Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/04/2024, 01:56
Static task: static1
Behavioral task: behavioral1
Sample: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
Resource: win7-20240221-en
General
Target: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
Size: 436KB
MD5: f6ee2a295cd2ba584f9a363ade3d55b3
SHA1: c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c
SHA256: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
SHA512: 7db8c37f43efc0414e394dfe3c335e8073dcc53f11093dd9452a750c34b2e16fc058f83fdddbb17b430ac501aabc6af6b03b23afa7826ccac1678f86546b025b
SSDEEP: 6144:vZLBvj27DEXhnzCaknvrhHq6p5Km/OZ2iqzUhYA0FvYgtv3EagG64/dAdUcgf:hd72YmQ/mWZUzGUvYgt8FGBxcg
Malware Config
Extracted
Family: amadey
Version: 4.19
install_dir: cbb1d94791
install_file: Dctooux.exe
strings_key: fcebaf717c71f51f8908b537784e2bee
url_paths: /8bjndDcoA3/index.php
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  37    3032  rundll32.exe
  44    3116  rundll32.exe
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation  Dctooux.exe
- Executes dropped EXE (3 IoCs)
  pid   Process
  1392  Dctooux.exe
  3040  Dctooux.exe
  2656  Dctooux.exe
- Loads dropped DLL (3 IoCs)
  pid   Process
  4852  rundll32.exe
  3032  rundll32.exe
  3116  rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Windows directory (1 IoCs)
  description   ioc                            Process
  File created  C:\Windows\Tasks\Dctooux.job  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (28 IoCs)
  pid   pid_target  Process       procid_target
  2520  348         WerFault.exe  82
  2596  348         WerFault.exe  82
  4852  348         WerFault.exe  82
  2548  348         WerFault.exe  82
  2248  348         WerFault.exe  82
  4880  348         WerFault.exe  82
  2592  348         WerFault.exe  82
  116   348         WerFault.exe  82
  4560  348         WerFault.exe  82
  3364  348         WerFault.exe  82
  2004  1392        WerFault.exe  109
  4072  1392        WerFault.exe  109
  5064  1392        WerFault.exe  109
  4384  1392        WerFault.exe  109
  3504  1392        WerFault.exe  109
  1244  1392        WerFault.exe  109
  3408  1392        WerFault.exe  109
  916   1392        WerFault.exe  109
  1824  1392        WerFault.exe  109
  1932  1392        WerFault.exe  109
  872   1392        WerFault.exe  109
  2576  1392        WerFault.exe  109
  2928  1392        WerFault.exe  109
  5024  1392        WerFault.exe  109
  2640  3040        WerFault.exe  149
  1504  1392        WerFault.exe  109
  3688  2656        WerFault.exe  155
  4980  1392        WerFault.exe  109
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  3032  rundll32.exe
  908   powershell.exe
  908   powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid  Process
  Token: SeDebugPrivilege  908  powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid  Process
  348  c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description                      pid   Process                                                                 procid_target
  PID 348 wrote to memory of 1392   348   c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  109
  PID 348 wrote to memory of 1392   348   c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  109
  PID 348 wrote to memory of 1392   348   c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe  109
  PID 1392 wrote to memory of 4852  1392  Dctooux.exe                                                             138
  PID 1392 wrote to memory of 4852  1392  Dctooux.exe                                                             138
  PID 1392 wrote to memory of 4852  1392  Dctooux.exe                                                             138
  PID 4852 wrote to memory of 3032  4852  rundll32.exe                                                            139
  PID 4852 wrote to memory of 3032  4852  rundll32.exe                                                            139
  PID 3032 wrote to memory of 4648  3032  rundll32.exe                                                            140
  PID 3032 wrote to memory of 4648  3032  rundll32.exe                                                            140
  PID 3032 wrote to memory of 908   3032  rundll32.exe                                                            142
  PID 3032 wrote to memory of 908   3032  rundll32.exe                                                            142
  PID 1392 wrote to memory of 3116  1392  Dctooux.exe                                                             146
  PID 1392 wrote to memory of 3116  1392  Dctooux.exe                                                             146
  PID 1392 wrote to memory of 3116  1392  Dctooux.exe                                                             146
Processes
- (depth 1) "C:\Users\Admin\AppData\Local\Temp\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3.exe"
  PID: 348
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 752
    PID: 2520
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 776
    PID: 2596
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 860
    PID: 4852
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 920
    PID: 2548
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 860
    PID: 2248
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 872
    PID: 4880
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1128
    PID: 2592
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1180
    PID: 116
    - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1240
    PID: 4560
    - Program crash
  - (depth 2) "C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
    PID: 1392
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 552
      PID: 2004
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 560
      PID: 4072
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 572
      PID: 5064
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 632
      PID: 4384
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 880
      PID: 3504
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 916
      PID: 1244
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 932
      PID: 3408
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 628
      PID: 916
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 912
      PID: 1824
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1012
      PID: 1932
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1128
      PID: 872
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1320
      PID: 2576
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1572
      PID: 2928
      - Program crash
    - (depth 3) "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
      image: C:\Windows\SysWOW64\rundll32.exe
      PID: 4852
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - (depth 4) "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        image: C:\Windows\system32\rundll32.exe
        PID: 3032
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - (depth 5) netsh wlan show profiles
          image: C:\Windows\system32\netsh.exe
          PID: 4648
        - (depth 5) powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\288054676187_Desktop.zip' -CompressionLevel Optimal
          image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PID: 908
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    - (depth 3) "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
      image: C:\Windows\SysWOW64\rundll32.exe
      PID: 3116
      - Blocklisted process makes network request
      - Loads dropped DLL
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1100
      PID: 5024
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1624
      PID: 1504
      - Program crash
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1028
      PID: 4980
      - Program crash
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 1288
    PID: 3364
    - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 348 -ip 348
  PID: 2480
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 348 -ip 348
  PID: 1820
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 348 -ip 348
  PID: 2928
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 348 -ip 348
  PID: 3932
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 348 -ip 348
  PID: 1604
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 348 -ip 348
  PID: 5040
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 348 -ip 348
  PID: 3148
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 348 -ip 348
  PID: 740
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 348 -ip 348
  PID: 1720
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 348 -ip 348
  PID: 4916
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1392 -ip 1392
  PID: 3780
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1392 -ip 1392
  PID: 2348
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1392 -ip 1392
  PID: 4796
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1392 -ip 1392
  PID: 3096
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1392 -ip 1392
  PID: 1984
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1392 -ip 1392
  PID: 4740
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 1392 -ip 1392
  PID: 1968
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1392 -ip 1392
  PID: 4488
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 1392 -ip 1392
  PID: 4512
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 1392 -ip 1392
  PID: 2340
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1392 -ip 1392
  PID: 1344
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1392 -ip 1392
  PID: 1336
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1392 -ip 1392
  PID: 4736
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 1392 -ip 1392
  PID: 1684
- (depth 1) C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe
  PID: 3040
  - Executes dropped EXE
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 440
    PID: 2640
    - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3040 -ip 3040
  PID: 2500
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1392 -ip 1392
  PID: 4968
- (depth 1) C:\Users\Admin\AppData\Local\Temp\cbb1d94791\Dctooux.exe
  PID: 2656
  - Executes dropped EXE
  - (depth 2) C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 444
    PID: 3688
    - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2656 -ip 2656
  PID: 4584
- (depth 1) C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1392 -ip 1392
  PID: 1836
Network
MITRE ATT&CK Enterprise v15
Downloads