Analysis
  max time kernel: 147s
  max time network: 150s
  platform: windows11-21h2_x64
  resource: win11-20240221-en
  resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  submitted: 19-03-2024 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
  Resource: win10v2004-20240226-en
General
  Target: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
  Size: 1.4MB
  MD5: 04055601abbd16ec6cc9e02450c19381
  SHA1: 420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e
  SHA256: b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13
  SHA512: 826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac
  SSDEEP: 24576:HhSIBky91oHhqyp54SWIbts8MZHq9NGCzgNgpiZtsyCx+OO9OKfNgd5H4+3:B3J91qhDp5HWAsF28ZtsJsOO9WH4g
Malware Config
Extracted
  Family: amadey
  Version: 4.18
  URLs:
    http://185.172.128.3
    http://cdnforbusiness.com
  install_dir: One_Dragon_Center
  install_file: MSI.CentralServer.exe
  strings_key: fd2f5851d3165c210396dcbe9930d294
  url_paths: /QajE3OBS/index.php
Signatures

- Executes dropped EXE (3 IoCs)
  pid   Process
  2920  MSI.CentralServer.exe
  3232  MSI.CentralServer.exe
  3140  MSI.CentralServer.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process                procid_target
  PID 3232 set thread context of 3624   3232  MSI.CentralServer.exe  87
  PID 3140 set thread context of 676    3140  MSI.CentralServer.exe  91

- Drops file in Windows directory (1 IoCs)
  description   ioc                                      Process
  File created  C:\Windows\Tasks\MSI.CentralServer.job   b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Delays execution with timeout.exe (1 IoCs)
  pid   Process
  1476  timeout.exe

- Kills process with taskkill (1 IoCs)
  pid   Process
  3932  taskkill.exe

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  3232  MSI.CentralServer.exe
  3232  MSI.CentralServer.exe
  3624  cmd.exe
  3624  cmd.exe
  3140  MSI.CentralServer.exe
  3140  MSI.CentralServer.exe
  676   cmd.exe
  676   cmd.exe

- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid   Process
  3232  MSI.CentralServer.exe
  3140  MSI.CentralServer.exe
  3624  cmd.exe
  676   cmd.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3932  taskkill.exe

- Suspicious use of WriteProcessMemory (29 IoCs)
  description                         pid   Process                procid_target
  PID 2920 wrote to memory of 2516    2920  MSI.CentralServer.exe  81
  PID 2920 wrote to memory of 2516    2920  MSI.CentralServer.exe  81
  PID 2920 wrote to memory of 2516    2920  MSI.CentralServer.exe  81
  PID 2516 wrote to memory of 3932    2516  cmd.exe                83
  PID 2516 wrote to memory of 3932    2516  cmd.exe                83
  PID 2516 wrote to memory of 3932    2516  cmd.exe                83
  PID 2516 wrote to memory of 1476    2516  cmd.exe                85
  PID 2516 wrote to memory of 1476    2516  cmd.exe                85
  PID 2516 wrote to memory of 1476    2516  cmd.exe                85
  PID 2516 wrote to memory of 3232    2516  cmd.exe                86
  PID 2516 wrote to memory of 3232    2516  cmd.exe                86
  PID 2516 wrote to memory of 3232    2516  cmd.exe                86
  PID 3232 wrote to memory of 3624    3232  MSI.CentralServer.exe  87
  PID 3232 wrote to memory of 3624    3232  MSI.CentralServer.exe  87
  PID 3232 wrote to memory of 3624    3232  MSI.CentralServer.exe  87
  PID 3232 wrote to memory of 3624    3232  MSI.CentralServer.exe  87
  PID 3140 wrote to memory of 676     3140  MSI.CentralServer.exe  91
  PID 3140 wrote to memory of 676     3140  MSI.CentralServer.exe  91
  PID 3140 wrote to memory of 676     3140  MSI.CentralServer.exe  91
  PID 3624 wrote to memory of 2872    3624  cmd.exe                93
  PID 3624 wrote to memory of 2872    3624  cmd.exe                93
  PID 3624 wrote to memory of 2872    3624  cmd.exe                93
  PID 3140 wrote to memory of 676     3140  MSI.CentralServer.exe  91
  PID 3624 wrote to memory of 2872    3624  cmd.exe                93
  PID 676 wrote to memory of 1448     676   cmd.exe                94
  PID 676 wrote to memory of 1448     676   cmd.exe                94
  PID 676 wrote to memory of 1448     676   cmd.exe                94
  PID 676 wrote to memory of 1448     676   cmd.exe                94
  PID 3624 wrote to memory of 2872    3624  cmd.exe                93
Processes

