Analysis
-
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 14:40
Static task: static1
Behavioral task: behavioral1
Sample: 83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
Resource: win10v2004-20240426-en
General
-
Target: 83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
Size: 4.4MB
MD5: 3bea43a1f70e751778d17ff9db41b0a3
SHA1: 3637c87f85c1f2d8526535f3de05b9943b5dd665
SHA256: 83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3
SHA512: 1638893ac4d7a0ee23e2e942e2a683ce5ff61365ef3020c9e4790a52e77901881a09a27cab4ef9d8539fdbc7af64675161651ac7500751c2c5bc4ae693a4ea20
SSDEEP: 98304:cfUb8pAxsOBSexdGzByOahalkaX7EgPHx8lPw2GiqVGf2s7x9tMOmb:cfU+OsvwoYOau3gosPbk4f/b4
Malware Config
Extracted
Family: amadey
Version: 4.19
Botnet: 8fc809
C2:
  http://nudump.com
  http://otyt.ru
  http://selltix.org
-
install_dir: b739b37d80
-
install_file: Dctooux.exe
-
strings_key: 65bac8d4c26069c29f1fd276f7af33f3
-
url_paths:
  /forum/index.php
  /forum2/index.php
  /forum3/index.php
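The config above gives three C2 hosts and three check-in paths; the bot's check-ins are plain-HTTP requests to host + one of the url_paths, so every host/path pair is a network IoC. The script below is an added example, not part of the sandbox report: it expands the config into the full set of check-in URLs and runs that list over a few constructed proxy log lines (the log format, timestamps and client IPs are invented for the example). A host match without a path match is reported as a lower-confidence hit, since any contact with the C2 hosts is worth triage.

```python
import re
from urllib.parse import urlsplit

# C2 hosts and check-in paths from the extracted Amadey config in this report.
C2_HOSTS = ["nudump.com", "otyt.ru", "selltix.org"]
URL_PATHS = ["/forum/index.php", "/forum2/index.php", "/forum3/index.php"]


def c2_urls(hosts=C2_HOSTS, paths=URL_PATHS):
    """Every host/path combination the bot can check in to (3 x 3 = 9 URLs)."""
    return sorted(f"http://{h}{p}" for h in hosts for p in paths)


# Constructed proxy log (Squid-like "ts client method url status"); not real traffic.
SAMPLE_LOG = """\
1716734400.101 10.0.0.17 POST http://nudump.com/forum/index.php 200
1716734401.555 10.0.0.17 GET http://www.example.com/index.html 200
1716734405.010 10.0.0.17 POST http://OTYT.RU:80/forum3/index.php?x=1 200
1716734409.900 10.0.0.42 GET http://selltix.org/robots.txt 404
1716734412.222 10.0.0.17 POST http://selltix.org/forum2/index.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalise(url):
    """(host, path) with the host case-folded, port dropped and query string removed,
    so 'http://OTYT.RU:80/forum3/index.php?x=1' still matches the config entry."""
    u = urlsplit(url)
    return (u.hostname or "").lower(), u.path


def match_checkins(log_text, hosts=C2_HOSTS, paths=URL_PATHS):
    """Return one dict per log line that touches the C2 infrastructure.
    kind == 'checkin' : host and path both match the config (high confidence)
    kind == 'c2_host' : host matches but the path does not (still worth triage)"""
    host_set = {h.lower() for h in hosts}
    pair_set = {(h.lower(), p) for h in hosts for p in paths}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        host, path = normalise(m["url"])
        if (host, path) in pair_set:
            kind = "checkin"
        elif host in host_set:
            kind = "c2_host"
        else:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "method": m["method"],
                     "host": host, "path": path, "kind": kind})
    return hits


def infected_clients(log_text):
    """Clients that performed a full check-in; candidates for isolation."""
    return {h["client"] for h in match_checkins(log_text) if h["kind"] == "checkin"}


if __name__ == "__main__":
    for h in match_checkins(SAMPLE_LOG):
        print(f'{h["kind"]:8} {h["client"]:10} {h["method"]} {h["host"]}{h["path"]}')
    print("isolate:", sorted(infected_clients(SAMPLE_LOG)))
```

Matching on the normalised (host, path) pair rather than on the raw URL string is what catches the upper-cased host with an explicit port and a query string; a plain substring blocklist of the nine URLs would miss it.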
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
  PID 4912  83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
  PID 4076  pythonw.exe
  PID 3388  pythonw.exe
-
Loads dropped DLL (5 IoCs)
Processes:
  PID 4912  83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
  PID 4076  pythonw.exe (2 IoCs)
  PID 3388  pythonw.exe (2 IoCs)
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3388 (pythonw.exe) set thread context of PID 5096 (cmd.exe)
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  PID 4076  pythonw.exe
  PID 3388  pythonw.exe (2 IoCs)
  PID 5096  cmd.exe (2 IoCs)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  PID 3388  pythonw.exe
  PID 5096  cmd.exe
-
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 1044 (83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe) wrote to memory of PID 4912 (83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe), 3 IoCs
  PID 4912 (83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe) wrote to memory of PID 4076 (pythonw.exe), 2 IoCs
  PID 4076 (pythonw.exe) wrote to memory of PID 3388 (pythonw.exe), 2 IoCs
  PID 3388 (pythonw.exe) wrote to memory of PID 5096 (cmd.exe), 4 IoCs
  PID 5096 (cmd.exe) wrote to memory of PID 4628 (explorer.exe), 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe (PID 1044, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Temp\{6223B4EC-4C49-4A3E-A168-B1291E03D3F6}\.cr\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe (PID 4912, depth 2)
    Command line: "C:\Windows\Temp\{6223B4EC-4C49-4A3E-A168-B1291E03D3F6}\.cr\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe" -burn.filehandle.attached=544 -burn.filehandle.self=648
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\pythonw.exe (PID 4076, depth 3)
      Command line: "C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\pythonw.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      -
      C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe (PID 3388, depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\SysWOW64\cmd.exe (PID 5096, depth 5)
          Command line: C:\Windows\SysWOW64\cmd.exe
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          -
          C:\Windows\SysWOW64\explorer.exe (PID 4628, depth 6)
            Command line: C:\Windows\SysWOW64\explorer.exe
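The tree reads as a WiX Burn bootstrapper (the -burn.clean.room switch is Burn re-launching itself from a C:\Windows\Temp\{GUID}\.cr clean-room copy, with its bootstrapper application unpacked to the matching \.ba directory) whose bootstrapper application is a bundled pythonw.exe. That interpreter re-launches from %AppData%\Roaming\quickValidv3, spawns a bare SysWOW64 cmd.exe, sets its thread context (the SetThreadContext and WriteProcessMemory signatures above), and the hollowed cmd.exe then spawns a bare explorer.exe. The detector below is an added example, not tooling from the report: it rebuilds the tree from constructed Sysmon-style process-create records that mirror the report's PIDs and images, plus a hypothetical "thread_context" record standing in for the SetThreadContext signature, and flags the three traits that make this chain stand out regardless of the specific hashes.

```python
import ntpath

SAMPLE = "83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe"
CR_DIR = r"C:\Windows\Temp\{6223B4EC-4C49-4A3E-A168-B1291E03D3F6}\.cr"
BA_DIR = r"C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba"


def proc(pid, ppid, image, args=""):
    """Minimal Sysmon-EID-1-like process-create record (constructed)."""
    cmdline = f'"{image}"' + (f" {args}" if args else "")
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events mirroring the tree in this report; PIDs come from the
# signature tables. "thread_context" is a stand-in for the SetThreadContext
# signature, not real endpoint telemetry.
EVENTS = [
    proc(1044, 0, r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE),
    proc(4912, 1044, CR_DIR + "\\" + SAMPLE,
         "-burn.clean.room=\"C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE + "\" "
         "-burn.filehandle.attached=544 -burn.filehandle.self=648"),
    proc(4076, 4912, BA_DIR + r"\pythonw.exe"),
    proc(3388, 4076, r"C:\Users\Admin\AppData\Roaming\quickValidv3\pythonw.exe"),
    proc(5096, 3388, r"C:\Windows\SysWOW64\cmd.exe"),
    proc(4628, 5096, r"C:\Windows\SysWOW64\explorer.exe"),
    {"type": "thread_context", "pid": 3388, "target": 5096},
]

INTERPRETERS = {"python.exe", "pythonw.exe"}
STAGING_DIRS = ("\\appdata\\", "\\windows\\temp\\", "\\users\\public\\")
HOLLOW_TARGETS = {"cmd.exe", "explorer.exe"}  # the injection hosts in this chain
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe", "services.exe"}


def basename(image):
    return ntpath.basename(image).lower()


def build_tree(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(tree, pid):
    """Image names from the root of the tree down to pid."""
    chain = []
    while pid in tree:
        chain.append(basename(tree[pid]["image"]))
        pid = tree[pid]["ppid"]
    return chain[::-1]


def is_bare_launch(e):
    """True when the command line is only the image path, with no arguments."""
    return e["cmdline"].strip().strip('"').lower() == e["image"].lower()


def analyse(events):
    """Return (rule, pid, context) tuples; context is the ancestry or the
    source/target pair for the cross-process SetThreadContext."""
    tree = build_tree(events)
    findings = []
    for e in events:
        if e["type"] == "process":
            name, image = basename(e["image"]), e["image"].lower()
            parent = tree.get(e["ppid"])
            parent_name = basename(parent["image"]) if parent else ""
            # 1. a Python interpreter running out of AppData / Windows\Temp
            if name in INTERPRETERS and any(d in image for d in STAGING_DIRS):
                findings.append(("interpreter_from_staging_dir", e["pid"], ancestry(tree, e["pid"])))
            # 2. cmd.exe / explorer.exe started with no arguments by an unusual parent
            if name in HOLLOW_TARGETS and is_bare_launch(e) and parent_name not in EXPECTED_PARENTS:
                findings.append(("bare_system_binary_spawn", e["pid"], ancestry(tree, e["pid"])))
        # 3. SetThreadContext on a thread in another process (hollowing tell)
        elif e["type"] == "thread_context" and e["pid"] != e["target"]:
            src, dst = tree.get(e["pid"]), tree.get(e["target"])
            findings.append(("cross_process_set_thread_context", e["pid"],
                             [basename(src["image"]) if src else "?",
                              basename(dst["image"]) if dst else "?"]))
    return findings


if __name__ == "__main__":
    for rule, pid, ctx in analyse(EVENTS):
        print(f"{rule:34} pid={pid:<5} {' > '.join(ctx)}")
```

The bare-launch rule is the cheap one to deploy: a SysWOW64 cmd.exe or explorer.exe created with nothing but its own path on the command line, by a parent that is not the shell or the logon chain, is the hollowing host pattern this report shows twice in a row.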
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\34cc677d
  Filesize: 1.1MB
  MD5: cd12beedfc280928ed33ee92c4b7a0bb
  SHA1: 8823170f2305bae41a8086588af357f119e9a228
  SHA256: 742e533947fd41fbc5a845568d676afb324603f553e6fc555c673cde768c3bf3
  SHA512: 007a69306948949f3dfbc7256c807ad147910a0678e83944a88ad412a947cf46b2d7673b127fa7c6e47926d426eca868f4bf122e2d08f29d302cd8da0b817ab2
-
C:\Users\Admin\AppData\Local\Temp\906287020291
  Filesize: 81KB
  MD5: 8ccd9d15ae8e2f17b4d1370c4120b0ec
  SHA1: a7ec8e6cbd9e4e3bd2af5cae34e528a91b2d4efa
  SHA256: 6655fa58efbaff5c6e7a13ee23304083c8d8ff2c409e763d20a2c473ea398062
  SHA512: 6622bf54513b8741660b323523f8115ce84e7a2fe37238a5a95529a6b251345938526079b8e75619df22bfef784668f881ca34aaf1637bf0e740f9043dff027d
-
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll
  Filesize: 153B
  MD5: d47b646093dd84d34885a714ce4bd74e
  SHA1: c4df23671b6440e29159093dc52cb8c4aa184597
  SHA256: 6807c84bf35d67496e020c1528303b87d4759933c09817e514a7159ac689d352
  SHA512: 906fb89d5ec9dc4338f9d5e26fdc9ccc041225157a8f114465449106128d69e9fbc7723b2bcdd56a17c74c29983f7126a1d970b24e3902a3c4e817834f21f338
-
C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\Tiderip.dll
  Filesize: 1.2MB
  MD5: a632842bba74492720c9a6f9a8ad231c
  SHA1: f361debaf17b08174e49ed9a35d99bffb3dc0510
  SHA256: 52b6310d121e91b42a44c24bfd6d1369d1d4388c56260dd4b05ac06225bab8d8
  SHA512: 0f36c56e7ce72860633b76ceb524c8cd3b634c2f672a7106438de4b4a5ea0a828fe1f67680d1414ff92432f70d762262e6c83427bdae794ac16549c38972d0d4
-
C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\film.php
  Filesize: 67KB
  MD5: 43afa90c95cc223a5d86d67ffad9abcc
  SHA1: 9f142e11ed9331292227247cb842cd4c5a82773d
  SHA256: a5295f0cd05655c1c79f5000bef797c390f4df2f6b05d0febb65f26cda076411
  SHA512: a9ad8ef8faf059c2f70127aad6f0cb31831f42b75a773ba4186a257fefba377791cea0c96f3ac3ec10a7cab947ff75f1876570ef038f526b87cae5e6579dac36
-
C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\python310.dll
  Filesize: 4.3MB
  MD5: ba6483887ff60e3a7c5eebbba62ed060
  SHA1: 964c38a1c2519f7368ef2c94fbba6a24856d3fe3
  SHA256: 198db1aeac214915511a90095b867935d197e419423134fd1f8934e81498e89f
  SHA512: 0cf38a6177676554b74582691548325240d5ebfbb6a562a392a69aea01944038aa82d90017720998d08ee3eb6e517d0a6b367eac2197ffa27deeca4217fb2fad
-
C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\pythonw.exe
  Filesize: 94KB
  MD5: 9a4cc0d8e7007f7ef20ca585324e0739
  SHA1: f3e5a2e477cac4bab85940a2158eed78f2d74441
  SHA256: 040d121a3179f49cd3f33f4bc998bc8f78b7f560bfd93f279224d69e76a06e92
  SHA512: 54636a48141804112f5b4f2fc70cb7c959a041e5743aeedb5184091b51daa1d1a03f0016e8299c0d56d924c6c8ae585e4fc864021081ffdf1e6f3eab11dd43b3
-
C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\raphe.doc
  Filesize: 900KB
  MD5: 2c247fc433fb1ade899955ac89e8102f
  SHA1: 22428f24ce4384565357ad88650e4f6b94a15e4b
  SHA256: 154f9f3d968721528a0e7453a723e2b480b06cb1bd294721be5debf4cc3f836f
  SHA512: 98e2e5b2dbc551295f540d3682470389d892d68fa08e3fc325fc188300870f1a02289c2527e472bb60a62b917fb440115a86ba183c2998ad3dffe4a8263f4993
-
C:\Windows\Temp\{107B9103-A3CD-4152-8965-058B24BDC5E6}\.ba\vcruntime140.dll
  Filesize: 106KB
  MD5: 49c96cecda5c6c660a107d378fdfc3d4
  SHA1: 00149b7a66723e3f0310f139489fe172f818ca8e
  SHA256: 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
  SHA512: e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d
-
C:\Windows\Temp\{6223B4EC-4C49-4A3E-A168-B1291E03D3F6}\.cr\83d2f02cc9276c540c26348669d8503a39ae38296590e96c734f865c420438d3.exe
  Filesize: 4.4MB
  MD5: e3635175852f9b41caa9e0b1f7484dbf
  SHA1: ceab4f1b5ead34586addcd351b9528c2dc5627e1
  SHA256: 5de2f55d796eb45ec0136e33108d3b1fd1220335d061371718b0b42301bb7bd2
  SHA512: ceba4d44e64c3386aeac70d7ee4f6dc468626f6e7e80fc01a28b07cc28a160d03d8f6ecc36f419b9c8bf6a6c942d4aa53602a26952359c36b39be4bd51428a7f
-
memory/3388-41-0x00007FFB754E0000-0x00007FFB75652000-memory.dmp
  Filesize: 1.4MB
-
memory/3388-40-0x00007FFB754E0000-0x00007FFB75652000-memory.dmp
  Filesize: 1.4MB
-
memory/4076-24-0x00007FFB754E0000-0x00007FFB75652000-memory.dmp
  Filesize: 1.4MB
-
memory/4628-47-0x00007FFB92DB0000-0x00007FFB92FA5000-memory.dmp
  Filesize: 2.0MB
-
memory/4628-48-0x0000000000800000-0x0000000000873000-memory.dmp
  Filesize: 460KB
-
memory/4628-55-0x0000000000800000-0x0000000000873000-memory.dmp
  Filesize: 460KB
-
memory/4628-67-0x0000000000800000-0x0000000000873000-memory.dmp
  Filesize: 460KB
-
memory/4628-68-0x0000000000800000-0x0000000000873000-memory.dmp
  Filesize: 460KB
-
memory/4628-77-0x0000000000800000-0x0000000000873000-memory.dmp
  Filesize: 460KB
-
memory/4628-83-0x0000000000800000-0x0000000000873000-memory.dmp
  Filesize: 460KB
-
memory/4912-13-0x00000000696C0000-0x00000000697F0000-memory.dmp
  Filesize: 1.2MB
-
memory/5096-44-0x00007FFB92DB0000-0x00007FFB92FA5000-memory.dmp
  Filesize: 2.0MB
-
memory/5096-45-0x0000000075050000-0x00000000751CB000-memory.dmp
  Filesize: 1.5MB