Resubmissions

  Submitted               Analysis ID         Score
  13/02/2025, 01:26 UTC   250213-btppra1pcz   10
  17/01/2025, 20:14 UTC   250117-yz7h3s1qfw   10
  17/01/2025, 20:12 UTC   250117-yy9l2sslcr   10
  17/01/2025, 17:25 UTC   250117-vy9p9sxpez   10
  17/01/2025, 17:21 UTC   250117-vw8eesyjfp   10
  17/01/2025, 14:16 UTC   250117-rk9ass1rhk   10
  17/01/2025, 14:12 UTC   250117-rhv1ds1lds   10
  16/01/2025, 12:52 UTC   250116-p4et7a1mez   10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2025, 17:25 UTC

General

  • Target

    Malware-1-master/Amadey.exe

  • Size

    49KB

  • MD5

    871294e398217876017702c96d0e7854

  • SHA1

    35a22da1522bf86659576ed59235f8ed7029e79b

  • SHA256

    7fd898dde3a7ed047657e3dc81c3de50ed381857edc53744664332fd98476c54

  • SHA512

    047237e3a615839918fe32662524f2de5455734a01cbb2f66017c636f3d08207b3aead79cdff9a94729550ad7eddc2b5950d5e774fb25fba2d0d69e048ca7fe5

  • SSDEEP

    768:AN4a7os+Bd1CiSJfBFdiGOsSyS5/hhurlzdx:3a2xC5+YSyE/hgpzH

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier whose ZoneId value is the Mark-of-the-Web (MOTW). SmartScreen and Office Protected View consult this stream before a file is opened, so a process that writes, rewrites or strips it on an executable changes how Windows will treat that file.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NTFS ADS 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
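The two signatures above that concern NTFS streams (Mark-of-the-Web Bypass and NTFS ADS) both fire on the parent Amadey.exe process, which also drops a copy of itself into C:\ProgramData. The following is an added example for this report, not part of the sandbox's tooling: it parses the text of a Zone.Identifier stream, classifies its zone, reads the stream from a file when run on NTFS, and flags the case an analyst cares about here, a downloaded file (zone 3 or 4) whose dropped copy carries no Internet mark. The stream contents used as input are constructed; the URLs in them are placeholders and do not come from the analysed files.

```python
"""Parse and classify a Zone.Identifier alternate data stream (Mark-of-the-Web).

Added example, not the sandbox's code. Sample stream text below is constructed.
Real streams are read from <file>:Zone.Identifier on NTFS volumes.
"""
import os
from typing import Optional

# URLMON security-zone numbers as written into the ZoneId= field.
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block into a dict.

    Keys: zone_id (int or None), zone_name, referrer_url, host_url.
    A missing or non-numeric ZoneId is reported as None, never guessed.
    """
    fields = {}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone_id: Optional[int] = None
    if fields.get("zoneid", "").isdigit():
        zone_id = int(fields["zoneid"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown") if zone_id is not None else None,
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
    }


def read_motw(path: str) -> Optional[dict]:
    """Read <path>:Zone.Identifier if present (Windows/NTFS only); None when absent.

    CPython's open() passes the ':stream' suffix straight to CreateFile, so the
    ADS can be read like a file. FileNotFoundError means the file has no mark.
    """
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


def motw_lost_on_copy(parent: Optional[dict], child: Optional[dict]) -> bool:
    """True when the parent carried an Internet/Restricted mark and its copy does not.

    This is the condition behind the 'Mark-of-the-Web Bypass' signature: a
    downloaded executable re-creating itself without the zone information.
    """
    return (
        parent is not None
        and parent["zone_id"] in (3, 4)
        and (child is None or child["zone_id"] not in (3, 4))
    )


# Constructed sample streams (placeholder URLs, not from the analysed files).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/Malware-1-master.zip\r\n"
)
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"
```

On a Windows host, `motw_lost_on_copy(read_motw(r"...\Amadey.exe"), read_motw(r"C:\ProgramData\1be588a5b7\gdsun.exe"))` expresses the check directly; the sandbox report itself does not print the stream contents, so the verdict on this particular drop has to come from the host, not from the page.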

Processes

  • C:\Users\Admin\AppData\Local\Temp\Malware-1-master\Amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\Malware-1-master\Amadey.exe"
    1⤵
    • Subvert Trust Controls: Mark-of-the-Web Bypass
    • System Location Discovery: System Language Discovery
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:1460
    • \??\c:\programdata\1be588a5b7\gdsun.exe
      c:\programdata\1be588a5b7\gdsun.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Windows\SysWOW64\REG.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4456
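The REG ADD at depth 3 is the persistence step of this chain. The Startup value under HKCU\...\Explorer\User Shell Folders tells Explorer where the per-user Startup folder lives; pointing it at C:\ProgramData\1be588a5b7, the directory into which gdsun.exe (a byte-identical copy of Amadey.exe, see the Downloads section) was written, makes everything in that directory launch at the next logon without touching a Run key or the real Startup folder. The following is an added example, not the sandbox's own detection logic: it parses process-creation command lines and flags any reg.exe ADD that sets that value to a non-default path. The first record is the exact command from the tree above; the other records are constructed to show a benign reset, an unrelated Run-key write and a read-only query.

```python
"""Flag REG ADD commands that redirect the per-user Startup folder.

Added example for this report, not the sandbox's detection code. Only the
PID 4456 command line is taken from the report; the rest are constructed.
"""
import re
from typing import Optional

# Default data Explorer expects for User Shell Folders\Startup (REG_EXPAND_SZ).
DEFAULT_STARTUP = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
USER_SHELL_FOLDERS = r"software\microsoft\windows\currentversion\explorer\user shell folders"

# cmd-style tokeniser: a double-quoted run or a bare non-space run.
_ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list:
    # findall yields '' for the non-matching group, so 'q or b' picks the hit.
    return [q or b for q, b in _ARG.findall(cmdline)]


def startup_redirect(cmdline: str) -> Optional[dict]:
    """Return details when cmdline sets User Shell Folders\\Startup to a non-default path.

    Matches reg / reg.exe ADD regardless of case, quoting or full path, with
    /v and /d in any order. Returns None for anything else, including a
    command that restores the default location.
    """
    args = split_cmdline(cmdline)
    if len(args) < 3:
        return None
    exe = args[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe") or args[1].lower() != "add":
        return None
    key = args[2].lower()
    if not key.endswith(USER_SHELL_FOLDERS):
        return None
    value_name = data = None
    for i in range(3, len(args)):
        a = args[i].lower()
        if a == "/v" and i + 1 < len(args):
            value_name = args[i + 1]
        elif a == "/d" and i + 1 < len(args):
            data = args[i + 1]
    if value_name is None or value_name.lower() != "startup" or data is None:
        return None
    if data.lower().rstrip("\\") == DEFAULT_STARTUP.lower().rstrip("\\"):
        return None
    return {
        "hive": key.split("\\", 1)[0].upper(),
        "new_startup_dir": data,
        "force": "/f" in (x.lower() for x in args),
    }


# Constructed process-creation records (pid, command line). The first is the
# command observed in this report; the others are made up for contrast.
SAMPLE_EVENTS = [
    (4456, r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\1be588a5b7'),
    (5000, r'reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" /f'),
    (5001, r'C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Tools\u.exe'),
    (5002, r'REG QUERY "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'),
]


def scan(events) -> list:
    """Return (pid, finding) for every event that redirects the Startup folder."""
    out = []
    for pid, cmd in events:
        hit = startup_redirect(cmd)
        if hit:
            out.append((pid, hit))
    return out
```

The same check belongs on the registry side as well: a Sysmon event 13 (RegistryEvent SetValue) for that value name with data outside %USERPROFILE% catches variants that set the key through the API instead of reg.exe, which this command-line parser will not see.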

Network

DNS requests (all sent to the resolver at 8.8.8.8:53; "none" means a reply arrived without answer records)

  Process     Query                           Type  Answer
  gdsun.exe   gucciai.net                     A     none
  -           228.249.119.40.in-addr.arpa     PTR   none
  -           133.32.126.40.in-addr.arpa      PTR   none
  -           245.131.30.184.in-addr.arpa     PTR   a184-30-131-245.deploy.static.akamaitechnologies.com
  -           217.106.137.52.in-addr.arpa     PTR   none
  -           50.23.12.20.in-addr.arpa        PTR   none
  -           18.31.95.13.in-addr.arpa        PTR   none
  -           172.210.232.199.in-addr.arpa    PTR   none
  gdsun.exe   gucciai.net                     A     none
  -           22.49.80.91.in-addr.arpa        PTR   none
  -           22.236.111.52.in-addr.arpa      PTR   none
  -           20.49.80.91.in-addr.arpa        PTR   none
  gdsun.exe   gucciai.net                     A     none

Connections (remote address 8.8.8.8:53, protocol dns)

  Domain                          Process     Sent   Received  Packets sent  Packets received
  gucciai.net                     gdsun.exe   57 B   130 B     1             1
  228.249.119.40.in-addr.arpa     -           73 B   159 B     1             1
  133.32.126.40.in-addr.arpa      -           72 B   158 B     1             1
  245.131.30.184.in-addr.arpa     -           73 B   139 B     1             1
  217.106.137.52.in-addr.arpa     -           73 B   147 B     1             1
  50.23.12.20.in-addr.arpa        -           70 B   156 B     1             1
  18.31.95.13.in-addr.arpa        -           70 B   144 B     1             1
  172.210.232.199.in-addr.arpa    -           74 B   128 B     1             1
  gucciai.net                     gdsun.exe   57 B   130 B     1             1
  22.49.80.91.in-addr.arpa        -           70 B   145 B     1             1
  22.236.111.52.in-addr.arpa      -           72 B   158 B     1             1
  20.49.80.91.in-addr.arpa        -           70 B   145 B     1             1
  gucciai.net                     gdsun.exe   57 B   130 B     1             1
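The only name resolution the report attributes to the malware is gucciai.net, queried three times by gdsun.exe for an A record and answered each time without records; the reverse (PTR) lookups carry no process attribution and one of them resolved to an Akamai host. Nothing else follows on the wire, so the report does not show what gdsun.exe would have done had the name resolved. The following is an added example, not the sandbox's analysis code: it takes a constructed DNS log modelled on the entries above, separates reverse-lookup noise from forward queries, groups forward queries by process and name, and surfaces names a process asked for repeatedly without ever receiving an answer. The record layout (process, qname, qtype, answers) is an assumption for the example.

```python
"""Separate a process's own name resolutions from resolver noise in a DNS log.

Added example for this report, not the sandbox's code. DNS_LOG is constructed
from the Network section: three unanswered A queries for gucciai.net by
gdsun.exe, plus unattributed PTR lookups, one of which resolved.
"""
from collections import defaultdict

# (process or None, qname, qtype, answers). An empty answers list means a
# reply came back with no records, which is what the report shows.
DNS_LOG = [
    ("gdsun.exe", "gucciai.net", "A", []),
    (None, "228.249.119.40.in-addr.arpa", "PTR", []),
    (None, "245.131.30.184.in-addr.arpa", "PTR",
     ["a184-30-131-245.deploy.static.akamaitechnologies.com"]),
    ("gdsun.exe", "gucciai.net", "A", []),
    (None, "22.49.80.91.in-addr.arpa", "PTR", []),
    ("gdsun.exe", "gucciai.net", "A", []),
]


def is_reverse_lookup(qname: str) -> bool:
    return qname.lower().rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa"))


def ptr_to_ip(qname: str) -> str:
    """228.249.119.40.in-addr.arpa -> 40.119.249.228 (IPv4 reverse names only)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 reverse name: %s" % qname)
    return ".".join(reversed(labels[:4]))


def summarise(log) -> dict:
    """Group forward queries by (process, qname); map reverse lookups to their IP.

    Returns {"forward": {(proc, qname): {"attempts": n, "resolved": n}},
             "reverse": {ip: ptr_name_or_None}}.
    """
    forward = defaultdict(lambda: {"attempts": 0, "resolved": 0})
    reverse = {}
    for proc, qname, qtype, answers in log:
        if is_reverse_lookup(qname):
            ip = ptr_to_ip(qname)
            reverse[ip] = answers[0] if answers else reverse.get(ip)
            continue
        key = (proc, qname.lower().rstrip("."))
        forward[key]["attempts"] += 1
        if answers:
            forward[key]["resolved"] += 1
    return {"forward": dict(forward), "reverse": reverse}


def unresolved_beacons(log, min_attempts: int = 2) -> list:
    """Forward names a known process asked for repeatedly and never got answered.

    Repeated lookups of a name that never resolves, issued by a freshly dropped
    executable, are the retry pattern of a client whose server is down or
    sinkholed, so they are worth surfacing even though no connection followed.
    Unattributed queries are excluded because they cannot be tied to the sample.
    """
    forward = summarise(log)["forward"]
    return sorted(
        (proc, name, stats["attempts"])
        for (proc, name), stats in forward.items()
        if proc and stats["resolved"] == 0 and stats["attempts"] >= min_attempts
    )
```

For a real pivot, the three 130-byte replies in the Connections table are the place to look: a reply of that size for an 11-character name with no answer section suggests an NXDOMAIN or an empty answer with an SOA in the authority section, which the report does not decode.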

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\1be588a5b7\gdsun.exe

    Filesize

    49KB

    MD5

    871294e398217876017702c96d0e7854

    SHA1

    35a22da1522bf86659576ed59235f8ed7029e79b

    SHA256

    7fd898dde3a7ed047657e3dc81c3de50ed381857edc53744664332fd98476c54

    SHA512

    047237e3a615839918fe32662524f2de5455734a01cbb2f66017c636f3d08207b3aead79cdff9a94729550ad7eddc2b5950d5e774fb25fba2d0d69e048ca7fe5

  • memory/1460-14-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/4316-15-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB
