Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-04-2024 11:22

Static task: static1
Behavioral task: behavioral1
Sample: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
Resource: win7-20240221-en
General
- Target: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
- Size: 391KB
- MD5: 19d257c7f63ff3dbf8b5ae26f2c1b45a
- SHA1: dc84514dd1471efa7db9e34c43c6a60827dadad0
- SHA256: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
- SHA512: 7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb
- SSDEEP: 6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj
Malware Config
Extracted
- Family: amadey
- Version: 3.21
- C2: http://185.215.113.204
- install_dir: 580e612ff0
- install_file: bguuwe.exe
- strings_key: 11ae05ddf878fd8a904552f1e0be6ecb
- url_paths: /Lkb2dxj3/index.php
Signatures

Processes:
- resource: C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll; yara_rule: amadey_cred_module

Blocklisted process makes network request 1 IoCs
Processes:
- flow 25; pid 2720; process rundll32.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs
Processes:
- pid 1392; process bguuwe.exe
- pid 1108; process bguuwe.exe
- pid 2832; process bguuwe.exe

Loads dropped DLL 6 IoCs
Processes:
- pid 2812; process 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
- pid 2812; process 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
- pid 2720; process rundll32.exe
- pid 2720; process rundll32.exe
- pid 2720; process rundll32.exe
- pid 2720; process rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook; process: rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
Processes:
- flow 21; ioc raw.githubusercontent.com
- flow 22; ioc raw.githubusercontent.com
- flow 17; ioc raw.githubusercontent.com
- flow 18; ioc raw.githubusercontent.com
- flow 19; ioc raw.githubusercontent.com
- flow 20; ioc raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies system certificate store
Processes:
- description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349; process: bguuwe.exe
- description: Set value (data); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob; process: bguuwe.exe
- description: Set value (data); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob; process: bguuwe.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
- pid 2720; process rundll32.exe
- pid 2720; process rundll32.exe
- pid 2720; process rundll32.exe
- pid 2720; process rundll32.exe

Suspicious use of WriteProcessMemory 31 IoCs
Processes (identical rows grouped; 31 rows in total):
- PID 2812 wrote to memory of 1392; process 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe; target process bguuwe.exe (4 rows)
- PID 1392 wrote to memory of 2472; process bguuwe.exe; target process cmd.exe (4 rows)
- PID 1392 wrote to memory of 2540; process bguuwe.exe; target process schtasks.exe (4 rows)
- PID 2472 wrote to memory of 2460; process cmd.exe; target process reg.exe (4 rows)
- PID 1656 wrote to memory of 1108; process taskeng.exe; target process bguuwe.exe (4 rows)
- PID 1392 wrote to memory of 2720; process bguuwe.exe; target process rundll32.exe (7 rows)
- PID 1656 wrote to memory of 2832; process taskeng.exe; target process bguuwe.exe (4 rows)

outlook_win_path 1 IoCs
Processes:
- description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook; process: rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe"
  PID: 2812
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe"
    PID: 1392
    Signatures: Executes dropped EXE; Modifies system certificate store; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
      PID: 2472
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
        PID: 2460
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe" /F
      PID: 2540
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
      PID: 2720
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {8181A24B-0FFD-425E-A0E7-5F99AA96981B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  PID: 1656
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
    PID: 1108
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
    PID: 2832
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- Filesize: 65KB
  MD5: 3b3a84129858dc28055a6f99d05aa1a6
  SHA1: 072d4b5d6db20a94061873c2e952ad1a15c00e56
  SHA256: b21d43e677aa2d86f63004f306dad96cfffc0c6eda10467f707626c30115d5c0
  SHA512: c489d6daa956ffde2ffc154185e52a9493d0c54e666b9665715828a3921e6e22769e341e195e527e545aae26f27224ec001114a498ea2220ebee198599a95988
- Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
- Filesize: 126KB
  MD5: 2930d1a61c3e082b983802bf71266ec0
  SHA1: 9b676931a59da39eac50a08c15d5c4beb22ac366
  SHA256: 5554595940945dc2e7549d8840344e150954f6419b0e809e1bcfb667fcd663f3
  SHA512: df8038ac7866a9929d56f138380ec75b78723a5a99ce425f394b216f8a30597a90e6f1173269dda06b3a414b0ccab60a6cf1fef2d0047f5ed010d5c7f9aed53b
- Filesize: 391KB
  MD5: 19d257c7f63ff3dbf8b5ae26f2c1b45a
  SHA1: dc84514dd1471efa7db9e34c43c6a60827dadad0
  SHA256: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
  SHA512: 7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb