Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
-
submitted
04/11/2024, 14:44
Static task
static1
Behavioral task
behavioral1
Sample
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
Resource
win7-20240708-en
General
-
Target
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
-
Size
280KB
-
MD5
bbef91512706a73ab565b9b3d48d72a7
-
SHA1
6dea225c90f2be69c230a1b2c61f4aa9756b4d8a
-
SHA256
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a
-
SHA512
28134748828618c01780236939cb3d1e8b21d5a23e89812a6cff8566b815894dfb654b8c8f7ef7c3c250c8a72c8783425b865948d08b56d4b79106e5fb22b56a
-
SSDEEP
6144:DGiLSorTu62X507BLwhjwLO++BN8oZHk5o:xOovSgO8z+BPa
Malware Config
Extracted
amadey
3.61
cafd42
http://62.204.41.79
-
install_dir
35731ceaf0
-
install_file
gntuud.exe
-
strings_key
29ad5994adb6f4ebc9a42a4a96ba1ca2
-
url_paths
/U7vfDb3kg/index.php
Signatures
-
Amadey family
-
Executes dropped EXE 3 IoCs
pid    Process
592    gntuud.exe
2596   gntuud.exe
1232   gntuud.exe
-
Loads dropped DLL 2 IoCs
pid    Process
388    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
388    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    gntuud.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    schtasks.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid    Process
2136   schtasks.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description                        pid    Process                                                                  procid_target
PID 388 wrote to memory of 592     388    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe   31
PID 388 wrote to memory of 592     388    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe   31
PID 388 wrote to memory of 592     388    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe   31
PID 388 wrote to memory of 592     388    378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe   31
PID 592 wrote to memory of 2136    592    gntuud.exe                                                               32
PID 592 wrote to memory of 2136    592    gntuud.exe                                                               32
PID 592 wrote to memory of 2136    592    gntuud.exe                                                               32
PID 592 wrote to memory of 2136    592    gntuud.exe                                                               32
PID 2664 wrote to memory of 2596   2664   taskeng.exe                                                              36
PID 2664 wrote to memory of 2596   2664   taskeng.exe                                                              36
PID 2664 wrote to memory of 2596   2664   taskeng.exe                                                              36
PID 2664 wrote to memory of 2596   2664   taskeng.exe                                                              36
PID 2664 wrote to memory of 1232   2664   taskeng.exe                                                              37
PID 2664 wrote to memory of 1232   2664   taskeng.exe                                                              37
PID 2664 wrote to memory of 1232   2664   taskeng.exe                                                              37
PID 2664 wrote to memory of 1232   2664   taskeng.exe                                                              37
Processes
-
C:\Users\Admin\AppData\Local\Temp\378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:388
-
  C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:592
  -
    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2136
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {B47C159A-3C41-4B1D-A671-7AEAF680A235} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID:2664
-
  C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  - Executes dropped EXE
  PID:2596
  -
  C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  - Executes dropped EXE
  PID:1232
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
280KB
MD5
bbef91512706a73ab565b9b3d48d72a7
SHA1
6dea225c90f2be69c230a1b2c61f4aa9756b4d8a
SHA256
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a
SHA512
28134748828618c01780236939cb3d1e8b21d5a23e89812a6cff8566b815894dfb654b8c8f7ef7c3c250c8a72c8783425b865948d08b56d4b79106e5fb22b56a