Analysis
- max time kernel: 293s
- max time network: 192s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2024 22:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
- Resource: win7-20240221-en
General
- Target: 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
- Size: 442KB
- MD5: 34468074c946943518ab33be24c01ef9
- SHA1: 742cf7ff13dcab6a99b372dc99f362f45be3d69c
- SHA256: 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
- SHA512: b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b
- SSDEEP: 6144:9qIH8p8GgMyYRhuPTMCGzlmJDZWgECsFjKdJtH3s5ZBjnA:9d8p8GgAWP4CYE4BCsmdJFij0
Malware Config
Extracted: amadey (version 4.18)
- install_dir: 154561dcbf
- install_file: Dctooux.exe
- strings_key: 2cd47fa043c815e1a033c67832f3c6a5
- url_paths: /j4Fvskd3/index.php
Signatures
-
Blocklisted process makes network request (2 IoCs)
Processes (flow, pid, process):
  9    2072  rundll32.exe
  12   2248  rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes (pid, process):
  1216  Dctooux.exe
-
Loads dropped DLL (14 IoCs)
Processes (pid, process, occurrences):
  1516  339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe  x2
  2888  rundll32.exe  x4
  2072  rundll32.exe  x4
  2248  rundll32.exe  x4
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar account information.
-
Drops file in Windows directory (1 IoC)
Processes (description, ioc, process):
  File created  C:\Windows\Tasks\Dctooux.job  339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes (pid, process, occurrences):
  2072  rundll32.exe    x5
  564   powershell.exe  x1
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description, pid, process):
  Token: SeDebugPrivilege  564  powershell.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid, process):
  1516  339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (source pid, source process -> target pid, target process, occurrences):
  1516  339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe -> 1216  Dctooux.exe     x4
  1216  Dctooux.exe  -> 2888  rundll32.exe    x7
  2888  rundll32.exe -> 2072  rundll32.exe    x4
  2072  rundll32.exe -> 684   netsh.exe       x3
  2072  rundll32.exe -> 564   powershell.exe  x3
  1216  Dctooux.exe  -> 2248  rundll32.exe    x7
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99.exe"
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  -
  [depth 2] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      -
      [depth 4] C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        -
        [depth 5] C:\Windows\system32\netsh.exe
          Command line: netsh wlan show profiles
        -
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\063562292805_Desktop.zip' -CompressionLevel Optimal
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    -
    [depth 3] C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\063562292805
  Filesize: 69KB
  MD5: 66d8f7cf6c9f8be4f7a97a7db2c9ff82
  SHA1: 6ea7c56cc476f76d22f0330453e611d2c6831746
  SHA256: 68d4967b7c2db8c0b921023341d55e89214ad64c0b102096f7fb1c607e80d23a
  SHA512: a13602459af9d3f9285714a8387457a1cf07fc5d01fdd061a4e8ded5883d1d283ea61023bed680c46624288cbe5200a47efa5358cb044d9e1faa2629ff4fd1be
-
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
  Filesize: 109KB
  MD5: ca684dc5ebed4381701a39f1cc3a0fb2
  SHA1: 8c4a375aa583bd1c705597a7f45fd18934276770
  SHA256: b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
  SHA512: 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510
-
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
  Filesize: 1.2MB
  MD5: 4876ee75ce2712147c41ff1277cd2d30
  SHA1: 3733dc92318f0c6b92cb201e49151686281acda6
  SHA256: bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
  SHA512: 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9
-
\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  Filesize: 442KB
  MD5: 34468074c946943518ab33be24c01ef9
  SHA1: 742cf7ff13dcab6a99b372dc99f362f45be3d69c
  SHA256: 339f7bd2b39364138d088ddd6cfc4541b6c18da0f24315388bcf80af0ee3ac99
  SHA512: b13def10893e34d5efcb52d5b11b16c14881c27aca7f263d59a19fdad99e27681cd8cee85ba83762772ecbbf4e32eb373006627b932047eff00cbb725e9f942b
Memory dumps (dump name: filesize)
- memory/564-63-0x0000000002700000-0x0000000002780000-memory.dmp: 512KB
- memory/564-56-0x000000001B380000-0x000000001B662000-memory.dmp: 2.9MB
- memory/564-81-0x0000000002700000-0x0000000002780000-memory.dmp: 512KB
- memory/564-65-0x0000000002700000-0x0000000002780000-memory.dmp: 512KB
- memory/564-64-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp: 9.6MB
- memory/564-62-0x0000000002700000-0x0000000002780000-memory.dmp: 512KB
- memory/564-61-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp: 9.6MB
- memory/564-60-0x0000000002700000-0x0000000002780000-memory.dmp: 512KB
- memory/564-59-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp: 9.6MB
- memory/564-58-0x0000000001F50000-0x0000000001F58000-memory.dmp: 32KB
- memory/1216-57-0x0000000000F60000-0x0000000001060000-memory.dmp: 1024KB
- memory/1216-20-0x0000000000220000-0x000000000028F000-memory.dmp: 444KB
- memory/1216-51-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB
- memory/1216-105-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB
- memory/1216-33-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB
- memory/1216-19-0x0000000000F60000-0x0000000001060000-memory.dmp: 1024KB
- memory/1216-22-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB
- memory/1216-79-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB
- memory/1516-1-0x0000000000C90000-0x0000000000D90000-memory.dmp: 1024KB
- memory/1516-21-0x0000000000C90000-0x0000000000D90000-memory.dmp: 1024KB
- memory/1516-2-0x0000000000220000-0x000000000028F000-memory.dmp: 444KB
- memory/1516-17-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB
- memory/1516-5-0x0000000000BC0000-0x0000000000BC1000-memory.dmp: 4KB
- memory/1516-3-0x0000000000400000-0x0000000000B17000-memory.dmp: 7.1MB