Analysis
-
max time kernel
149s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
12-12-2024 02:45
Static task
static1
Behavioral task
behavioral1
Sample
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
Resource
win7-20240903-en
General
-
Target
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
-
Size
1.3MB
-
MD5
db04aa6e158c5d52c20fc855f5285905
-
SHA1
822416dfa3f094aa6776ed0cad77fb9083db29a3
-
SHA256
ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
-
SHA512
cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
-
SSDEEP
24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ
Malware Config
Extracted
amadey
4.18
1cc3fe
http://vitantgroup.com
-
install_dir
431a343abc
-
install_file
Dctooux.exe
-
strings_key
5a2387e2bfef84adb686c856b4155237
-
url_paths
/xmlrpc.php
Signatures
-
Amadey family
-
Executes dropped EXE 1 IoCs
pid Process
2316 Dctooux.exe -
Loads dropped DLL 1 IoCs
pid Process
2508 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs
pid Process
2508 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
2316 Dctooux.exe (16 occurrences) -
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\Tasks\Dctooux.job ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dctooux.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2508 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2508 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
2316 Dctooux.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target
PID 2508 wrote to memory of 2316 2508 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe 30 (4 occurrences)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2316
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.3MB
MD5 db04aa6e158c5d52c20fc855f5285905
SHA1 822416dfa3f094aa6776ed0cad77fb9083db29a3
SHA256 ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
SHA512 cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
-
Filesize
73KB
MD5 0e97dbb7efb123da2a568ebf8e85b55a
SHA1 0e019324f7b5fa2edf2adb40f5a88113255b98f2
SHA256 4e1eddeaab78adcf6683207f8470333b5d4a5bcfb06d650c74785d68fe1d63d1
SHA512 28dffe13728991f9e723fdf8f3772a6512872a89d0eb94ab840038d1a1dc131fc10822badfe9240d35d1b2bc300dddaa8d2f00dd7b0d866e8b399645a2655e82
-
Filesize
4KB
MD5 6daf71ad2aebac2c925bb62ae09be955
SHA1 07166aba28226bce840eeb173b5f8f6025155ab9
SHA256 a75e43a5bd3c63fbf556d7cf8435046148aa8557c3ad9b9d278ac556fdbac144
SHA512 18caa503751281a46b58cbd2a1267c8136365883bb04d85671f6afc5ec579fb19ac7f8d3226b3d8d9e1d4467ba92ab4d5f757a4cf099d2e5066c171051e8c78d