Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 13:06

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
  Resource: win10v2004-20240508-en
General
- Target: e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
- Size: 4.5MB
- MD5: 2505c6f2331cfc6d1a74b7009ecb41ea
- SHA1: 67fe99c67d3aeb351d2cef54ba352a328db65433
- SHA256: e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd
- SHA512: 7b1ffcdb8a6300c62bffd62b4bad3aabc24bbb67e40b95ad197fb662b72a363af1c67d6422def2f837ac6297918ebc222c907c73dcc67c7b130c0a47379fd611
- SSDEEP: 98304:cfUb8pAxsOBSexdGzByOahalkaX7EgPHx8lPw2GiqVGf2s7x9tMOmf:cfU+OsvwoYOau3gosPbk4f/bo
Malware Config
Extracted
- Family: amadey
- Version: 4.19
- Botnet: 8fc809
- C2:
  http://nudump.com
  http://otyt.ru
  http://selltix.org
- install_dir: b739b37d80
- install_file: Dctooux.exe
- strings_key: 65bac8d4c26069c29f1fd276f7af33f3
- url_paths:
  /forum/index.php
  /forum2/index.php
  /forum3/index.php
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3672  e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
    3632  pythonw.exe
    2336  pythonw.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    3672  e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
    3632  pythonw.exe
    3632  pythonw.exe
    2336  pythonw.exe
    2336  pythonw.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid process | target process):
    PID 2336 set thread context of 4076 | 2336 pythonw.exe | cmd.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid, process):
    3632  pythonw.exe
    2336  pythonw.exe
    2336  pythonw.exe
    4076  cmd.exe
    4076  cmd.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    2336  pythonw.exe
    4076  cmd.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (description | pid process | target process):
    PID 3348 wrote to memory of 3672 | 3348 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe | e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
    PID 3348 wrote to memory of 3672 | 3348 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe | e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
    PID 3348 wrote to memory of 3672 | 3348 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe | e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
    PID 3672 wrote to memory of 3632 | 3672 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe | pythonw.exe
    PID 3672 wrote to memory of 3632 | 3672 e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe | pythonw.exe
    PID 3632 wrote to memory of 2336 | 3632 pythonw.exe | pythonw.exe
    PID 3632 wrote to memory of 2336 | 3632 pythonw.exe | pythonw.exe
    PID 2336 wrote to memory of 4076 | 2336 pythonw.exe | cmd.exe
    PID 2336 wrote to memory of 4076 | 2336 pythonw.exe | cmd.exe
    PID 2336 wrote to memory of 4076 | 2336 pythonw.exe | cmd.exe
    PID 2336 wrote to memory of 4076 | 2336 pythonw.exe | cmd.exe
    PID 4076 wrote to memory of 396 | 4076 cmd.exe | explorer.exe
    PID 4076 wrote to memory of 396 | 4076 cmd.exe | explorer.exe
    PID 4076 wrote to memory of 396 | 4076 cmd.exe | explorer.exe
    PID 4076 wrote to memory of 396 | 4076 cmd.exe | explorer.exe
    PID 4076 wrote to memory of 396 | 4076 cmd.exe | explorer.exe
Processes (process tree; the number is the nesting depth, each entry is a child of the one above it)
1. C:\Users\Admin\AppData\Local\Temp\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Temp\{6949FA13-3BD9-41C8-A57F-3944BB3660A2}\.cr\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
      Command line: "C:\Windows\Temp\{6949FA13-3BD9-41C8-A57F-3944BB3660A2}\.cr\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\pythonw.exe
         Command line: "C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\pythonw.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
            Command line: C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\SysWOW64\cmd.exe
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\explorer.exe
                  Command line: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\6d5e3c33
  Filesize: 1.1MB
  MD5: b0693ee808b75270a3a35bc2278f75c2
  SHA1: 0a78398966d48ca868167474e40264c211cf072e
  SHA256: c700ce2e179f27bd666d03324122d9a6aeb7501d3a39b40635b4becfe708c6d2
  SHA512: 23bd4bf4775a68b12c2b475f50b05c7be0231f78443cab841f0bbbcb9cf58670bf11fe3a6a608c82e5ab77cab377824e0f027ef9751e3f2a7cdfb0abf23636a9
