Analysis

max time kernel:   146s
max time network:  154s
platform:          windows7_x64
resource:          win7-20240221-en
resource tags:     arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted:         19/04/2024, 01:56

Static task:       static1
Behavioral task:   behavioral1
Sample:            c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
Resource:          win7-20240221-en
General

Target:  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
Size:    436KB
MD5:     f6ee2a295cd2ba584f9a363ade3d55b3
SHA1:    c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c
SHA256:  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
SHA512:  7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b
SSDEEP:  6144:vZLBvj27DEXhnzCaknvrhHq6p5Km/OZ2iqzUhYA0FvYgtv3EagG64/dAdUcgf:hd72YmQ/mWZUzGUvYgt8FGBxcg
Malware Config

Extracted:     amadey 4.19
install_dir:   cbb1d94791
install_file:  Dctooux.exe
strings_key:   fcebaf717c71f51f8908b537784e2bee
url_paths:     /8bjndDcoA3/index.php
Signatures

Blocklisted process makes network request (2 IoCs)
flow  pid  Process
9     960  rundll32.exe
12    880  rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
2916  Dctooux.exe

Loads dropped DLL (14 IoCs)
pid   Process
1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
1492  rundll32.exe
1492  rundll32.exe
1492  rundll32.exe
1492  rundll32.exe
960   rundll32.exe
960   rundll32.exe
960   rundll32.exe
960   rundll32.exe
880   rundll32.exe
880   rundll32.exe
880   rundll32.exe
880   rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, etc.

Drops file in Windows directory (1 IoC)
description   ioc                           Process
File created  C:\Windows\Tasks\Dctooux.job  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid   Process
960   rundll32.exe
960   rundll32.exe
960   rundll32.exe
960   rundll32.exe
960   rundll32.exe
2764  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  2764  powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description                        pid   Process                                                                  procid_target
PID 1544 wrote to memory of 2916   1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  28
PID 1544 wrote to memory of 2916   1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  28
PID 1544 wrote to memory of 2916   1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  28
PID 1544 wrote to memory of 2916   1544  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  28
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 2916 wrote to memory of 1492   2916  Dctooux.exe                                                              31
PID 1492 wrote to memory of 960    1492  rundll32.exe                                                             32
PID 1492 wrote to memory of 960    1492  rundll32.exe                                                             32
PID 1492 wrote to memory of 960    1492  rundll32.exe                                                             32
PID 1492 wrote to memory of 960    1492  rundll32.exe                                                             32
PID 960 wrote to memory of 1392    960   rundll32.exe                                                             33
PID 960 wrote to memory of 1392    960   rundll32.exe                                                             33
PID 960 wrote to memory of 1392    960   rundll32.exe                                                             33
PID 960 wrote to memory of 2764    960   rundll32.exe                                                             35
PID 960 wrote to memory of 2764    960   rundll32.exe                                                             35
PID 960 wrote to memory of 2764    960   rundll32.exe                                                             35
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
PID 2916 wrote to memory of 880    2916  Dctooux.exe                                                              39
Processes

C:\Users\Admin\AppData\Local\Temp\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe"
  PID: 1544
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
    PID: 2916
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      PID: 1492
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        PID: 960
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
          Command line: netsh wlan show profiles
          PID: 1392

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\309405411416_Desktop.zip' -CompressionLevel Optimal
          PID: 2764
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
      PID: 880
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize  67KB
MD5       78ce59ef71f555ef09e9706cc85e20eb
SHA1      1c0d07ad3caf255d3a4736b64ba6b3506841aeaa
SHA256    8f0216c63bf1aab2e65e1501cc0d4cc8b4995158be7f0023be0891d64fcd8cd4
SHA512    c67886b7b25d25c79429d9c38605b94a22f2e71b00d9cea00a83d5bf0040ea1cfafc88517cef470de5c5f2f4a36324402d0a54c92a90da1704233a241e9497df

Filesize  436KB
MD5       f6ee2a295cd2ba584f9a363ade3d55b3
SHA1      c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c
SHA256    c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
SHA512    7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b

Filesize  109KB
MD5       647ac550e51ad6d7e47a6f1e94e11fd2
SHA1      433991b760cbfd265d45240891300c3652aefe6f
SHA256    4d743335ff8cdf1e505f4bd82b0efafde077b9bf0f88a615db99feada880e3ba
SHA512    5a2905133e53490dcfdad84b65525f2925d1e82a609ad0ff551d8d90a3c61a3a58b370056b84aa5c33db71f49fffb86e58284dc317a3541d6f5572438e428bfb

Filesize  1.2MB
MD5       877cb2f10c78a046d81f678f88d7a6a1
SHA1      0ecc4a6282a412802756dc5bfd1e60cf789f2687
SHA256    2caf66964f582a9a1add1f13205f8797f2f4e791d980000ea6b55c719c174ed2
SHA512    9a8ea29fcfcf2a4e274095819ba27261bf551c976b697ccc6fe0598d13c309042e317ec8a32d2a9dec38ebd8223fc6c9e08daf5c611cdc72c11c8fe91baf3399