Analysis
  max time kernel:  147s
  max time network: 143s
  platform:         windows10-2004_x64
  resource:         win10v2004-20241007-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        12-12-2024 02:45

Static task: static1
Behavioral task: behavioral1
  Sample:   ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
  Resource: win7-20240903-en
General
  Target: ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
  Size:   1.3MB
  MD5:    db04aa6e158c5d52c20fc855f5285905
  SHA1:   822416dfa3f094aa6776ed0cad77fb9083db29a3
  SHA256: ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
  SHA512: cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff
  SSDEEP: 24576:wbsh2BfGSklE31Sa1jnzi+k24VR5SLRUyvQAqBYcTHykVbFv4pOdfEPkXsvHo/s/:wbsQf6lEFti+kZRSUJAqB/VRsO/oo/sJ
Malware Config
Extracted
  family:       amadey
  version:      4.18
  botnet:       1cc3fe
  C2:           http://vitantgroup.com
  install_dir:  431a343abc
  install_file: Dctooux.exe
  strings_key:  5a2387e2bfef84adb686c856b4155237
  url_paths:    /xmlrpc.php

The install_dir and install_file combine to the path the sandbox actually observed, %LOCALAPPDATA%\Temp\431a343abc\Dctooux.exe (C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe in the process tree below), so the extracted config and the observed behaviour agree.
Signatures

Amadey family

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                                       Process
  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

Executes dropped EXE (3 IoCs)
  PID   Process
  4596  Dctooux.exe
  2044  Dctooux.exe
  4356  Dctooux.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (21 IoCs)
  NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for the calling thread from being delivered to an attached debugger, a common anti-debugging technique. Calls counted per process:
  PID   Process                                                                   Calls
  3460  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe  1
  4596  Dctooux.exe                                                               16
  2044  Dctooux.exe                                                               2
  4356  Dctooux.exe                                                               2

Drops file in Windows directory (1 IoC)
  description   ioc                            Process
  File created  C:\Windows\Tasks\Dctooux.job   ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
  A .job file under C:\Windows\Tasks is a legacy Task Scheduler (Task Scheduler 1.0 / at.exe style) job. Its name matches the dropped install_file, so this is the persistence artefact to look for when hunting for Dctooux.exe on other hosts.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs; ATT&CK T1614.001)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dctooux.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dctooux.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Dctooux.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  3460  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID   Process
  3460  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe
  4596  Dctooux.exe
  2044  Dctooux.exe
  4356  Dctooux.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        PID   Process                                                                   procid_target
  PID 3460 wrote to memory of 4596   3460  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe  82
  PID 3460 wrote to memory of 4596   3460  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe  82
  PID 3460 wrote to memory of 4596   3460  ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe  82
  All three writes target PID 4596, the child the sample itself creates in the process tree below. A parent writing into a process it has just created is what CreateProcess does while setting the child up, so on its own this signature is not evidence of injection into a foreign process; a write into a process the writer did not create would be.
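The signatures above are behavioural rules over the sandbox's event stream, and the Malware Config section supplies the values a hunter would turn into further rules. The following script is an added example, not Triage's or Amadey's code: it re-implements the report's signatures as plain Python rules, adds one rule derived from the config (C2 host joined with url_path, which is an assumption about how the beacon URL is formed, not something this report observed) and one refinement of the WriteProcessMemory check that distinguishes a write into a freshly created child from a write into an unrelated process. The Event layout and the sample events are constructed to mirror the report's IoC tables; they are not a real sandbox export format.

```python
"""Behavioural rules modelled on the signatures in the report (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Values from the report's "Malware Config" section.
AMADEY_CONFIG = {
    "version": "4.18",
    "botnet": "1cc3fe",
    "c2": "http://vitantgroup.com",
    "install_dir": "431a343abc",
    "install_file": "Dctooux.exe",
    "url_paths": ["/xmlrpc.php"],
}


@dataclass(frozen=True)
class Event:
    kind: str    # reg_query | reg_open | file_create | proc_create | api | mem_write | http
    pid: int     # acting process (for proc_create: the newly created process)
    image: str   # image of the acting process
    target: str  # key path, file path, API name, parent/target pid, or URL


GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
NLS_LANGUAGE = re.compile(r"\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$", re.I)
TASKS_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
# Generalised from the report's install path: %LOCALAPPDATA%\Temp\<10 hex chars>\<name>.exe (assumption).
DROPPED_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.I)
HIDE_FROM_DEBUGGER = "NtSetInformationThread(ThreadHideFromDebugger)"


def c2_urls(cfg):
    """Beacon URLs implied by the config (assumption: C2 host joined with each url_path)."""
    return [cfg["c2"].rstrip("/") + p for p in cfg["url_paths"]]


def spawn_pairs(events):
    """(parent_pid, child_pid) for every recorded process creation."""
    return {(int(ev.target), ev.pid) for ev in events if ev.kind == "proc_create"}


def match(ev, cfg, spawned=frozenset()):
    """Signature names an event triggers, named as in the report."""
    hits = []
    if ev.kind == "reg_query" and GEO_NATION.search(ev.target):
        hits.append("Checks computer location settings")
    if ev.kind == "reg_open" and NLS_LANGUAGE.search(ev.target):
        hits.append("System Location Discovery: System Language Discovery")
    if ev.kind == "file_create" and TASKS_JOB.match(ev.target):
        hits.append("Drops file in Windows directory")
    if ev.kind == "proc_create" and DROPPED_IMAGE.search(ev.image):
        hits.append("Executes dropped EXE")
    if ev.kind == "api" and ev.target == HIDE_FROM_DEBUGGER:
        hits.append("Suspicious use of NtSetInformationThreadHideFromDebugger")
    if ev.kind == "mem_write":
        hits.append("Suspicious use of WriteProcessMemory")
        # A parent writing into the child it just created is normal CreateProcess
        # behaviour; a write into any other process is the injection candidate.
        if (ev.pid, int(ev.target)) not in spawned:
            hits.append("WriteProcessMemory into a process it did not create")
    if ev.kind == "http" and ev.target in c2_urls(cfg):
        hits.append("HTTP request to Amadey C2 URL from config")
    return hits


def summarize(events, cfg):
    """signature -> {pid: count}, the shape of the report's IoC tables."""
    spawned = spawn_pairs(events)
    out = defaultdict(lambda: defaultdict(int))
    for ev in events:
        for name in match(ev, cfg, spawned):
            out[name][ev.pid] += 1
    return {k: dict(v) for k, v in out.items()}


SAMPLE = "ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"

# Constructed events mirroring the report's IoCs (counts reduced); the last line is a
# benign-looking control that must not match any rule.
EVENTS = [
    Event("reg_query", 3460, SAMPLE,
          r"\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation"),
    Event("reg_open", 3460, SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("file_create", 3460, SAMPLE, r"C:\Windows\Tasks\Dctooux.job"),
    Event("api", 3460, SAMPLE, HIDE_FROM_DEBUGGER),
    Event("proc_create", 4596, DROPPED, "3460"),
    Event("mem_write", 3460, SAMPLE, "4596"),
    Event("reg_open", 4596, DROPPED, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    Event("api", 4596, DROPPED, HIDE_FROM_DEBUGGER),
    Event("api", 4596, DROPPED, HIDE_FROM_DEBUGGER),
    Event("file_create", 4596, DROPPED, r"C:\Users\Admin\AppData\Local\Temp\notes.txt"),
]

if __name__ == "__main__":
    for sig, per_pid in summarize(EVENTS, AMADEY_CONFIG).items():
        print(f"{sig}: {per_pid}")
```

The only rule that needs state across events is the WriteProcessMemory refinement, which is why summarize() collects the (parent, child) pairs first and passes them into match(); the regexes accept any ControlSetNNN and any ten-hex-character install directory so the rules carry over to other Amadey configs, not just this one.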
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe  (PID 3460)
    command line: "C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe  (PID 4596, child of 3460)
      command line: "C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

[1] C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe  (PID 2044, no parent recorded)
    command line: C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

[1] C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe  (PID 4356, no parent recorded)
    command line: C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
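The dropped file runs three times, but only one run (PID 4596) is a child of the sample; the other two start at the top level with no parent in the report. Rebuilding the tree from process-creation records and separating descendants of the dropper from detached re-executions is the check an analyst wants here, since repeated detached runs of the installed payload are the footprint of a persistence mechanism re-launching it. The script below is an added example, not part of the report: the records are constructed from the process list above, and because the report gives no parent for PIDs 2044 and 4356 they are recorded with parent_pid=None rather than attributed to any launcher.

```python
"""Process-tree reconstruction for the report's process list (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    parent_pid: Optional[int]   # None when the trace records no parent
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\431a343abc\Dctooux.exe"

# Constructed from the report; quoting of the command lines is kept as shown there.
PROCS = [
    Proc(3460, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(4596, 3460, DROPPED, f'"{DROPPED}"'),
    Proc(2044, None, DROPPED, DROPPED),   # parent not recorded in the report
    Proc(4356, None, DROPPED, DROPPED),   # parent not recorded in the report
]


def build_tree(procs):
    """Return (roots, children): roots have no recorded parent in the trace,
    children maps pid -> list of child Proc records in input order."""
    by_pid = {p.pid: p for p in procs}
    children = {p.pid: [] for p in procs}
    roots = []
    for p in procs:
        if p.parent_pid in by_pid:
            children[p.parent_pid].append(p)
        else:
            roots.append(p)
    return roots, children


def render(procs):
    """Render the tree with the report's depth markers: [1] for roots, [2] for their children."""
    roots, children = build_tree(procs)
    lines = []

    def walk(p, depth):
        lines.append(f"{'  ' * (depth - 1)}[{depth}] PID {p.pid}: {p.cmdline}")
        for c in children[p.pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 1)
    return lines


def detached_runs(procs, image, dropper_pid):
    """PIDs running `image` that are not descendants of dropper_pid.
    This only reports the detached executions; it does not guess what launched them."""
    _, children = build_tree(procs)
    descendants = set()
    stack = list(children.get(dropper_pid, []))
    while stack:
        c = stack.pop()
        descendants.add(c.pid)
        stack.extend(children[c.pid])
    return [p.pid for p in procs
            if p.image.lower() == image.lower() and p.pid not in descendants]


if __name__ == "__main__":
    print("\n".join(render(PROCS)))
    print("detached runs of the dropped file:", detached_runs(PROCS, DROPPED, 3460))
```

On real Sysmon or EDR data the same split is made with the recorded ParentProcessId; a detached run of the installed file whose parent turns out to be the Task Scheduler service ties the execution back to the C:\Windows\Tasks\Dctooux.job artefact flagged in the Signatures section.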
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 79KB
  MD5:      69e5e03a97b2b453e2447c0d2ad5f05a
  SHA1:     36f1f5e779bc5d212288bd8b91e083f9a16f2971
  SHA256:   de6f0bc4d13c5cda49e9f68582c26078c611e46ba07ba942051601209a1d0cae
  SHA512:   5c0171df8d59e728002e97b9e59bbbe23f91c95cc91b1320da8d4e3a293de82a6679d1b58150f77bffe330760c8d2f18c65c261aa3b14d5cf5107817b7879879

  Filesize: 1.3MB  (same hashes as the submitted sample)
  MD5:      db04aa6e158c5d52c20fc855f5285905
  SHA1:     822416dfa3f094aa6776ed0cad77fb9083db29a3
  SHA256:   ced8891ea8d87005de989f25f0f94634d1fc70ebb37302cf21aa0c0b0e13350f
  SHA512:   cdc0ff46ac48178da0a68d4e2601a46a960c3aa998edd66a7bb6a39d1caa7dbbe53f1aa463307a9932996d2993386addc7c54cee73811897b075dd75fbc904ff

  Filesize: 4KB
  MD5:      103aee4a4b19eab69b5d015d0575632c
  SHA1:     8912c0abcea9a67950c7ed16c81a87bfc358f2b4
  SHA256:   fd973eb374e3ba68f501681b7c773c3bc41d87f5f0a455177e53e19ad2f6a950
  SHA512:   f73de06fffd6f93bdf8adbc156b6e4a66b460de45ba37de51b0b8e8bc3603117bd5c1699cc6ce6bed60b441da8199a2a7d85605639b6c84b829c022890631c92