Malware Analysis Report

2025-01-22 08:47

Sample ID 241027-t9yayaxkgr
Target 921b0badeaffee860310e6755769337e.dll
SHA256 c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f
Tags
6305e7 amadey credential_access discovery execution persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9914b4ab252e782b73ab0a3efad386444ba8a8059167adcb0675968da2df36f

Threat Level: Known bad

The file 921b0badeaffee860310e6755769337e.dll was found to be: Known bad.

Malicious Activity Summary

6305e7 amadey credential_access discovery execution persistence privilege_escalation spyware stealer

Amadey family

Blocklisted process makes network request

Unsecured Credentials: Credentials In Files

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

Reads local data of messenger clients

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 16:46

Signatures

Amadey family

amadey

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 16:46

Reported

2024-10-27 16:48

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2636 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (reported 7 times)
PID 2636 wrote to memory of 2124 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\netsh.exe (reported 4 times)
PID 2636 wrote to memory of 2940 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (reported 4 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\039016743699_Desktop.zip' -CompressionLevel Optimal

Network

Country Destination Domain Proto
RU 185.215.113.217:80 185.215.113.217 tcp

Files

memory/2940-9-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

memory/2940-10-0x0000000002860000-0x0000000002868000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 16:46

Reported

2024-10-27 16:48

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Command and Scripting Interpreter: PowerShell

execution

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\921b0badeaffee860310e6755769337e.dll,#1

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip' -CompressionLevel Optimal

Network

Country Destination Domain Proto
RU 185.215.113.217:80 185.215.113.217 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 217.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (reported 5 times)
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/4444-3-0x00007FF989083000-0x00007FF989085000-memory.dmp

memory/4444-9-0x000002CEF4670000-0x000002CEF4692000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jhpetget.v3k.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4444-14-0x00007FF989080000-0x00007FF989B41000-memory.dmp

memory/4444-15-0x00007FF989080000-0x00007FF989B41000-memory.dmp

memory/4444-17-0x000002CEF47D0000-0x000002CEF47DA000-memory.dmp

memory/4444-16-0x000002CEF4B80000-0x000002CEF4B92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_Files_\DisconnectExit.docx

MD5 0959505c756e4a90411959af06976394
SHA1 d7e1c654e1ef0344963ca06a6ae76917ec0538b8
SHA256 28a747f8f6f6ec46fd6431363a8b00f93089be6357c5cfa38691c86b6a761cce
SHA512 3820eeb7ba2ba0aa7bf24733ec589a9ca5a8509c11fc4b1e80c1ff1c7b96e14c6d2a20af497eb8d08bb0f2b930ff3ca4138004801a476557b7346189e109e25d

C:\Users\Admin\AppData\Local\Temp\_Files_\GrantUnlock.xls

MD5 707fc2f47604860e71d5cbe886950b02
SHA1 cadcfa7605c33bfd53e647c432e2428716e284f5
SHA256 f7f5c943f7e990e8e0e692e55a2a8dc324f41cbe61d2b010a05a2978ace1fd44
SHA512 d24f2c80ec9b9a9a77fd392f329f5006b047686de976b3e3b71d8f9809c95d6367b9c5529880e841625970430df82c263c288df7cef63c70dc5b79733f992de1

C:\Users\Admin\AppData\Local\Temp\_Files_\SubmitRequest.docx

MD5 b89c1d2b412036667bb4e4c0ceb87d4a
SHA1 2fa90985ab89b1629febe5ed836bfd55c4480943
SHA256 67e7d9f4fca46cda56078ce3fa0ba374d8225b376a093e484abb858de2148cb9
SHA512 c717689bf796ff125912d9f30d7a763a11eb91bd9ab09b7201d687604f4cdba0cc1844c1bd7e26b2e3d9524ae1bf02d52319ee9519af0a0f357c120937c10e7e

memory/4444-24-0x00007FF989080000-0x00007FF989B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\878641211696_Desktop.zip

MD5 56e8420544e694270ae57df892290d70
SHA1 33c724b071570991a40efeaaeaa7477ef56c81c4
SHA256 8adfb8a9a9840c80dcdd4b448e8a7a9f0bceb495005aebebe37e9188c44bfebb
SHA512 fa9a4c3f59eb998c92f92a3ba8020b18d654b552d9bcba4c50c52ca42c4a7e7b3c67c9c08ece14bbea7c0a2071de8ad624597225e3ddfae358e937ec96fbebbb