andromeda | 212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20c

General

Target

212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe
Size

92KB
MD5

c7c14639d3f4bad55e2f9e30414e30e0
SHA1

416e5018f9914b697a17a355d11f9731e6efbd96
SHA256

212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20c
SHA512

d706f5e21dd8e8f5bfca30c9909adcd2c5474d2c28fc0afdd9cc247e512ccff5582ee6c3671f8a4b964ecb723ce97393d1d9e76785efc77ab103f07508b2cc4d
SSDEEP

1536:BxR5bM9oLiCMsJozgKWNJ4NJxPMg2o1Ej7nU:BP5bphozgKWNJ4NJxPR1A7nU

Score

10^/10

andromeda backdoor botnet discovery persistence

Malware Config

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 5 IoCs

resource	yara_rule
behavioral2/memory/4024-0-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral2/memory/4024-4-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral2/memory/2384-12-0x0000000001350000-0x0000000001355000-memory.dmp	family_andromeda
behavioral2/memory/2384-14-0x0000000001350000-0x0000000001355000-memory.dmp	family_andromeda
behavioral2/memory/2384-18-0x0000000001350000-0x0000000001355000-memory.dmp	family_andromeda

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\22240 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\ccjevgdep.exe"	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4024	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe

Blocklisted process makes network request 25 IoCs

flow	pid	Process
14	2384	msiexec.exe
15	2384	msiexec.exe
16	2384	msiexec.exe
19	2384	msiexec.exe
22	2384	msiexec.exe
23	2384	msiexec.exe
24	2384	msiexec.exe
25	2384	msiexec.exe
26	2384	msiexec.exe
27	2384	msiexec.exe
28	2384	msiexec.exe
31	2384	msiexec.exe
32	2384	msiexec.exe
56	2384	msiexec.exe
57	2384	msiexec.exe
58	2384	msiexec.exe
59	2384	msiexec.exe
60	2384	msiexec.exe
61	2384	msiexec.exe
62	2384	msiexec.exe
63	2384	msiexec.exe
64	2384	msiexec.exe
65	2384	msiexec.exe
66	2384	msiexec.exe
67	2384	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\ccjevgdep.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4024	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe
4024	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83
PID 4328 wrote to memory of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83
PID 4328 wrote to memory of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83
PID 4328 wrote to memory of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83
PID 4328 wrote to memory of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83
PID 4328 wrote to memory of 4024	4328	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	83
PID 4024 wrote to memory of 2384	4024	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	84
PID 4024 wrote to memory of 2384	4024	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	84
PID 4024 wrote to memory of 2384	4024	212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe	84

C:\Users\Admin\AppData\Local\Temp\212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe
"C:\Users\Admin\AppData\Local\Temp\212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Users\Admin\AppData\Local\Temp\212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe
  "C:\Users\Admin\AppData\Local\Temp\212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe
    3⤵
    - Adds policy Run key to start application
    - Blocklisted process makes network request
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20cN.exe

Filesize
92KB

MD5
c7c14639d3f4bad55e2f9e30414e30e0

SHA1
416e5018f9914b697a17a355d11f9731e6efbd96

SHA256
212bfb2513937e0f21b91a6e6d13f283df9cdbb41c3b87101432b38caff5d20c

SHA512
d706f5e21dd8e8f5bfca30c9909adcd2c5474d2c28fc0afdd9cc247e512ccff5582ee6c3671f8a4b964ecb723ce97393d1d9e76785efc77ab103f07508b2cc4d

Download Submit
memory/2384-7-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2384-9-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2384-11-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download
memory/2384-12-0x0000000001350000-0x0000000001355000-memory.dmp

Filesize
20KB

Download
memory/2384-14-0x0000000001350000-0x0000000001355000-memory.dmp

Filesize
20KB

Download
memory/2384-18-0x0000000001350000-0x0000000001355000-memory.dmp

Filesize
20KB

Download
memory/4024-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4024-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads