andromeda | 3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae

General

Target

3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
Size

80KB
MD5

7cdff1827f0a2e77a0d715f5951558be
SHA1

9a277d0c2d3ec8f61de77c16d138de7b5367a1c3
SHA256

3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae
SHA512

62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2
SSDEEP

1536:BxR5bM9oLiCMsJozgKWNJ4NJxPMg2o1Ej7j:BP5bphozgKWNJ4NJxPR1A7j

Score

10^/10

andromeda backdoor botnet discovery persistence

Malware Config

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 5 IoCs

resource	yara_rule
behavioral2/memory/536-0-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral2/memory/536-3-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral2/memory/3112-11-0x0000000001470000-0x0000000001475000-memory.dmp	family_andromeda
behavioral2/memory/3112-13-0x0000000001470000-0x0000000001475000-memory.dmp	family_andromeda
behavioral2/memory/3112-17-0x0000000001470000-0x0000000001475000-memory.dmp	family_andromeda

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\42936 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccvubzby.scr"	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
536	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

Blocklisted process makes network request 25 IoCs

flow	pid	Process
14	3112	msiexec.exe
15	3112	msiexec.exe
16	3112	msiexec.exe
17	3112	msiexec.exe
18	3112	msiexec.exe
19	3112	msiexec.exe
20	3112	msiexec.exe
21	3112	msiexec.exe
22	3112	msiexec.exe
26	3112	msiexec.exe
27	3112	msiexec.exe
28	3112	msiexec.exe
29	3112	msiexec.exe
48	3112	msiexec.exe
49	3112	msiexec.exe
50	3112	msiexec.exe
51	3112	msiexec.exe
52	3112	msiexec.exe
53	3112	msiexec.exe
54	3112	msiexec.exe
55	3112	msiexec.exe
56	3112	msiexec.exe
57	3112	msiexec.exe
58	3112	msiexec.exe
60	3112	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 412 set thread context of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccvubzby.scr	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
536	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
536	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85
PID 412 wrote to memory of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85
PID 412 wrote to memory of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85
PID 412 wrote to memory of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85
PID 412 wrote to memory of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85
PID 412 wrote to memory of 536	412	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	85
PID 536 wrote to memory of 3112	536	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	86
PID 536 wrote to memory of 3112	536	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	86
PID 536 wrote to memory of 3112	536	3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe	86

C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
"C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
  "C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe
    3⤵
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

Filesize
80KB

MD5
7cdff1827f0a2e77a0d715f5951558be

SHA1
9a277d0c2d3ec8f61de77c16d138de7b5367a1c3

SHA256
3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae

SHA512
62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2

Download Submit
memory/536-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/536-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3112-6-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/3112-8-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/3112-10-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/3112-11-0x0000000001470000-0x0000000001475000-memory.dmp

Filesize
20KB

Download
memory/3112-13-0x0000000001470000-0x0000000001475000-memory.dmp

Filesize
20KB

Download
memory/3112-17-0x0000000001470000-0x0000000001475000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads