Analysis
max time kernel: 147s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/11/2024, 22:58
Static task: static1
Behavioral task: behavioral1
Sample: 6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe
Resource: win7-20240903-en
General
Target: 6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe
Size: 374KB
MD5: 9abf0ea0643fa018e9c7cf3f94c3f421
SHA1: 33798c4f784a63c1b34b1c78186814a649248e86
SHA256: 6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b
SHA512: c2b0f6754c50629871516f697ab32fdad2ea3fec8de8d09702057aab0e8a2389983484106c9d850ba22be3cd4275de2cf115aeb67f602a34f4e713a5d91030fe
SSDEEP: 6144:6BdLNonYcBtYajv4hZfmEhAfMjfiHP8JITTEWqO:6BdpwYc9jv8kEaIuPlTTrN
Malware Config
Extracted
Family: amadey
Version: 3.80
Botnet: 9c0adb
C2: http://193.3.19.154
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: 23b27c80db2465a8e1dc15491b69b82f
url_paths: /store/games/index.php

Combining the C2 host with url_paths gives the check-in endpoint http://193.3.19.154/store/games/index.php; install_dir and install_file are the drop directory and file name that the process tree below confirms (C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe).
Signatures

Amadey family

Executes dropped EXE (3 IoCs)
  pid   Process
  2900  oneetx.exe
  1984  oneetx.exe
  1152  oneetx.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2484  6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe
  2484  6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cacls.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   oneetx.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cacls.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cacls.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cacls.exe
Treat this signature as low fidelity on its own: the Windows binaries cmd.exe, cacls.exe and schtasks.exe trigger it here too, so only the hits from the sample and oneetx.exe say anything about the malware.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2816  schtasks.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2484  6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Each parent/child pair below is logged four times in the raw report (11 pairs x 4 = 44 IoCs). Every target is the writer's own child in the process tree, which is consistent with ordinary process creation rather than injection into an unrelated process.
  pid   Process                                                                  wrote to memory of   procid_target   entries
  2484  6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe    2900                 31              4
  2900  oneetx.exe                                                               2816                 32              4
  2900  oneetx.exe                                                               2660                 34              4
  2660  cmd.exe                                                                  2820                 36              4
  2660  cmd.exe                                                                  2696                 37              4
  2660  cmd.exe                                                                  2772                 38              4
  2660  cmd.exe                                                                  2852                 39              4
  2660  cmd.exe                                                                  2564                 40              4
  2660  cmd.exe                                                                  2336                 41              4
  704   taskeng.exe                                                              1984                 44              4
  704   taskeng.exe                                                              1152                 46              4
Processes
(indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe  (PID 2484)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe  (PID 2900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (PID 2816)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe  (PID 2660)
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 2820)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe  (PID 2696)
        Command line: CACLS "oneetx.exe" /P "Admin:N"
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe  (PID 2772)
        Command line: CACLS "oneetx.exe" /P "Admin:R" /E
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe  (PID 2852)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe  (PID 2564)
        Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe  (PID 2336)
        Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
        - System Location Discovery: System Language Discovery

C:\Windows\system32\taskeng.exe  (PID 704)
  Command line: taskeng.exe {B0C890F0-7E33-4C4C-AE1F-F01F1EBCC2E4} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe  (PID 1984)
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe  (PID 1152)
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    - Executes dropped EXE

Notes on the tree: the image paths are under SysWOW64 while the command lines name System32 because the 32-bit Amadey process is subject to WOW64 file system redirection. The task created with /SC MINUTE /MO 1 fires every minute, which is why taskeng.exe later launches oneetx.exe twice (PIDs 1984 and 1152) within the 150 s run. The CACLS sequence first replaces the ACL on the dropped file and its directory with "Admin:N" (no /E, so the whole ACL is rewritten and the logged-on user loses all rights), then edits read access back in with /E; the user can still read the binary but can no longer delete or overwrite it from that account.
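The persistence and self-protection steps in the tree above (a per-minute scheduled task pointing at an executable in a user-writable directory, followed by CACLS removing the user's own rights on that file and its directory) make a compact detection pattern. The Python below is an added example, not part of the sandbox report or of any sandbox's tooling: it parses process-creation events that are constructed here from the report's process tree, extracts the schtasks and CACLS fields, and raises findings when the task target, the locked-down names and the extracted install_dir/install_file line up. The event layout, the rule names, the five-minute threshold and the list of user-writable path markers are assumptions.

```python
"""Flag Amadey-style persistence: a high-frequency scheduled task on a dropped EXE
in a user-writable path, plus CACLS locking the user out of that file/directory.
Added example; the event format below is constructed, not a sandbox export."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Values from the report's "Malware Config" section, used only for correlation.
AMADEY_CONFIG = {"install_dir": "cb7ae701b3", "install_file": "oneetx.exe"}

# Constructed from the report's process tree (the layout itself is an assumption).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b.exe"
DROP = r"C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
EVENTS = [
    ProcEvent(2484, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2900, 2484, DROP, f'"{DROP}"'),
    ProcEvent(2816, 2900, r"C:\Windows\SysWOW64\schtasks.exe",
              f'"C:\\Windows\\System32\\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "{DROP}" /F'),
    ProcEvent(2660, 2900, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E'
              r'&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit'),
    ProcEvent(2696, 2660, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:N"'),
    ProcEvent(2772, 2660, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "oneetx.exe" /P "Admin:R" /E'),
    ProcEvent(2564, 2660, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\cb7ae701b3" /P "Admin:N"'),
    ProcEvent(2336, 2660, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\cb7ae701b3" /P "Admin:R" /E'),
]

_TN = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
_TR = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)
_SC = re.compile(r'/SC\s+(\w+)', re.I)
_MO = re.compile(r'/MO\s+(\d+)', re.I)
_F = re.compile(r'\s/F\b', re.I)
# CACLS <target> /P <user>:<perm> [/E]; without /E the whole ACL is replaced.
_CACLS = re.compile(r'CACLS\s+"?([^"\s]+)"?\s+/P\s+"?([^":\s]+):([A-Za-z])"?(\s+/E)?', re.I)
# Assumed list of locations a standard user can write to (lower-cased markers).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")


def _first(rx, text):
    m = rx.search(text)
    return None if not m else next(g for g in m.groups() if g is not None)


def parse_schtasks(cmdline):
    """Fields of a 'schtasks /Create' command line; None if it is not a /Create."""
    if "/create" not in cmdline.lower():
        return None
    mo = _first(_MO, cmdline)
    return {
        "task_name": _first(_TN, cmdline),
        "task_run": _first(_TR, cmdline),
        "schedule": (_first(_SC, cmdline) or "").upper(),
        "modifier": int(mo) if mo else 1,  # schtasks defaults /MO to 1 for MINUTE
        "force": _F.search(cmdline) is not None,
    }


def parse_cacls(cmdline):
    """(target, user, permission, edit_mode) for every CACLS /P in a command line."""
    return [(m.group(1), m.group(2), m.group(3).upper(), m.group(4) is not None)
            for m in _CACLS.finditer(cmdline)]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events, config=None):
    """Return a list of findings (rule name, pid, detail) for the given events."""
    findings, task, task_pid = [], None, None
    for ev in events:
        if not ev.image.lower().endswith("schtasks.exe"):
            continue
        t = parse_schtasks(ev.cmdline)
        if t and t["schedule"] == "MINUTE" and t["modifier"] <= 5 and in_user_writable(t["task_run"] or ""):
            task, task_pid = t, ev.pid
            findings.append({"rule": "high_frequency_task_user_path", "pid": ev.pid,
                             "detail": f'{t["task_name"]} every {t["modifier"]} min -> {t["task_run"]}'})
    # Names whose ACL was replaced with "<user>:N" (no /E): that user is locked out.
    locked = set()
    for ev in events:
        for target, _user, perm, edit in parse_cacls(ev.cmdline):
            if perm == "N" and not edit:
                locked.add(target.split("\\")[-1].lower())
    if task and task["task_run"]:
        parts = task["task_run"].split("\\")
        file_name = parts[-1].lower()
        dir_name = parts[-2].lower() if len(parts) > 1 else ""
        if file_name in locked or dir_name in locked:
            findings.append({"rule": "acl_lockdown_of_persisted_binary", "pid": task_pid,
                             "detail": f"user locked out of {sorted(locked)}"})
        if config and file_name == config["install_file"].lower() and dir_name == config["install_dir"].lower():
            findings.append({"rule": "matches_extracted_config", "pid": task_pid,
                             "detail": f"{dir_name}\\{file_name} equals install_dir\\install_file"})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS, AMADEY_CONFIG):
        print(f["rule"], f["pid"], f["detail"])
```

The three rules are deliberately layered: the schtasks rule alone also fires on legitimate per-minute tasks, the CACLS rule alone fires on admins hardening a folder, but a per-minute task whose target was just made undeletable by the same user who created it is a pattern with few benign explanations, and the config match ties the alert back to a known family.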
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 374KB
MD5: 9abf0ea0643fa018e9c7cf3f94c3f421
SHA1: 33798c4f784a63c1b34b1c78186814a649248e86
SHA256: 6641f40539e78d756b92665342ae6adbeb818b3ce3eb5a7b8da2bd3eaf565d6b
SHA512: c2b0f6754c50629871516f697ab32fdad2ea3fec8de8d09702057aab0e8a2389983484106c9d850ba22be3cd4275de2cf115aeb67f602a34f4e713a5d91030fe