc1f
- SHA256: ee426002bc8cbdf883e09fdc595e5f2b3f3ba24a8d0d7db8d6cea925468fdc20
- SHA512: baea150f7e370d53fc4d0b2bf607c549a221ced2b80c1937c635dfe7ef34db74ab7ab9d0288dfc9941789c062ec53a9afc5fa88b9d10dea944d73145b117632b
- SSDEEP: 12288:dyBC7gUC/h3fKp10rOHjIHvrIWEaPAudPXdAze5WZvIiPFMnDlLSwb37+y3l9C8z:m1/h3fKpOrpHviOVdPXdAze5WZQiKLtT
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2248, process amg.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AntiMalwareGuard = "C:\\Program Files (x86)\\AntiMalwareGuard\\amg.exe" (process: amg.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (6 IoCs)
  File created: C:\Program Files (x86)\AntiMalwareGuard\amg.exe (process: 8ec53e702b8bb3c3da7ceceb14c501bf.exe)
  File opened for modification: C:\Program Files (x86)\AntiMalwareGuard\amg.exe (process: 8ec53e702b8bb3c3da7ceceb14c501bf.exe)
  File opened for modification: C:\Program Files (x86)\AntiMalwareGuard\amg.ini (process: amg.exe)
  File created: C:\Program Files (x86)\AntiMalwareGuard\WL.dat (process: amg.exe)
  File created: C:\Program Files (x86)\AntiMalwareGuard\BL.dat (process: amg.exe)
  File opened for modification: C:\Program Files (x86)\AntiMalwareGuard\amg.ini (process: 8ec53e702b8bb3c3da7ceceb14c501bf.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2248, process amg.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 2248, process amg.exe
- Suspicious use of SetWindowsHookEx (7 IoCs)
  pid 4764, process 8ec53e702b8bb3c3da7ceceb14c501bf.exe (3 events)
  pid 2248, process amg.exe (4 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4764 wrote to memory of 2248; pid 4764, process 8ec53e702b8bb3c3da7ceceb14c501bf.exe, procid_target 84 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\8ec53e702b8bb3c3da7ceceb14c501bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ec53e702b8bb3c3da7ceceb14c501bf.exe"
  PID: 4764
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Program Files (x86)\AntiMalwareGuard\amg.exe
    Command line: "C:\Program Files (x86)\AntiMalwareGuard\amg.exe" /install
    PID: 2248
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15