- C:\Users\Admin\AppData\Local\Temp\804150937214
  Filesize: 73KB
  MD5: 0719d038d0e8729748306e029ad1218a
  SHA1: 0306719c4bcd37da8979cf1f22d7b9032f6b4f1b
  SHA256: 64fdb86169c0677e6d130eee4a351d11012330de2fcb581ca6b11de70a3e1247
  SHA512: 0b1cf3b47af212fd5ddd6470aabddb76ea816e60beaf6e005f6ae3026b179f4231effc02fddd3e58cb8ef6d1d95a7b1f0ce8c7131ebc9cc4982adbdac4b096b9
- C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
  Filesize: 153B
  MD5: d47b646093dd84d34885a714ce4bd74e
  SHA1: c4df23671b6440e29159093dc52cb8c4aa184597
  SHA256: 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
  SHA512: 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338
- C:\Windows\Temp\{6949FA13-3BD9-41C8-A57F-3944BB3660A2}\.cr\e9bcb3fcdedd982630b53e0ec84eefd0c7dbb9e22a4fd6de1168e7f5e166defd.exe
  Filesize: 4.4MB
  MD5: e3635175852f9b41caa9e0b1f7484dbf
  SHA1: ceab4f1b5ead34586addcd351b9528c2dc5627e1
  SHA256: 5de2f55d796eb45ec0136e33108d3b1fd1220335d061371718b0b42301bb7bd2
  SHA512: ceba4d44e64c3386aeac70d7ee4f6dc468626f6e7e80fc01a28b07cc28a160d03d8f6ecc36f419b9c8bf6a6c942d4aa53602a26952359c36b39be4bd51428a7f
- C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\Tiderip.dll
  Filesize: 1.2MB
  MD5: a632842bba74492720c9a6f9a8ad231c
  SHA1: f361debaf17b08174e49ed9a35d99bffb3dc0510
  SHA256: 52b6310d121e91b42a44c24bfd6d1369d1d4388c56260dd4b05ac06225bab8d8
  SHA512: 0f36c56e7ce72860633b76ceb524c8cd3b634c2f672a7106438de4b4a5ea0a828fe1f67680d1414ff92432f70d762262e6c83427bdae794ac16549c38972d0d4
- C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\film.php
  Filesize: 67KB
  MD5: 43afa90c95cc223a5d86d67ffad9abcc
  SHA1: 9f142e11ed9331292227247cb842cd4c5a82773d
  SHA256: a5295f0cd05655c1c79f5000bef797c390f4df2f6b05d0febb65f26cda076411
  SHA512: a9ad8ef8faf059c2f70127aad6f0cb31831f42b75a773ba4186a257fefba377791cea0c96f3ac3ec10a7cab947ff75f1876570ef038f526b87cae5e6579dac36
- C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\python310.dll
  Filesize: 4.3MB
  MD5: ba6483887ff60e3a7c5eebbba62ed060
  SHA1: 964c38a1c2519f7368ef2c94fbba6a24856d3fe3
  SHA256: 198db1aeac214915511a90095b867935d197e419423134fd1f8934e81498e89f
  SHA512: 0cf38a6177676554b74582691548325240d5ebfbb6a562a392a69aea01944038aa82d90017720998d08ee3eb6e517d0a6b367eac2197ffa27deeca4217fb2fad
- C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\pythonw.exe
  Filesize: 94KB
  MD5: 9a4cc0d8e7007f7ef20ca585324e0739
  SHA1: f3e5a2e477cac4bab85940a2158eed78f2d74441
  SHA256: 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
  SHA512: 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3
- C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\raphe.doc
  Filesize: 900KB
  MD5: 2c247fc433fb1ade899955ac89e8102f
  SHA1: 22428f24ce4384565357ad88650e4f6b94a15e4b
  SHA256: 154f9f3d968721528a0e7453a723e2b480b06cb1bd294721be5debf4cc3f836f
  SHA512: 98e2e5b2dbc551295f540d3682470389d892d68fa08e3fc325fc188300870f1a02289c2527e472bb60a62b917fb440115a86ba183c2998ad3dffe4a8263f4993
- C:\Windows\Temp\{B497804E-E947-4AAB-8338-592E658C8D95}\.ba\vcruntime140.dll
  Filesize: 106KB
  MD5: 49c96cecda5c6c660a107d378fdfc3d4
  SHA1: 00149b7a66723e3f0310f139489fe172f818ca8e
  SHA256: 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
  SHA512: e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Memory dumps
- memory/396-48-0x0000000000A00000-0x0000000000A73000-memory.dmp
  Filesize: 460KB
- memory/396-47-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp
  Filesize: 2.0MB
- memory/396-55-0x0000000000A00000-0x0000000000A73000-memory.dmp
  Filesize: 460KB
- memory/396-67-0x0000000000A00000-0x0000000000A73000-memory.dmp
  Filesize: 460KB
- memory/396-77-0x0000000000A00000-0x0000000000A73000-memory.dmp
  Filesize: 460KB
- memory/396-83-0x0000000000A00000-0x0000000000A73000-memory.dmp
  Filesize: 460KB
- memory/2336-41-0x00007FF84D3A0000-0x00007FF84D512000-memory.dmp
  Filesize: 1.4MB
- memory/2336-40-0x00007FF84D3A0000-0x00007FF84D512000-memory.dmp
  Filesize: 1.4MB
- memory/3632-24-0x00007FF84D3A0000-0x00007FF84D512000-memory.dmp
  Filesize: 1.4MB
- memory/3672-13-0x00000000696C0000-0x00000000697F0000-memory.dmp
  Filesize: 1.2MB
- memory/4076-44-0x00007FF86BFF0000-0x00007FF86C1E5000-memory.dmp
  Filesize: 2.0MB
- memory/4076-45-0x0000000074DD0000-0x0000000074F4B000-memory.dmp
  Filesize: 1.5MB