- C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13.exe"
  PID: 1472
  Signatures: Drops file in Windows directory

- C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  PID: 2920
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k "taskkill /f /im "MSI.CentralServer.exe" && timeout 1 && del "MSI.CentralServer.exe" && ren c36f10 MSI.CentralServer.exe && C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe && Exit"
    PID: 2516
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im "MSI.CentralServer.exe"
      PID: 3932
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 1
      PID: 1476
      Signatures: Delays execution with timeout.exe

    - C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
      PID: 3232
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\SysWOW64\cmd.exe
        PID: 3624
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

        - C:\Windows\SysWOW64\explorer.exe
          Command line: C:\Windows\SysWOW64\explorer.exe
          PID: 2872

- C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  PID: 3140
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\SysWOW64\cmd.exe
    PID: 676
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\explorer.exe
      Command line: C:\Windows\SysWOW64\explorer.exe
      PID: 1448
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 717B
  MD5: 822467b728b7a66b081c91795373789a
  SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
  SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
  SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

- Filesize: 299B
  MD5: 5ae8478af8dd6eec7ad4edf162dd3df1
  SHA1: 55670b9fd39da59a9d7d0bb0aecb52324cbacc5a
  SHA256: fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
  SHA512: a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  Filesize: 192B
  MD5: 37193a24ef52c1a7536e28c860bdde31
  SHA1: 83e007683eb32f5b81c38ba639344940b8ba4726
  SHA256: d7abb22633e43bf76ce10a72e975ae96a00df9fefacfe088a2b5aa8dd3481ce9
  SHA512: 087488b87dd8fbf88db761787c1f1883cfd55e70da9a4e0818f87673a6bc3185661f56419fb291f19a67bef427d165ba6beefbfdeff94f9682c844b11221bbd2

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
  Filesize: 192B
  MD5: 109abf956a3c414be4a101d20eae509f
  SHA1: e0cb1c935cccf55a57cf66639d8bb13bbe9e2d44
  SHA256: bde02805093e841eba08a27935ef77b2194e4e98b232ca55716c5e5475b01bd9
  SHA512: adfd71b6bc39cde07e74a3bf0e802ffb50a9e220c50260061ad75d4afe9966d3b9b47338a248d05464f879e0eca9060d48efb0130e43addc83a27990c794a097

- Filesize: 128KB
  MD5: ff8774fb693db74d3cae3d7ff2e9087d
  SHA1: db39cdf5bc47f214a4a1e1e865db34bbc53c4bfd
  SHA256: 00648def061cc4d442ecc46295b45d7df9c806617735a6edae1f3a44469c9646
  SHA512: 21b26bfea9f9d4a4ae7ed3fd9ccd9068dee7b908cee76bcd58d6090cc9c4ea58b59f4bd89b90c2a1eaa1b66506d87c72eb1c39205fa65fdec9cf6b6e00f32741

- Filesize: 89KB
  MD5: df5c22d8d01c7abb0efee9a65f31715c
  SHA1: 3aeaeb90014d3a53bee06afb48825699bdfc8460
  SHA256: e6e484fdec7220f2662c2550ce375fbffea80d2f7edb921e06003f66c19e2269
  SHA512: 98befc0b76c6712e5ed851ff9bb2ff8e01fad016dd2362e4ad70c3939748820cb86870d8af7c3dc3579757990306314c450ebb21a618401da9b5a0589b9f53c7

