Analysis

  • max time kernel
    112s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2024, 13:39

General

  • Target

    3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

  • Size

    80KB

  • MD5

    7cdff1827f0a2e77a0d715f5951558be

  • SHA1

    9a277d0c2d3ec8f61de77c16d138de7b5367a1c3

  • SHA256

    3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae

  • SHA512

    62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2

  • SSDEEP

    1536:BxR5bM9oLiCMsJozgKWNJ4NJxPMg2o1Ej7j:BP5bphozgKWNJ4NJxPR1A7j

Malware Config

Signatures

  • Andromeda family
  • Andromeda, Gamarue

    Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.

  • Detects Andromeda payload. 5 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Blocklisted process makes network request 25 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
    "C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe
      "C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:536
      • C:\Windows\SysWOW64\msiexec.exe
        C:\Windows\syswow64\msiexec.exe
        3⤵
        • Adds policy Run key to start application
        • Blocklisted process makes network request
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:3112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae.exe

    Filesize

    80KB

    MD5

    7cdff1827f0a2e77a0d715f5951558be

    SHA1

    9a277d0c2d3ec8f61de77c16d138de7b5367a1c3

    SHA256

    3272b284899f654b59786c5660fe3acd880653065a70ecaba2341f3b714494ae

    SHA512

    62675a38ef9ba9b0bad79bae8937c25c453e7d821525f585149419a8d0c95ae2f2b80a4e580f4ce8b33ab093c3e757c8e0711fa81fff1b5c6f70f5508d0d66d2

  • memory/536-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/536-3-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3112-6-0x00000000005D0000-0x00000000005E2000-memory.dmp

    Filesize

    72KB

  • memory/3112-8-0x00000000005D0000-0x00000000005E2000-memory.dmp

    Filesize

    72KB

  • memory/3112-10-0x00000000005D0000-0x00000000005E2000-memory.dmp

    Filesize

    72KB

  • memory/3112-11-0x0000000001470000-0x0000000001475000-memory.dmp

    Filesize

    20KB

  • memory/3112-13-0x0000000001470000-0x0000000001475000-memory.dmp

    Filesize

    20KB

  • memory/3112-17-0x0000000001470000-0x0000000001475000-memory.dmp

    Filesize

    20KB