Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2024 01:40
Behavioral task behavioral1
Sample: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Resource: win10v2004-20241007-en

The signatures and process tree that follow are from behavioral1, the Windows 7 run (platform windows7_x64 above); the Windows 10 run is not shown on this page.
General

Target: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
Size: 205KB
MD5: 6c2ffe23d2b705aa168e28c6d490a4b0
SHA1: ec25e1a6227ad7a28f7027a48f29979b887526d8
SHA256: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1a
SHA512: 939c4afacc162d5b3b3303f0ba3ffee5bb593da73e5dae1897e7e3ff4b161a9b69c7012fdecced37508e9c8bd70a058f80cf1d8d8631c38b9c8a25868aa9ec7c
SSDEEP: 3072:c/frTDzurT1S3CzpdmnATE55zjExkKGruONMvhu5QTXzeJX2vkMfSDPwU:Wfrnzurs3Czpexj2kGOIu5QTyJMKk
Malware Config

Extracted
Family: amadey
Version: 3.80
Botnet: 9c0adb
C2: http://193.3.19.154
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: 23b27c80db2465a8e1dc15491b69b82f
url_paths: /store/games/index.php

The extracted install_dir and install_file match the path the sample actually drops and runs in the process tree below (C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe), which is a useful cross-check that the config extraction is correct for this build.
Signatures

Amadey family

Executes dropped EXE (3 IoCs)
Processes:
  PID 2736  oneetx.exe
  PID 2592  oneetx.exe
  PID 2404  oneetx.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 2808  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: cmd.exe, cacls.exe, schtasks.exe, cmd.exe, cacls.exe, cacls.exe, cmd.exe, cacls.exe, a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe, oneetx.exe
Caveat: eight of the ten opens come from cmd.exe, cacls.exe and schtasks.exe, which read this key during normal locale initialisation, so the signature fires on built-in Windows binaries as well as on the malware. Only the opens by the sample itself and by oneetx.exe are attributable to Amadey, and the report records the key read, not what the sample does with the value.

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
IoC: PID 2688 schtasks.exe /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F (a task named after the dropped file that re-runs it every minute; see the process tree below).
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  PID 2808  a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe

Suspicious use of WriteProcessMemory (44 IoCs)
Every writer/target pair was recorded four times, so the 44 records collapse to these 11 edges (writer PID and image, then target PID and image):
  2808 a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe -> 2736 oneetx.exe
  2736 oneetx.exe -> 2688 schtasks.exe
  2736 oneetx.exe -> 1440 cmd.exe
  1440 cmd.exe -> 2768 cmd.exe
  1440 cmd.exe -> 2568 cacls.exe
  1440 cmd.exe -> 2720 cacls.exe
  1440 cmd.exe -> 2112 cmd.exe
  1440 cmd.exe -> 2192 cacls.exe
  1440 cmd.exe -> 2700 cacls.exe
  1892 taskeng.exe -> 2592 oneetx.exe
  1892 taskeng.exe -> 2404 oneetx.exe
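The WriteProcessMemory records above are the same parent/child pairs logged repeatedly, and the useful artefact is the deduplicated process tree they imply. The following Python is an added example, not part of the sandbox report, that parses records in the report's own format ("PID <writer> wrote to memory of <target> <writer> <writer image> <target image>") into counted edges and renders them as an indented tree. The records it consumes are a constructed excerpt using PIDs from this report, with the sample's long filename shortened to sample.exe for readability.

```python
import re
from collections import Counter

# Constructed excerpt in the report's record format, using PIDs from this report.
# The sample's SHA256-derived filename is shortened to "sample.exe" here.
RECORDS = (
    "PID 2808 wrote to memory of 2736 2808 sample.exe oneetx.exe "
    "PID 2808 wrote to memory of 2736 2808 sample.exe oneetx.exe "
    "PID 2808 wrote to memory of 2736 2808 sample.exe oneetx.exe "
    "PID 2808 wrote to memory of 2736 2808 sample.exe oneetx.exe "
    "PID 2736 wrote to memory of 2688 2736 oneetx.exe schtasks.exe "
    "PID 2736 wrote to memory of 1440 2736 oneetx.exe cmd.exe "
    "PID 1440 wrote to memory of 2568 1440 cmd.exe cacls.exe "
    "PID 1892 wrote to memory of 2592 1892 taskeng.exe oneetx.exe "
    "PID 1892 wrote to memory of 2404 1892 taskeng.exe oneetx.exe"
)

# One record: writer PID, target PID, writer PID repeated, then the two image names.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_edges(text):
    """Count identical writer->target records; key = (src_pid, src_img, dst_pid, dst_img)."""
    edges = Counter()
    for m in RECORD.finditer(text):
        edges[(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])] += 1
    return edges


def process_tree(edges):
    """Return (names, children, roots) built from the edges.

    A PID that writes to others but is never itself a target is a root: the sandbox
    did not record its parent (the submitted sample, or the Task Scheduler engine).
    """
    names, children = {}, {}
    for src, src_img, dst, dst_img in edges:
        names[src], names[dst] = src_img, dst_img
        children.setdefault(src, [])
        if dst not in children[src]:
            children[src].append(dst)
    targets = {pid for kids in children.values() for pid in kids}
    roots = sorted(pid for pid in children if pid not in targets)
    return names, children, roots


def render(edges):
    """Indented text tree in the same shape as the report's Processes section."""
    names, children, roots = process_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(RECORDS)
    print(f"{sum(edges.values())} records -> {len(edges)} distinct edges")
    print(render(edges))
```

Run against the full text of the signature above, the same code collapses the 44 records to 11 edges and reproduces the two-rooted tree (the sample and taskeng.exe) shown in the Processes section.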
Processes

The tree is from behavioral1 (Windows 7 x64, 32-bit sample). Image paths are under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32: a 32-bit process that asks for System32 is given the 32-bit copies by WoW64 file-system redirection, so this is expected for an x86 sample and not evidence of tampering. Indentation shows parent/child; each entry lists image path, command line, PID and the signatures that matched it. The two cmd.exe children running /c" echo Y" exist because cmd.exe runs each side of a pipe (echo Y|CACLS ...) in a child cmd.exe.

C:\Users\Admin\AppData\Local\Temp\a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1aN.exe"
  PID: 2808
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
    PID: 2736
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
      PID: 2688
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
      PID: 1440
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 2768
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "oneetx.exe" /P "Admin:N"
        PID: 2568
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "oneetx.exe" /P "Admin:R" /E
        PID: 2720
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID: 2112
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
        PID: 2192
        - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
        PID: 2700
        - System Location Discovery: System Language Discovery

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1E755AEB-2D24-4FF7-A465-37EB411AA28C} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
  PID: 1892
  - Suspicious use of WriteProcessMemory
  This is the Windows 7 Task Scheduler engine firing the oneetx.exe task created above; two launches inside the roughly two-minute run are consistent with the one-minute trigger.

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    PID: 2592
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
    PID: 2404
    - Executes dropped EXE
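The two behaviours in this tree worth turning into detections are the minute-interval scheduled task whose action lives under the user's AppData\Local\Temp, and the cacls calls that strip the running user's own access to the dropped file and its directory so the user cannot simply delete them. The following Python is an added example (not from the report, the sandbox vendor or the Amadey authors) of detection logic over process-creation events of the Sysmon Event ID 1 / Security 4688 kind. The events are constructed here: the first four reproduce command lines from the tree above, the last two are invented benign controls (a nightly backup task under Program Files and a plain icacls grant) so the rules can be shown not to fire on ordinary administration.

```python
import re

# Constructed process-creation events. PIDs and command lines of the first four are
# taken from the sandbox tree above; 4100 and 4200 are invented benign controls.
EVENTS = [
    {"pid": 2688, "ppid": 2736, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 '
                r'/TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F'},
    {"pid": 2568, "ppid": 1440, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "oneetx.exe" /P "Admin:N"'},
    {"pid": 2720, "ppid": 1440, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "oneetx.exe" /P "Admin:R" /E'},
    {"pid": 2192, "ppid": 1440, "image": r"C:\Windows\SysWOW64\cacls.exe",
     "cmdline": r'CACLS "..\cb7ae701b3" /P "Admin:N"'},
    {"pid": 4100, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /ST 02:00 /TN NightlyBackup /TR "C:\Program Files\Backup\run.exe"'},
    {"pid": 4200, "ppid": 4000, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls C:\Data /grant Users:(R)'},
]

# Directories an unprivileged user can write to; a task action here is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)


def schtasks_persistence(ev):
    """Reasons why a schtasks /Create looks like malware persistence, or None."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return None
    reasons = []
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    action = (m.group(1) or m.group(2)) if m else ""
    if USER_WRITABLE.search(action):
        reasons.append("task action under a user-writable directory")
    # Assumes /MO directly follows /SC MINUTE, as schtasks is usually invoked.
    m = re.search(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", cmd, re.I)
    if m and int(m.group(1) or 1) <= 5:
        reasons.append("re-runs every few minutes (/SC MINUTE)")
    return reasons or None


def acl_lockout(ev):
    """Reasons why a cacls/icacls call strips access (anti-deletion), or None."""
    image = ev["image"].lower()
    if not (image.endswith("cacls.exe") or image.endswith("icacls.exe")):
        return None
    cmd = ev["cmdline"]
    # cacls /P <user>:N replaces that user's permissions with "no access".
    if re.search(r'/p\s+"?[^":\s]+:N\b', cmd, re.I):
        return ["cacls /P <user>:N removes the user's access"]
    if re.search(r"/deny\b", cmd, re.I):
        return ["icacls /deny adds an explicit deny ACE"]
    return None


def scan(events):
    """Run every rule over every event; return [(pid, rule name, reasons)]."""
    hits = []
    for ev in events:
        for rule in (schtasks_persistence, acl_lockout):
            reasons = rule(ev)
            if reasons:
                hits.append((ev["pid"], rule.__name__, reasons))
    return hits


if __name__ == "__main__":
    for pid, rule, reasons in scan(EVENTS):
        print(f"PID {pid}: {rule}: {'; '.join(reasons)}")
```

Reading the cacls sequence: /P replaces the named user's permissions, :N means no access and :R read-only, and /E edits the existing ACL instead of replacing it; echo Y| answers the "Are you sure (Y/N)?" prompt that cacls asks when it replaces an ACL without /E. The net effect on oneetx.exe and on cb7ae701b3 is that Admin, the user the sample runs as, is left with read access only, so it can no longer delete or overwrite the dropped file or its directory. The lockout targets only that user: an elevated administrator or SYSTEM can still take ownership and reset the ACL, which is the remediation step once the scheduled task has been removed.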
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 205KB
MD5: 6c2ffe23d2b705aa168e28c6d490a4b0
SHA1: ec25e1a6227ad7a28f7027a48f29979b887526d8
SHA256: a0bdb183854ad6336feaa96373b3d35088eada85eacfbd783a232fd42aa0ca1a
SHA512: 939c4afacc162d5b3b3303f0ba3ffee5bb593da73e5dae1897e7e3ff4b161a9b69c7012fdecced37508e9c8bd70a058f80cf1d8d8631c38b9c8a25868aa9ec7c