Analysis
max time kernel: 114s
max time network: 109s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 18/11/2024, 20:45
Static task: static1
Behavioral task: behavioral1
Sample: 9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe
Resource: win7-20241023-en
General
Target: 9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe
Size: 370KB
MD5: f8fd5f898e93865d05b9a1f1fa4ebd80
SHA1: 98612f75f363ef5eeaa44bbc626f6d3f13c2ded0
SHA256: 9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95f
SHA512: 4e15d148ed932b430b3d9ae61d80dc9a19988bdccc4038c86ebc829a9297493659d917ccae6a8f875f0d88e6bd99c9b4c0ad64702af82f448a3a24d6459850ba
SSDEEP: 6144:Cl/wSz9XIMjyTze/Wb5I0HtzvvdIKcsuR4ptBmRmcPMGaKHP7:CltR4M8zsiHhtInVR4pJc5P7
Malware Config
Extracted
amadey
3.80
8c4642
http://193.201.9.240
install_dir: cb7ae701b3
install_file: oneetx.exe
strings_key: c7c0f24aa6d8f611f5533809029a4795
url_paths: /live/games/index.php
Signatures
Amadey family

Executes dropped EXE (3 IoCs)
pid   Process
2616  oneetx.exe
3024  oneetx.exe
1792  oneetx.exe

Loads dropped DLL (2 IoCs)
pid   Process
2224  9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe
2224  9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  oneetx.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cacls.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2988  schtasks.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid   Process
2224  9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe

Suspicious use of WriteProcessMemory (44 IoCs)
The report records each of the 11 distinct entries below four times (44 IoCs in total).
description                       pid   Process                                                                 procid_target
PID 2224 wrote to memory of 2616  2224  9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe  30
PID 2616 wrote to memory of 2988  2616  oneetx.exe                                                              31
PID 2616 wrote to memory of 320   2616  oneetx.exe                                                              33
PID 320 wrote to memory of 2964   320   cmd.exe                                                                 35
PID 320 wrote to memory of 2932   320   cmd.exe                                                                 36
PID 320 wrote to memory of 2816   320   cmd.exe                                                                 37
PID 320 wrote to memory of 2700   320   cmd.exe                                                                 38
PID 320 wrote to memory of 576    320   cmd.exe                                                                 39
PID 320 wrote to memory of 2808   320   cmd.exe                                                                 40
PID 2900 wrote to memory of 3024  2900  taskeng.exe                                                             44
PID 2900 wrote to memory of 1792  2900  taskeng.exe                                                             45
Processes
(Indentation shows the process tree; the bracketed number is the depth given in the report.)

[1] C:\Users\Admin\AppData\Local\Temp\9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95fN.exe"
    PID: 2224
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe"
        PID: 2616
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe" /F
            PID: 2988
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb7ae701b3" /P "Admin:N"&&CACLS "..\cb7ae701b3" /P "Admin:R" /E&&Exit
            PID: 320
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 2964
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "oneetx.exe" /P "Admin:N"
                PID: 2932
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "oneetx.exe" /P "Admin:R" /E
                PID: 2816
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                PID: 2700
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\cb7ae701b3" /P "Admin:N"
                PID: 576
                - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cacls.exe
                Command line: CACLS "..\cb7ae701b3" /P "Admin:R" /E
                PID: 2808
                - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {9A50E808-E848-437D-8334-1F671A772876} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    PID: 2900
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        PID: 3024
        - Executes dropped EXE

    [2] C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\cb7ae701b3\oneetx.exe
        PID: 1792
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 370KB
MD5: f8fd5f898e93865d05b9a1f1fa4ebd80
SHA1: 98612f75f363ef5eeaa44bbc626f6d3f13c2ded0
SHA256: 9bed971fdfce1955f44350eb68cf89e2bc406a4a48cb0eda66606fba70b3c95f
SHA512: 4e15d148ed932b430b3d9ae61d80dc9a19988bdccc4038c86ebc829a9297493659d917ccae6a8f875f0d88e6bd99c9b4c0ad64702af82f448a3a24d6459850ba