andromeda | 2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ff

General

Target

2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe
Size

145KB
MD5

1fbf613c905f75f696344844e5e7cb20
SHA1

b65c73f6f404aa1deb283d9c2767075b196b6a29
SHA256

2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ff
SHA512

5465807b2e1d0d17ee0372ef3a3c21f6f29ad92c6df159d00ecdb617cc26a224953d1e717ab6d42c4fae95a3b60069fde73732e0b9891c1c43a567657834605c
SSDEEP

1536:8haN2fh0+TTQInoWGJcJJleqt1+Wgx3lFnHmleHSWgLAyXnnLm+AnqXw/hCxueh1:2++TFnoWTTYBB1hHgN1AnqdJr

Score

10^/10

andromeda backdoor botnet discovery

Malware Config

Signatures

Andromeda family
andromeda
Andromeda, Gamarue
Andromeda, also known as Gamarue, is a modular botnet malware primarily used for distributing other types of malware and it's written in C++.
botnet backdoor andromeda

Detects Andromeda payload. 3 IoCs

resource	yara_rule
behavioral1/memory/636-6-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral1/memory/636-4-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda
behavioral1/memory/636-8-0x0000000000400000-0x0000000000409000-memory.dmp	family_andromeda

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2172	2772	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe
636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 432 wrote to memory of 636	432	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	29
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 636 wrote to memory of 2772	636	2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe	30
PID 2772 wrote to memory of 2172	2772	msiexec.exe	31
PID 2772 wrote to memory of 2172	2772	msiexec.exe	31
PID 2772 wrote to memory of 2172	2772	msiexec.exe	31
PID 2772 wrote to memory of 2172	2772	msiexec.exe	31

C:\Users\Admin\AppData\Local\Temp\2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe
"C:\Users\Admin\AppData\Local\Temp\2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe
  "C:\Users\Admin\AppData\Local\Temp\2e60d50e334e7cb3c6909d80e483f76dead0518af306ba9ddda92375a3e6c3ffN.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\syswow64\msiexec.exe
    C:\Windows\syswow64\msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 272
      4⤵
      Program crash
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-2-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/636-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/636-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/636-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/636-8-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2772-11-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/2772-12-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download
memory/2772-14-0x00000000008E0000-0x00000000008F4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing