Analysis
- max time kernel: 292s
- max time network: 190s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2024 01:52
Static task: static1
Behavioral task: behavioral1
- Sample: 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe
- Resource: win7-20240221-en
General
- Target: 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe
- Size: 441KB
- MD5: 258e294a16170fba05529bcce0263608
- SHA1: 50cc521dd5b5a9aa0e47870bc6dffa651ea7ae34
- SHA256: 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3
- SHA512: 7f015af852be227e970e27ad2733fd8eaa076795faad34f01f3615656dcc62b3eae72d63fb2930cac8330917ceb843b30fad2e7e9bb34352681691c6e7c8fe3f
- SSDEEP: 6144:h0h+V80D4cOyLE6lE/AW2BhkFvKwkZ+eXH+wVM21+rmqmvGIF:h++V80DXOn6luAjh+bwVMMd
Malware Config
Extracted
- family: amadey
- version: 4.18
- install_dir: 154561dcbf
- install_file: Dctooux.exe
- strings_key: 2cd47fa043c815e1a033c67832f3c6a5
- url_paths: /j4Fvskd3/index.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
    9 / 1216 / rundll32.exe
    12 / 1700 / rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2596 / Dctooux.exe
- Loads dropped DLL (14 IoCs)
  Processes (pid / process, with number of entries):
    2256 / 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe (2 entries)
    1188 / rundll32.exe (4 entries)
    1216 / rundll32.exe (4 entries)
    1700 / rundll32.exe (4 entries)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar account information.
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
    File created / C:\Windows\Tasks\Dctooux.job / 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid / process, with number of entries):
    1216 / rundll32.exe (5 entries)
    2236 / powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 2236 / powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid / process):
    2256 / 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (description / pid / process / target process, with number of entries):
    PID 2256 wrote to memory of 2596 / 2256 / 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe / Dctooux.exe (4 entries)
    PID 2596 wrote to memory of 1188 / 2596 / Dctooux.exe / rundll32.exe (7 entries)
    PID 1188 wrote to memory of 1216 / 1188 / rundll32.exe / rundll32.exe (4 entries)
    PID 1216 wrote to memory of 2412 / 1216 / rundll32.exe / netsh.exe (3 entries)
    PID 1216 wrote to memory of 2236 / 1216 / rundll32.exe / powershell.exe (3 entries)
    PID 2596 wrote to memory of 1700 / 2596 / Dctooux.exe / rundll32.exe (7 entries)
Processes (process tree; the number is the depth in the tree)
[1] C:\Users\Admin\AppData\Local\Temp\9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\system32\netsh.exe
                    Command line: netsh wlan show profiles
                [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\297530677122_Desktop.zip' -CompressionLevel Optimal
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
            - Blocklisted process makes network request
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\297530677122
  Filesize: 46KB
  MD5: d2a828b96b181a5761ad0a7fac8bdae1
  SHA1: b9204319024117ad2a3cedf75a72a168ea7cd98c
  SHA256: 691c3078a711bfd66180ae063192678b02762b052e66d4459fa947fb616fc92d
  SHA512: 676089444ce14d8e74cdbc0c4f429c0e4ec1337faf34a2f94958f2148df6889f448af294e075f251984582c6c88f105ace0737f8f4e134ade66afe59430847c7
- C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll
  Filesize: 109KB
  MD5: ca684dc5ebed4381701a39f1cc3a0fb2
  SHA1: 8c4a375aa583bd1c705597a7f45fd18934276770
  SHA256: b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
  SHA512: 8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510
- C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll
  Filesize: 1.2MB
  MD5: 4876ee75ce2712147c41ff1277cd2d30
  SHA1: 3733dc92318f0c6b92cb201e49151686281acda6
  SHA256: bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
  SHA512: 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9
- \Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
  Filesize: 441KB
  MD5: 258e294a16170fba05529bcce0263608
  SHA1: 50cc521dd5b5a9aa0e47870bc6dffa651ea7ae34
  SHA256: 9f30da97a5d57aaed356a17e8346988c899f4882e2e3f0156cb5c78951ee4ef3
  SHA512: 7f015af852be227e970e27ad2733fd8eaa076795faad34f01f3615656dcc62b3eae72d63fb2930cac8330917ceb843b30fad2e7e9bb34352681691c6e7c8fe3f
Memory dumps (name / filesize):
- memory/2236-59-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp / 9.6MB
- memory/2236-61-0x0000000002AD0000-0x0000000002B50000-memory.dmp / 512KB
- memory/2236-63-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp / 9.6MB
- memory/2236-62-0x0000000002AD0000-0x0000000002B50000-memory.dmp / 512KB
- memory/2236-60-0x0000000002AD0000-0x0000000002B50000-memory.dmp / 512KB
- memory/2236-58-0x0000000002AD0000-0x0000000002B50000-memory.dmp / 512KB
- memory/2236-57-0x000007FEF5240000-0x000007FEF5BDD000-memory.dmp / 9.6MB
- memory/2236-56-0x0000000001F00000-0x0000000001F08000-memory.dmp / 32KB
- memory/2236-55-0x000000001B5B0000-0x000000001B892000-memory.dmp / 2.9MB
- memory/2256-18-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB
- memory/2256-1-0x0000000000F80000-0x0000000001080000-memory.dmp / 1024KB
- memory/2256-5-0x0000000000CF0000-0x0000000000CF1000-memory.dmp / 4KB
- memory/2256-19-0x0000000000220000-0x000000000028F000-memory.dmp / 444KB
- memory/2256-21-0x0000000000F80000-0x0000000001080000-memory.dmp / 1024KB
- memory/2256-2-0x0000000000220000-0x000000000028F000-memory.dmp / 444KB
- memory/2256-3-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB
- memory/2596-22-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB
- memory/2596-20-0x00000000002B0000-0x00000000003B0000-memory.dmp / 1024KB
- memory/2596-64-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB
- memory/2596-65-0x00000000002B0000-0x00000000003B0000-memory.dmp / 1024KB
- memory/2596-33-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB
- memory/2596-79-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB
- memory/2596-104-0x0000000000400000-0x0000000000B17000-memory.dmp / 7.1MB