Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/07/2025, 07:07

General

  • Target

    2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe

  • Size

    7.0MB

  • MD5

    e401a72a05ca2768dece12eb9f901cd4

  • SHA1

    6820c628ab059ae5d6e14b699d291d00bb3c3536

  • SHA256

    bca462cb28356dd4319a25e4680159433f6c3ba373bbd783b6f84163139f9dce

  • SHA512

    d76425266de993463f04b7797a46a81aa2c4f1ae9a2fbfeebd38393bdb8c0829856116421f32d6c7fcdd391d8dbc4bfe61286141ddf0c64d33bafedc4215df8e

  • SSDEEP

    98304:xYOXwnS4rVjx1LVt0Q7+Cga0Kt14vgvK0pR7Xn4TiRCvJ7:mIG1Jjj14YF7XnKPZ

Malware Config

Signatures

  • Drops startup file (2 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses (60 IoCs)
  • Suspicious use of WriteProcessMemory (14 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe
        "C:\Users\Admin\AppData\Local\Temp\2025-07-01_e401a72a05ca2768dece12eb9f901cd4_amadey_black-basta_coinminer_elex_luca-stealer_magniber_.exe"
        2⤵
        • Drops startup file
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4012
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3912
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3340

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe

    Filesize

    7.1MB

    MD5

    16840829526086e6aabae7ef10a58d00

    SHA1

    0b66cc86125f1c04e019ccb45e557c823c6e6adc

    SHA256

    4a60415653f0814b4b0fff9206d5929d56679bbddf4e6b02299243c771d6e39a

    SHA512

    51cc6f6f2afa6c287769fb469770ff06833ae10483dbf9868d63da040613c433d23ee76856d96c3f2d7bef09f5b5cd4a56bf10a8a7933ee032d153f4b4635547

  • C:\Program Files\dotnet\dotnet.exe

    Filesize

    7.2MB

    MD5

    a12ba6f7507a071274cb9fc364361560

    SHA1

    be5b08de6ec26bc03f7debdb4127b699554fb4e7

    SHA256

    3291ea85fa82fcfb1184c9cd34fa266b1a7b607c1878d895aec61f3905beae86

    SHA512

    a7498997f1291521fa2880e53ddf44636d9ca1840a7c00694b2c2697d5fdcbc11d3e540e581a05fe27610424f2e171247fb69b9baf649a2491b74fbf3567b0c1

  • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

    Filesize

    7.5MB

    MD5

    1cc19e4fda96278b8a120bdb3fa9e5ec

    SHA1

    97f2d293b63e2f22012f7c037c2be7a6e68f9b3a

    SHA256

    b6ff4f2c3d33ad69e9bb1ebb28568522cc1035418dc7dde10a476e69aeda24aa

    SHA512

    3a41da10f1780572945bf32f25a4482a019ebe0372c70c0755df7797be9ebfe53e1f7270595746525e293ce97919027456f020be7089ece0a2fed463c1dfdfe6

  • F:\$RECYCLE.BIN\S-1-5-21-2866795425-63786011-2927312124-1000\_desktop.ini

    Filesize

    8B

    MD5

    24c49e895be062b0bc063b7f1d713545

    SHA1

    096a87b1f8369fb3a4c4fc8323606dad58b8e790

    SHA256

    c18ba10163eca907f0f0957d320e3f831cdfaf81758c3a3a7aef62236d4d3f2f

    SHA512

    ae5d7fd55ea8caaea714d7baf66fe7c074e5d12d81bb10a774965ed23fd4d1dae5d2820c811bcbc5c84eab6aa7a2d6b8e81aef19875d87f62910c7387ec24f36

  • memory/3204-0-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

  • memory/3204-3-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB