Analysis

max time kernel: 294s
max time network: 193s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 22:27

Static task: static1
Behavioral task: behavioral1
Sample: 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Resource: win7-20240221-en
General

Target: 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
Size: 420KB
MD5: 7b432411c12d3d0d31ecaf9011450e42
SHA1: 968943d42ba1e8938989b6ed1884195c2285396f
SHA256: 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
SHA512: 6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
SSDEEP: 6144:lfBwgfV+aXoGJR1xpppStlxu4qGilNZZDLxFLWj4+36o9:l3V+anFxZUq1NZJ9N8qu
Malware Config

Extracted family: amadey
Version: 4.18
install_dir: 154561dcbf
install_file: Dctooux.exe
strings_key: 2cd47fa043c815e1a033c67832f3c6a5
url_paths: /j4Fvskd3/index.php
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
  flow 9   pid 2860  rundll32.exe
  flow 12  pid 2380  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
Processes:
  pid 2624  Dctooux.exe

Loads dropped DLL (14 IoCs)
Processes:
  pid 1988  3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe  (2 occurrences)
  pid 2888  rundll32.exe  (4 occurrences)
  pid 2860  rundll32.exe  (4 occurrences)
  pid 2380  rundll32.exe  (4 occurrences)

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Windows directory (1 IoC)
Processes:
  description: File created
  ioc: C:\Windows\Tasks\Dctooux.job
  process: 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid 2860  rundll32.exe  (5 occurrences)
  pid 2020  powershell.exe  (1 occurrence)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid 2020  powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid 1988  3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes (source PID / source process -> target PID / target process):
  PID 1988  3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe  wrote to memory of  PID 2624  Dctooux.exe     (4 occurrences)
  PID 2624  Dctooux.exe   wrote to memory of  PID 2888  rundll32.exe    (7 occurrences)
  PID 2888  rundll32.exe  wrote to memory of  PID 2860  rundll32.exe    (4 occurrences)
  PID 2860  rundll32.exe  wrote to memory of  PID 1632  netsh.exe       (3 occurrences)
  PID 2860  rundll32.exe  wrote to memory of  PID 2020  powershell.exe  (3 occurrences)
  PID 2624  Dctooux.exe   wrote to memory of  PID 2380  rundll32.exe    (7 occurrences)
Processes

(indentation shows the process tree; each entry lists the image path, the command line, and the signatures matched by that process)

1. C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\rundll32.exe
            command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\system32\netsh.exe
               command line: netsh wlan show profiles

            5. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\780967622241_Desktop.zip' -CompressionLevel Optimal
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\rundll32.exe
         command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
         - Blocklisted process makes network request
         - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\780967622241
  Filesize: 66KB
  MD5: 455f6b22b5e5bea15c49307982026c16
  SHA1: 78ccdede7c3167e88e93f6705729fae75cdd2d65
  SHA256: ad4d7d064ccd74fa3a9c91ec2cda5ea584bcc19786ff8c448f101091d226dcc1
  SHA512: 87fb0c61fc1127a3f4c5429bf717bc3f3e56f208094cbb5e01c9b7e4e5d55f28968ba91ca8cc559c2763e4099744d95f42b35da0f6dd2cfe04076a986ae2a7d9

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
  Filesize: 109KB
  MD5: ca684dc5ebed4381701a39f1cc3a0fb2
  SHA1: 8c4a375aa583bd1c705597a7f45fd18934276770
  SHA256: b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
  SHA512: 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
  Filesize: 1.2MB
  MD5: 4876ee75ce2712147c41ff1277cd2d30
  SHA1: 3733dc92318f0c6b92cb201e49151686281acda6
  SHA256: bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
  SHA512: 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  Filesize: 420KB
  MD5: 7b432411c12d3d0d31ecaf9011450e42
  SHA1: 968943d42ba1e8938989b6ed1884195c2285396f
  SHA256: 3fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
  SHA512: 6881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
Memory dumps (dump name: filesize)

memory/1988-17-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB
memory/1988-3-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB
memory/1988-1-0x0000000000CD0000-0x0000000000DD0000-memory.dmp: 1024KB
memory/1988-20-0x0000000000220000-0x000000000028F000-memory.dmp: 444KB
memory/1988-2-0x0000000000220000-0x000000000028F000-memory.dmp: 444KB
memory/1988-19-0x0000000000CD0000-0x0000000000DD0000-memory.dmp: 1024KB
memory/1988-5-0x0000000000CC0000-0x0000000000CC1000-memory.dmp: 4KB
memory/2020-57-0x000000001B480000-0x000000001B762000-memory.dmp: 2.9MB
memory/2020-62-0x000007FEF4CA0000-0x000007FEF563D000-memory.dmp: 9.6MB
memory/2020-65-0x000007FEF4CA0000-0x000007FEF563D000-memory.dmp: 9.6MB
memory/2020-64-0x00000000028D0000-0x0000000002950000-memory.dmp: 512KB
memory/2020-63-0x00000000028D0000-0x0000000002950000-memory.dmp: 512KB
memory/2020-58-0x00000000023A0000-0x00000000023A8000-memory.dmp: 32KB
memory/2020-59-0x000007FEF4CA0000-0x000007FEF563D000-memory.dmp: 9.6MB
memory/2020-60-0x00000000028D0000-0x0000000002950000-memory.dmp: 512KB
memory/2020-61-0x00000000028D0000-0x0000000002950000-memory.dmp: 512KB
memory/2624-22-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB
memory/2624-33-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB
memory/2624-56-0x0000000000BF0000-0x0000000000CF0000-memory.dmp: 1024KB
memory/2624-51-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB
memory/2624-21-0x0000000000BF0000-0x0000000000CF0000-memory.dmp: 1024KB
memory/2624-80-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB
memory/2624-104-0x0000000000400000-0x0000000000B12000-memory.dmp: 7.1MB