Analysis
-
max time kernel
144s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
24/03/2024, 18:52
Static task
static1
Behavioral task
behavioral1
Sample
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
Resource
win10v2004-20240226-en
General
-
Target
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
-
Size
442KB
-
MD5
34468074c946943518ab33be24c01ef9
-
SHA1
742cf7ff13dcab6a99b372dc99f362f45be3d69c
-
SHA256
339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
-
SHA512
b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b
-
SSDEEP
6144:9qIH8p8GgMyYRhuPTMCGzlmJDZWgECsFjKdJtH3s5ZBjnA:9d8p8GgAWP4CYE4BCsmdJFij0
Malware Config
Extracted
amadey
4.18
-
install_dir
154561dcbf
-
install_file
Dctooux.exe
-
strings_key
2cd47fa043c815e1a033c67832f3c6a5
-
url_paths
/j4Fvskd3/index.php
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 4 760 rundll32.exe 6 3120 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
pid Process 3604 Dctooux.exe 2840 Dctooux.exe 3832 Dctooux.exe -
Loads dropped DLL 3 IoCs
pid Process 4456 rundll32.exe 760 rundll32.exe 3120 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Dctooux.job 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 30 IoCs
pid pid_target Process procid_target 5056 4736 WerFault.exe 75 616 4736 WerFault.exe 75 1708 4736 WerFault.exe 75 3876 4736 WerFault.exe 75 928 4736 WerFault.exe 75 4904 4736 WerFault.exe 75 3964 4736 WerFault.exe 75 1060 4736 WerFault.exe 75 1852 4736 WerFault.exe 75 3068 4736 WerFault.exe 75 4964 4736 WerFault.exe 75 4856 3604 WerFault.exe 95 1056 3604 WerFault.exe 95 4984 3604 WerFault.exe 95 1532 3604 WerFault.exe 95 4924 3604 WerFault.exe 95 4540 3604 WerFault.exe 95 2308 3604 WerFault.exe 95 404 3604 WerFault.exe 95 1628 3604 WerFault.exe 95 336 3604 WerFault.exe 95 1324 3604 WerFault.exe 95 4848 3604 WerFault.exe 95 4280 3604 WerFault.exe 95 3172 3604 WerFault.exe 95 3184 2840 WerFault.exe 135 3400 3604 WerFault.exe 95 4040 3832 WerFault.exe 140 3372 3604 WerFault.exe 95 4924 3604 WerFault.exe 95 -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 760 rundll32.exe 400 powershell.exe 400 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 400 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4736 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4736 wrote to memory of 3604 4736 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe 95 PID 4736 wrote to memory of 3604 4736 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe 95 PID 4736 wrote to memory of 3604 4736 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe 95 PID 3604 wrote to memory of 4456 3604 Dctooux.exe 126 PID 3604 wrote to memory of 4456 3604 Dctooux.exe 126 PID 3604 wrote to memory of 4456 3604 Dctooux.exe 126 PID 4456 wrote to memory of 760 4456 rundll32.exe 127 PID 4456 wrote to memory of 760 4456 rundll32.exe 127 PID 760 wrote to memory of 4932 760 rundll32.exe 128 PID 760 wrote to memory of 4932 760 rundll32.exe 128 PID 760 wrote to memory of 400 760 rundll32.exe 130 PID 760 wrote to memory of 400 760 rundll32.exe 130 PID 3604 wrote to memory of 3120 3604 Dctooux.exe 132 PID 3604 wrote to memory of 3120 3604 Dctooux.exe 132 PID 3604 wrote to memory of 3120 3604 Dctooux.exe 132
Processes
-
C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe"C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 7722⤵
- Program crash
PID:5056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 8202⤵
- Program crash
PID:616
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 8762⤵
- Program crash
PID:1708
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 9442⤵
- Program crash
PID:3876
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 9322⤵
- Program crash
PID:928
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 9722⤵
- Program crash
PID:4904
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 9362⤵
- Program crash
PID:3964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 10562⤵
- Program crash
PID:1060
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 11322⤵
- Program crash
PID:1852
-
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 5803⤵
- Program crash
PID:4856
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 6003⤵
- Program crash
PID:1056
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 6483⤵
- Program crash
PID:4984
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 7483⤵
- Program crash
PID:1532
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 8923⤵
- Program crash
PID:4924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 9323⤵
- Program crash
PID:4540
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 7603⤵
- Program crash
PID:2308
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 8923⤵
- Program crash
PID:404
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 7763⤵
- Program crash
PID:1628
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 10603⤵
- Program crash
PID:336
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 10683⤵
- Program crash
PID:1324
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 13643⤵
- Program crash
PID:4848
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 16283⤵
- Program crash
PID:4280
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\930051783255_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:400
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3120
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 14883⤵
- Program crash
PID:3172
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 16203⤵
- Program crash
PID:3400
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 11963⤵
- Program crash
PID:3372
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 10643⤵
- Program crash
PID:4924
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 15642⤵
- Program crash
PID:3068
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 8002⤵
- Program crash
PID:4964
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4736 -ip 47361⤵PID:2548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4736 -ip 47361⤵PID:1744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4736 -ip 47361⤵PID:5072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4736 -ip 47361⤵PID:2104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4736 -ip 47361⤵PID:4068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4736 -ip 47361⤵PID:1412
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4736 -ip 47361⤵PID:4688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4736 -ip 47361⤵PID:4492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4736 -ip 47361⤵PID:1408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 4736 -ip 47361⤵PID:1192
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4736 -ip 47361⤵PID:3292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3604 -ip 36041⤵PID:4568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3604 -ip 36041⤵PID:2888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3604 -ip 36041⤵PID:2400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3604 -ip 36041⤵PID:4664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3604 -ip 36041⤵PID:2340
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3604 -ip 36041⤵PID:776
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3604 -ip 36041⤵PID:2468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3604 -ip 36041⤵PID:3896
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3604 -ip 36041⤵PID:4700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3604 -ip 36041⤵PID:1728
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3604 -ip 36041⤵PID:2396
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3604 -ip 36041⤵PID:4232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3604 -ip 36041⤵PID:1464
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3604 -ip 36041⤵PID:2548
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe1⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 4802⤵
- Program crash
PID:3184
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2840 -ip 28401⤵PID:1540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3604 -ip 36041⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe1⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 4722⤵
- Program crash
PID:4040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3832 -ip 38321⤵PID:1508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3604 -ip 36041⤵PID:2156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3604 -ip 36041⤵PID:4960
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD534468074c946943518ab33be24c01ef9
SHA1742cf7ff13dcab6a99b372dc99f362f45be3d69c
SHA256339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
SHA512b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b
-
Filesize
75KB
MD583930350dc29fad869034695a36201cb
SHA14bc0af17dd2748e39305993c50deec49a128e45c
SHA2567298089a8c62ab2e8da4bd1ef09b5bad3b0fc8e9d9b48b60f6711940f24fd995
SHA512cd8c9305376f1ef67b85959ffc3181de9aba64d54bfe5b93e1e9fe90cee9bec180bbf00ebd8bf4884f59134a80eb9dafb4070b9ff7f093e7eaa4b23141b28d59
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
109KB
MD5ca684dc5ebed4381701a39f1cc3a0fb2
SHA18c4a375aa583bd1c705597a7f45fd18934276770
SHA256b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA5128b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510
-
Filesize
1.2MB
MD54876ee75ce2712147c41ff1277cd2d30
SHA13733dc92318f0c6b92cb201e49151686281acda6
SHA256bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA5129bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9