Resubmissions
29-03-2024 14:25
240329-rrdgpsad9yAnalysis
-
max time kernel
144s -
max time network
149s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
29-03-2024 17:47
General
-
Target
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe
-
Size
1.9MB
-
MD5
864674e8be395eb28bb181184add5c01
-
SHA1
79bb9c0ae54bf8572328af06b6576327bd0a386c
-
SHA256
7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da
-
SHA512
7f85146e5cca26f5a388aeea88cf9d86819aed6e240c3b94569967a2074654327e531be66f1335f9fa0790f13844c65315a3020d0e9c6bdce40c3605164abc25
-
SSDEEP
49152:EJ8NNvupgJi+RYYhQx/QAfi4oxa03C+v7sOh9yPQtE:Xvu+RIx/QAfiTY03C+z/yP
Malware Config
Extracted
amadey
4.17
http://185.215.113.32
-
install_dir
00c07260dc
-
install_file
explorgu.exe
-
strings_key
461809bd97c251ba0c0c8450c7055f1d
-
url_paths
/yandex/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe"C:\Users\Admin\AppData\Local\Temp\7ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeC:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\360119756166_Desktop.zip' -CompressionLevel Optimal4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exeFilesize
1.9MB
MD5864674e8be395eb28bb181184add5c01
SHA179bb9c0ae54bf8572328af06b6576327bd0a386c
SHA2567ef012907eb337ad94d0635a9d1a1dd64ccb32b5c193a5bb732eee3dd22013da
SHA5127f85146e5cca26f5a388aeea88cf9d86819aed6e240c3b94569967a2074654327e531be66f1335f9fa0790f13844c65315a3020d0e9c6bdce40c3605164abc25
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3ksuy20.hof.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dllFilesize
109KB
MD52afdbe3b99a4736083066a13e4b5d11a
SHA14d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA2568d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f
-
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dllFilesize
1.2MB
MD592fbdfccf6a63acef2743631d16652a7
SHA1971968b1378dd89d59d7f84bf92f16fc68664506
SHA256b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72
SHA512b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117
-
memory/1244-102-0x0000026F62A00000-0x0000026F62A0A000-memory.dmpFilesize
40KB
-
memory/1244-75-0x0000026F62B40000-0x0000026F62B50000-memory.dmpFilesize
64KB
-
memory/1244-89-0x0000026F62A10000-0x0000026F62A22000-memory.dmpFilesize
72KB
-
memory/1244-54-0x0000026F62AA0000-0x0000026F62B16000-memory.dmpFilesize
472KB
-
memory/1244-51-0x0000026F62B40000-0x0000026F62B50000-memory.dmpFilesize
64KB
-
memory/1244-49-0x0000026F62980000-0x0000026F629A2000-memory.dmpFilesize
136KB
-
memory/1244-48-0x0000026F62B40000-0x0000026F62B50000-memory.dmpFilesize
64KB
-
memory/1244-47-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmpFilesize
9.9MB
-
memory/1244-111-0x00007FF82E900000-0x00007FF82F2EC000-memory.dmpFilesize
9.9MB
-
memory/2772-16-0x0000000000D30000-0x0000000001208000-memory.dmpFilesize
4.8MB
-
memory/2772-0-0x0000000000D30000-0x0000000001208000-memory.dmpFilesize
4.8MB
-
memory/2772-1-0x0000000077984000-0x0000000077985000-memory.dmpFilesize
4KB
-
memory/2772-2-0x0000000000D30000-0x0000000001208000-memory.dmpFilesize
4.8MB
-
memory/2772-3-0x00000000056C0000-0x00000000056C1000-memory.dmpFilesize
4KB
-
memory/2772-5-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/2772-4-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/2772-6-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/2772-7-0x0000000005690000-0x0000000005691000-memory.dmpFilesize
4KB
-
memory/2772-8-0x00000000056A0000-0x00000000056A1000-memory.dmpFilesize
4KB
-
memory/2772-9-0x00000000056E0000-0x00000000056E1000-memory.dmpFilesize
4KB
-
memory/2772-10-0x0000000005710000-0x0000000005711000-memory.dmpFilesize
4KB
-
memory/2772-11-0x0000000005700000-0x0000000005701000-memory.dmpFilesize
4KB
-
memory/4816-50-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-22-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/4816-29-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/4816-28-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/4816-19-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-21-0x00000000049A0000-0x00000000049A1000-memory.dmpFilesize
4KB
-
memory/4816-24-0x00000000049D0000-0x00000000049D1000-memory.dmpFilesize
4KB
-
memory/4816-26-0x0000000004980000-0x0000000004981000-memory.dmpFilesize
4KB
-
memory/4816-27-0x00000000049C0000-0x00000000049C1000-memory.dmpFilesize
4KB
-
memory/4816-25-0x0000000004970000-0x0000000004971000-memory.dmpFilesize
4KB
-
memory/4816-23-0x0000000004990000-0x0000000004991000-memory.dmpFilesize
4KB
-
memory/4816-30-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-112-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-113-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-20-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-125-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-126-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-127-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-128-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-129-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-130-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB
-
memory/4816-131-0x00000000008F0000-0x0000000000DC8000-memory.dmpFilesize
4.8MB