Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
22-03-2024 02:25
General
-
Target
0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b.exe
-
Size
1.8MB
-
MD5
3deb44decaf4c0c6bae78a603f2b4a71
-
SHA1
b9ee88f8b78e5d392b48b6a911d5529308173568
-
SHA256
0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b
-
SHA512
eb4b9ab5423e818cedcbbc8b731948b5075df5768b57503b423cd49f10514b218c624feb66ba98ad57a624e00cf16fd04b73162e89cae5d7a5dbe8339f9c778b
-
SSDEEP
49152:un5E5pxdMwL/kxgLj/jPRdFRrRUvpVuvAexy0C:eE5pM8sxgCBVmAexy0C
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Extracted
stealc
http://185.172.128.209
-
url_path
/3cd2b41cbde8fc9c.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect ZGRat V1 3 IoCs
-
Stealc
Stealc is an infostealer written in C++.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 5 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 7 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b.exe"C:\Users\Admin\AppData\Local\Temp\0851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 11924⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"C:\Users\Admin\AppData\Local\Temp\1001010001\ISetup3.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u17c.0.exe"C:\Users\Admin\AppData\Local\Temp\u17c.0.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HJJDGHCBGD.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\HJJDGHCBGD.exe"C:\Users\Admin\AppData\Local\Temp\HJJDGHCBGD.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HJJDGHCBGD.exe6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30007⤵
- Runs ping.exe
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 24964⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\u17c.1.exe"C:\Users\Admin\AppData\Local\Temp\u17c.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD14⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 11763⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3032 -ip 30321⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1560 -ip 15601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1544 -ip 15441⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
256KB
MD5d56637ea2ca40bc8b22303c9f274cd91
SHA1c729b37a70880edae19c9cbfc37d6abc54d8dae9
SHA2560d3f8ec284e987e994a99f7929aa65842cf17d2f88deff7358fa5cd90ff51de1
SHA512c6ce71956e40f75b70f2bd74a063d4ba3cb7384d50fc01d06c6a1e969d53b0044257262c683f931ee5e43e5f9062e9ffdd1aca46eb1f8be75cb2c39d843bcbe3
-
Filesize
384KB
MD5b59a2ffe9bab917d7bc5d32bf33e77c9
SHA14121f341805ef2c984d16f1ad401e470f553e609
SHA2569d137900c5d7431bcef643b53883095e1f984aea7f96a0daed48db425a5bfe7d
SHA512d6c230a55112b113afb65639a839993503da7bbd290d3554f34d3c8bbdef978e47a2a0a5605b9d714be8a49aeeaef510fdebc428705b3f46046af50a76f00129
-
Filesize
128KB
MD534772db675889069f256a8ad143554c2
SHA12e6ceda2c0267e8fe1d4f24860d46b26fdb63117
SHA256e4eafcf079025ec65956c46c5294a5122fa18a3836569784507dd9e9b5a5afde
SHA512e97495dbf030e37f52eb61ce9850d919ad09d0d8fa4200b88c213927b1f29fb7d29393d698943b68987a37c9d896b6d61eb6c7e631013b5c22566248f40480fd
-
Filesize
1.8MB
MD53deb44decaf4c0c6bae78a603f2b4a71
SHA1b9ee88f8b78e5d392b48b6a911d5529308173568
SHA2560851d6bd4a42a4123de6fc3de0809b29451153299e570c5284abb3033585159b
SHA512eb4b9ab5423e818cedcbbc8b731948b5075df5768b57503b423cd49f10514b218c624feb66ba98ad57a624e00cf16fd04b73162e89cae5d7a5dbe8339f9c778b
-
Filesize
350KB
MD504df085b57814d1a1accead4e153909e
SHA16d277da314ef185ba9072a9b677b599b1f46c35b
SHA25691a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd
SHA512f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa
-
Filesize
409KB
MD583a54df2b454eb462579a74f05fc6c9f
SHA15e235c7174c3dd9979b7a8ad7eaf596775f2d6e2
SHA256cf7efb0f59fd6d747dcc6114019e6fcf797eb9a54e2706520557799fc18fc5e4
SHA512b862d9799791f9f5a28dc9a848486e8c5000d1425546200f8be9fa31d597fc8864172ba01c8ffc851aac8ff366d8b1f363bcd3ab57c7a3f926f4638904872dc7
-
Filesize
156KB
MD545143be0d8e41a80621dcf8487c52f7b
SHA14bb975e86e35509e9134e952b16f0450d2dd1b5c
SHA25680dca09d0794ae0a9469a1d3ce611caf0315dfd9c1a50f8432de1ff5a9dce1ac
SHA5128405488320d5c21b65c1c443871c3cd06c1a8525de19b0405a582c1ed1b910d28e97555499f8e64808b54304fe2398d90c7b75fce927c4235ea7746148afc049
-
Filesize
101KB
MD542b838cf8bdf67400525e128d917f6e0
SHA1a578f6faec738912dba8c41e7abe1502c46d0cae
SHA2560e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d
SHA512f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0
-
Filesize
156KB
MD55d5aabd199c884e9022446a49ee7b6ba
SHA1eefc9a1b0b9ab0614f66e9dac140c15270623bb6
SHA256c2fbd20ae27d268a1ac4e55f4ac93050d6d4c4993ef897dcfcb3f827fe888ee8
SHA51225afcff0f810d97114fa9cdb9010741f328ede98aebf25d826b394504513481cd0de2e263936ba0c17411458158494ea844ad254cf8c5c2a8e01faa9519c6a9a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5aa6bc21f44e160d5a427e9c3e1850cd4
SHA13a39dfe0669cf74c124a13c5b14c9ee5b020ba72
SHA2564fc53ebba4a369632c139fcdd85a85b226b302e70b77f70189fb1a8fe1d635a9
SHA512a56de8ccb6195c7bb0d51e7cc9c5a8a220617c1e0d4963105df93ca1cb10ce2e1f4e7f567d2b4ab57c6cd891c56339361b8a07e296fe8ad496cc7c36c0e158de
-
Filesize
3KB
MD54a23947e6b85c61e9f2f689c70d7e39a
SHA1d707aab4b8306a630bf7f30b9e57f827edff9ee5
SHA256577ec55a9a24de42ed4177eb475294e001ed2836580f3a26fc7b1a00628500d6
SHA512b275aa38586143c4cb57ab0cdf24a6affd26c293fdc6b384028e91ae49df27e60f54d790b4e4b59417c4e4daecfe292134fa8fb3321a5cb7f67f2db7ebb72176
-
Filesize
261KB
MD5117317fbb36d19cd13ec4ad689003337
SHA1255559041e48bf87b5409d62da5bdb93e4933c8d
SHA256afd1ac557f3abeb5bb9a8358f0a3b06e5d276ff7b478b768af4d34af6e15cba2
SHA5121c035c63157a3bb6cb00b9e3c2e6ea9af15b8b8edb3a6a34eb2a2530a3d080a37f806a6b2045bb68ede64373cb85b18b1e8632a331ad5448e9e77ffdd2801e80
-
Filesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
Filesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
Filesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
1.1MB
-
Filesize
10.8MB
-
Filesize
56.8MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
3.0MB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
168KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
392KB
-
Filesize
488KB
-
Filesize
48KB
-
Filesize
144KB
-
Filesize
40KB
-
Filesize
712KB
-
Filesize
156KB
-
Filesize
972KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
2.2MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
444KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
7.7MB
-
Filesize
32.0MB
-
Filesize
376KB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB
-
Filesize
4.7MB