Analysis
Max time kernel: 149s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-04-2024 11:22
Static task: static1
Behavioral task: behavioral1
Sample: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
Resource: win7-20240221-en
General
Target: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
Size: 391KB
MD5: 19d257c7f63ff3dbf8b5ae26f2c1b45a
SHA1: dc84514dd1471efa7db9e34c43c6a60827dadad0
SHA256: 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af
SHA512: 7cd1aa6e9c404965050e4f11bb6ec0c135332a339e734dc8a3aada0385effcda1fbea0317e02aad92a9c9d18af802538376169963fe695c11a114d17792801fb
SSDEEP: 6144:u59jzB1LkOHcUR1p8oOdaQ/Lgy/pmbo3uCJL0q6ZTutv7XZfDj:gxB+icUjmoOdXt/pmbStWZT8FDj
Malware Config

Extracted: amadey
Version: 3.21
C2: http://185.215.113.204
install_dir: 580e612ff0
install_file: bguuwe.exe
strings_key: 11ae05ddf878fd8a904552f1e0be6ecb
url_paths: /Lkb2dxj3/index.php

Extracted: vidar
Version: 55.7
C2 / profile URLs:
  https://t.me/deadftx
  https://www.ultimate-guitar.com/u/smbfupkuhrgc1
  http://116.202.2.1:80
profile_id: 1827
Signatures

YARA rule match: amadey_cred_module
  Resource: C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll

Blocklisted process makes network request (1 IoC)
  Process: rundll32.exe (PID 2692), flow 67

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation by 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation by bguuwe.exe

Executes dropped EXE (4 IoCs)
  Process: bguuwe.exe, PIDs 3108, 4768, 4592, 4824

Loads dropped DLL (1 IoC)
  Process: rundll32.exe (PID 2692)

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Suspicious use of SetThreadContext (1 IoC)
  bguuwe.exe (PID 3108) set thread context of bguuwe.exe (PID 4768)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
  WerFault.exe (PID 2720), target 5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe (PID 2084)
  WerFault.exe (PID 4904), target bguuwe.exe (PID 4592)
  WerFault.exe (PID 4840), target bguuwe.exe (PID 4824)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Process: rundll32.exe (PID 2692), 4 occurrences

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2084 (5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe) wrote to memory of PID 3108 (bguuwe.exe), 3 times
  PID 3108 (bguuwe.exe) wrote to memory of PID 1280 (cmd.exe), 3 times
  PID 3108 (bguuwe.exe) wrote to memory of PID 3804 (schtasks.exe), 3 times
  PID 1280 (cmd.exe) wrote to memory of PID 2488 (reg.exe), 3 times
  PID 3108 (bguuwe.exe) wrote to memory of PID 4768 (bguuwe.exe), 9 times
  PID 3108 (bguuwe.exe) wrote to memory of PID 2692 (rundll32.exe), 3 times

outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe (PID 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5f344c80096e18a98b6acd77482886f402cfbccb90d922d03aac07d1ae6261af.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe (PID 3108)
    Command line: "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1280)
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe (PID 2488)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\580e612ff0\

    C:\Windows\SysWOW64\schtasks.exe (PID 3804)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe" /F
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe (PID 4768)
      Command line: "C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe"
      - Executes dropped EXE

    C:\Windows\SysWOW64\rundll32.exe (PID 2692)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

  C:\Windows\SysWOW64\WerFault.exe (PID 2720)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1048
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 2052)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 2084 -ip 2084

C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe (PID 4592)
  Command line: C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe (PID 4904)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 484
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 4596)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4592 -ip 4592

C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe (PID 4824)
  Command line: C:\Users\Admin\AppData\Local\Temp\580e612ff0\bguuwe.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe (PID 4840)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 484
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 2668)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 4824 -ip 4824
Network
MITRE ATT&CK Enterprise v15
Downloads