andromeda | e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28

Resubmissions

16/01/2025, 06:01

250116-gq1whavrgy 10

16/01/2025, 05:29

250116-f6vtravrfn 10

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16/01/2025, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
Size

284KB
MD5

35b803718620e93d26e57596887ccfd4
SHA1

61e4a8cb8cc84acd6a846236964c2dc97065d346
SHA256

e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28
SHA512

9bfa9aff504396b08415a0361f34e985c9dde2e109d8a3d5dec71a83bf25b832781572ccc6164c23d602807fc108b2f53e41874578a5d4afb88b2c81f73bfe12
SSDEEP

3072:mSQ0EWVwZhKxC5Rt+k60Zh+qw6PYSsszfHZTZJ2lCi:mPA6wxmuJspr2l3

Score

10^/10

andromeda backdoor botnet discovery persistence upx

Malware Config

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 2 IoCs

resource	yara_rule
behavioral2/memory/2668-61-0x0000000001280000-0x0000000001285000-memory.dmp	family_andromeda
behavioral2/memory/2668-65-0x0000000001280000-0x0000000001285000-memory.dmp	family_andromeda

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\37538 = "C:\\PROGRA~3\\LOCALS~1\\Temp\\msbfzl.exe"	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe

Executes dropped EXE 3 IoCs

pid	Process
2432	skyrpe.exe
3180	skyrpe.exe
3308	skyrpe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\skype\\skyrpe.exe"	reg.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\enum	skyrpe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	skyrpe.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1576 set thread context of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 2432 set thread context of 3180	2432	skyrpe.exe	97
PID 2432 set thread context of 3308	2432	skyrpe.exe	98

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4424-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4424-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4424-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4424-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/4424-57-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3180-67-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\LOCALS~1\Temp\msbfzl.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skyrpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skyrpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skyrpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3308	skyrpe.exe
3308	skyrpe.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3308	skyrpe.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe
Token: SeDebugPrivilege	3180	skyrpe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
2432	skyrpe.exe
3180	skyrpe.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 1576 wrote to memory of 4424	1576	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	90
PID 4424 wrote to memory of 4548	4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	91
PID 4424 wrote to memory of 4548	4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	91
PID 4424 wrote to memory of 4548	4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	91
PID 4548 wrote to memory of 2964	4548	cmd.exe	94
PID 4548 wrote to memory of 2964	4548	cmd.exe	94
PID 4548 wrote to memory of 2964	4548	cmd.exe	94
PID 4424 wrote to memory of 2432	4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	95
PID 4424 wrote to memory of 2432	4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	95
PID 4424 wrote to memory of 2432	4424	e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe	95
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3180	2432	skyrpe.exe	97
PID 2432 wrote to memory of 3308	2432	skyrpe.exe	98
PID 2432 wrote to memory of 3308	2432	skyrpe.exe	98
PID 2432 wrote to memory of 3308	2432	skyrpe.exe	98
PID 2432 wrote to memory of 3308	2432	skyrpe.exe	98
PID 2432 wrote to memory of 3308	2432	skyrpe.exe	98
PID 2432 wrote to memory of 3308	2432	skyrpe.exe	98
PID 3308 wrote to memory of 2668	3308	skyrpe.exe	99
PID 3308 wrote to memory of 2668	3308	skyrpe.exe	99
PID 3308 wrote to memory of 2668	3308	skyrpe.exe	99

C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
"C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe
  "C:\Users\Admin\AppData\Local\Temp\e5e0303841d217bb73f26c57848908d9c8c71478bc992b0a841475c39b59cb28.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LIITQ.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Skype" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2964
- - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
    "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
      "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3180
  - - C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe
      "C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3308
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\syswow64\svchost.exe
        5⤵
        Adds policy Run key to start application
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LIITQ.txt

Filesize
139B

MD5
0654f004b2e314bad7f75867e91da37d

SHA1
4232c22e7340b12108d86e3cb35ed288a3dbc7f1

SHA256
ead325a060300a9606a3f0f14694be39a3e4006a60c6c3eb0bea5d6f98192249

SHA512
dda135cdfca90a742d42b4c7a5e7f5df6580ec428302a8f0c311f5b92eb08dda75774e0c7497110faffbe2dfa02b30d2dfe35ec2848a275f53be8d930c7aa553

Download Submit
C:\Users\Admin\AppData\Roaming\skype\skyrpe.exe

Filesize
284KB

MD5
50b2ebdc16f603916f035426269d3936

SHA1
24a317add9da5380bd41fd4e81ab2242fefb7640

SHA256
b50af5ce654ed4a4a1c23987f57e7d4fbebc1ca9c769a03246da9bd0a8438b3a

SHA512
0402b2b589545ff110825862ada82d45fff28b6c1e780a8af0ab7477f38aed31fad0ffb1d9028c53ac243262f1f467773c65d9acf844ca87f8dc3bb455ca88ec

Download Submit
memory/1576-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1576-2-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1576-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1576-4-0x0000000002A50000-0x0000000002A51000-memory.dmp

Filesize
4KB

Download
memory/1576-3-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/2432-37-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-38-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-43-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2432-53-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2668-69-0x0000000000C80000-0x0000000000C85000-memory.dmp

Filesize
20KB

Download
memory/2668-65-0x0000000001280000-0x0000000001285000-memory.dmp

Filesize
20KB

Download
memory/2668-61-0x0000000001280000-0x0000000001285000-memory.dmp

Filesize
20KB

Download
memory/3180-67-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3308-51-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3308-46-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4424-57-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4424-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4424-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4424-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4424-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download