- Filesize: 442KB
  MD5: 5354778c1c198d065f5129cba8979bb2
  SHA1: d1f0b0b7ef675f3484cc1d57a88c6a749b9d46d6
  SHA256: 5c5342a832644265ca09c5001a83e8aad955e694644fdce334364f14114a3a8e
  SHA512: 50ea98306aa1acef42eb492b3351c796a92eab588ef1958116d4c88467a64e072dbd7269935e53e942f2da3c5db2cbd322cefc39af8432cbac0047a4dd6d202d

- Filesize: 401KB
  MD5: 4a3d4394e848cda1d52900b704924ef0
  SHA1: b0f9643869a1a422722cb1c279a3a3080f66ba3a
  SHA256: 7efa6654940afe40d26975022af8d0980e5656db22db788e95a0e6c8ae5a8e95
  SHA512: aa249afd0bee0a4aac70adfaad29a06a606c0f4898095f57261396675f6cda7f6574f4c51ba94b993423f67ab08ee2877e47377af512fd240148c4d022985594

- Filesize: 789KB
  MD5: 09fe6f6f40c0adc36a554750ca70f72d
  SHA1: 05049c5af84d520bf193dfb177966bb35c500f1e
  SHA256: ebfecf5d450e3a9a3fe04fa2f20ae3e78f1871986fe784100c78d58eb1f02aea
  SHA512: 5532db19ac1d6c0b5ea8e2c5202586e55bb54d8729b18f6cb9a98e6599c7ff68ba3766e7a6435e6dec88b5024e960ad5ecef941464755fbf710e5e780c8585f5

- Filesize: 172KB
  MD5: 8b530259d098538d443af20c832fcef2
  SHA1: 50a9272d2133cc59436e9c1c5b60a6ebf6ed6045
  SHA256: 34fd13d7230885cd58b95ffdb7c34087f92ed4a20459517ec4e312137b0bb3cd
  SHA512: 8265186f85eb6bd87259c2d29d5c7f4b1e315a869e373f2c36d0df3f43e402cba5d38550dee3196d6bc03be20469220fdd62009b3447cfaadf96a4913a014d38

- Filesize: 2.4MB
  MD5: ced6183a4588797f595788a568f31550
  SHA1: 25dafbc7b3604f45e22b5875baa6cf22e87dc439
  SHA256: 13ae8685d400e61aa7784f114fe7083b9358a4839d45776cadaea3a8a1fa1422
  SHA512: c6645aa5d5c1568dea8298ebf83f107ec794b68d15460f2b1ccfc17602590bb8fe06ba2986569319f964530a73c809a62d7c2b6e2dc0883be5f3706893c40303

- Filesize: 264KB
  MD5: 4e03045f3f93f2c5c77538d1801b3cea
  SHA1: f75a86ea79fd066a0e93a9d5ba5033f61d7551e7
  SHA256: e97e7087dda4a46df73310405c3b9d8cec45c3dca99b42e163a20b49bdd15308
  SHA512: f337b3a18a343eb57238581ea2b5e8302f777860b6d48824063222eeee2e7184fd7eac9c03d01196f827e35f7787393f59d13798403a6930ee9ffd9678c06043

- Filesize: 1.1MB
  MD5: 363e4c4c6b86f288acac0a09d8daa9a0
  SHA1: 57c58e29729c8d23e5abbfafb84585fea6af3837
  SHA256: 37cba56115b154e81c04b932f7fcc40eedadd8fc7deeb118dfedefdc31bd3fdf
  SHA512: 25cb2edfd9e4b3deb77c71e51d3232b7603a159017e3e2debd4086e02516e119cc66703783b9588be0dcbee6ed47a26922acde5ee7f6a0a11c7b93e0db900bc4