Analysis
-
max time kernel
147s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04/11/2024, 14:44
Static task
static1
Behavioral task
behavioral1
Sample
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
Resource
win7-20240708-en
General
-
Target
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
-
Size
280KB
-
MD5
bbef91512706a73ab565b9b3d48d72a7
-
SHA1
6dea225c90f2be69c230a1b2c61f4aa9756b4d8a
-
SHA256
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a
-
SHA512
28134748828618c01780236939cb3d1e8b21d5a23e89812a6cff8566b815894dfb654b8c8f7ef7c3c250c8a72c8783425b865948d08b56d4b79106e5fb22b56a
-
SSDEEP
6144:DGiLSorTu62X507BLwhjwLO++BN8oZHk5o:xOovSgO8z+BPa
Malware Config
Extracted
Family
amadey
Version
3.61
Botnet
cafd42
C2
http://62.204.41.79
-
install_dir
35731ceaf0
-
install_file
gntuud.exe
-
strings_key
29ad5994adb6f4ebc9a42a4a96ba1ca2
-
url_paths
/U7vfDb3kg/index.php
Signatures
-
Amadey family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | gntuud.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
-
Executes dropped EXE 4 IoCs
pid | Process
640 | gntuud.exe
2540 | gntuud.exe
1244 | gntuud.exe
4280 | gntuud.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
pid | pid_target | Process | procid_target
1936 | 1180 | WerFault.exe | 83
4728 | 2540 | WerFault.exe | 102
4100 | 1244 | WerFault.exe | 111
3436 | 4280 | WerFault.exe | 123
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gntuud.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2188 | schtasks.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 1180 wrote to memory of 640 | 1180 | 378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe | 87
PID 1180 wrote to memory of 640 | 1180 | 378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe | 87
PID 1180 wrote to memory of 640 | 1180 | 378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe | 87
PID 640 wrote to memory of 2188 | 640 | gntuud.exe | 93
PID 640 wrote to memory of 2188 | 640 | gntuud.exe | 93
PID 640 wrote to memory of 2188 | 640 | gntuud.exe | 93
Processes
Process tree (indentation shows parent/child depth; each entry lists image path, command line, PID and matched signatures)

C:\Users\Admin\AppData\Local\Temp\378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a.exe"
  PID: 1180
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe"
      PID: 640
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe" /F
          PID: 2188
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1136
      PID: 1936
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1180 -ip 1180
  PID: 4420

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  PID: 2540
  - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 312
      PID: 4728
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2540 -ip 2540
  PID: 3372

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  PID: 1244
  - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 312
      PID: 4100
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1244 -ip 1244
  PID: 2004

C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\35731ceaf0\gntuud.exe
  PID: 4280
  - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 312
      PID: 3436
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4280 -ip 4280
  PID: 2260
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
280KB
MD5
bbef91512706a73ab565b9b3d48d72a7
SHA1
6dea225c90f2be69c230a1b2c61f4aa9756b4d8a
SHA256
378fe8b541fd23d6df8fd31c2134aba0f3cff4ccb6a3225d91f1e23de6d59b8a
SHA512
28134748828618c01780236939cb3d1e8b21d5a23e89812a6cff8566b815894dfb654b8c8f7ef7c3c250c8a72c8783425b865948d08b56d4b79106e5fb22b56a