Analysis
max time kernel: 143s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2024 06:40
Static task: static1
Behavioral task: behavioral1
Sample: am.exe
Resource: win7-20240221-en
General
Target: am.exe
Size: 8.1MB
MD5: 31fd3d2bdee0fd45c35273bebe4907fa
SHA1: e464d8d3e5a16c0484ecb40e0599a3b4ad1e3f21
SHA256: 5fa605bf9666dc9486a83737d1f77e241bb27a033e609625499f17dbf608e840
SHA512: 5a5558811d5a167db43a0a96679f253c3692921e59bc61708a66f6f55458441bb3c3bdc24896eefabd5f2edfb6c87b87be520bd8abd29b0428d831d24ae947b9
SSDEEP: 196608:Z0SPWFEHfuhw52hhflik2kYrq/d/wNHP7as4v:Zgqfuhw0hmZry4NesG
Malware Config
Extracted
Family: amadey
Version: 4.19
C2: http://bestofthebesttraining.com
install_dir: 763b1308d2
install_file: Dctooux.exe
strings_key: 039c1d21f5b79a4ad9168019f3454a0c
url_paths: /8BvxwQdec3/index.php
Signatures

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process  target process
  PID 2192 set thread context of 2520  2192  am.exe   cmd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  2192  am.exe
  2192  am.exe
  2520  cmd.exe
  2520  cmd.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  2192  am.exe
  2520  cmd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                      pid   process  target process
  PID 2192 wrote to memory of 2520  2192  am.exe   cmd.exe
  PID 2192 wrote to memory of 2520  2192  am.exe   cmd.exe
  PID 2192 wrote to memory of 2520  2192  am.exe   cmd.exe
  PID 2192 wrote to memory of 2520  2192  am.exe   cmd.exe
  PID 2192 wrote to memory of 2520  2192  am.exe   cmd.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
  PID 2520 wrote to memory of 2676  2520  cmd.exe  explorer.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\am.exe (PID 2192)
   Command line: "C:\Users\Admin\AppData\Local\Temp\am.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 2520)
      Command line: C:\Windows\SysWOW64\cmd.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\explorer.exe (PID 2676)
         Command line: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: c47b3e59f451975dd277c637e1636f43
SHA1: a86a805c219806a82352d76a6a89dbc61334e3b4
SHA256: d36db54ce9a87b04c1f60954f43c5adb5c88e52241e20e33460471567618bff1
SHA512: 65aac733d4528de6fc55b725680b7cea3b3382e811552d12054b557c624d3c75612960fcf6e135fede47149e628c1ddb2b3c65ff1ce38cfc742c2d1f065c4742

Filesize: 1.1MB
MD5: 557f3a137fe631641ba26a9a97f624ff
SHA1: fc3bd0e901b1e64f5b655b30d3a4e7fa1f37cbf2
SHA256: 71b1a7177b2f38ff9f90e1ebe01a9fadd28b91717d11f1019caa33de38736cdc
SHA512: 656e8c217738037a03d2698c88decd0a9773d623036092157eb220a2600caca256c25c286a88f73f2d8d433c269c5323d0a0c8a2bd28140c8c9adc426d26c5bc