Analysis
-
max time kernel
146s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
14-05-2022 13:50
General
-
Target
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
-
Size
383KB
-
MD5
56d9df4afbbaee34afb646e85fb4419d
-
SHA1
0ad215a57d93b70fa3a137060f5f5a3369d4f542
-
SHA256
87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
-
SHA512
1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
Malware Config
Extracted
amadey
3.08
179.43.154.147/d2VxjasuwS/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe"C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\1000164000\Setup.exe"C:\Users\Admin\AppData\Roaming\1000164000\Setup.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 15⤵
-
C:\Windows\system32\timeout.exetimeout /t 16⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 12522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2656 -ip 26561⤵
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeC:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 5082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1092 -ip 10921⤵
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeC:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 3642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3936 -ip 39361⤵
-
C:\Windows\system32\timeout.exetimeout /t 11⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeC:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeFilesize
383KB
MD556d9df4afbbaee34afb646e85fb4419d
SHA10ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA25687995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA5121178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeFilesize
383KB
MD556d9df4afbbaee34afb646e85fb4419d
SHA10ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA25687995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA5121178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeFilesize
383KB
MD556d9df4afbbaee34afb646e85fb4419d
SHA10ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA25687995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA5121178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeFilesize
383KB
MD556d9df4afbbaee34afb646e85fb4419d
SHA10ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA25687995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA5121178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
-
C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exeFilesize
383KB
MD556d9df4afbbaee34afb646e85fb4419d
SHA10ad215a57d93b70fa3a137060f5f5a3369d4f542
SHA25687995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
SHA5121178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEFilesize
115.4MB
MD59298cd89ec8a1a58457226d15ffdeba6
SHA1071171913c0efad737e2aca675cbf604b76d716c
SHA2560f41049b9188359f8101d9ff4b794fd295409b1ad356ab0bb4754530e6478cf0
SHA5127e2221ed1143369eea6d207d6d3491826b38e3e43fb2e8f1b9c5972f0d2dbf5ab0a6befb1ff50ddff69c464fc2c28e4c6143cb7aadfa5cafce087273bddc37a5
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXEFilesize
126.2MB
MD5416129fc85326b1711fa9392867eeaf2
SHA132a2f488e9f0fe258a880293a9fd7d61451e75a9
SHA2565a0243637342d2111a22452565863694c2c2ab4a5fefabd8f890c806542ccf0b
SHA512cbcefe198da9fb6b4fd8233a6f817b1b8e544cd2944df625e6e8bc11f9f52f70f6bd3b81134df03c5a93f25f84d79c80645867b2b4f59c98a1e1d8d6d6fb5f11
-
C:\Users\Admin\AppData\Roaming\1000164000\Setup.exeFilesize
1.2MB
MD53b40aa6bd50cdf50cee0ec1d2e1e6666
SHA19359abcc95789309708ec14c7ca562ce84036aee
SHA256530341b57e68e71c25a0562298f37e93c13185e0542ef64dd328cc12395e4f46
SHA512f40e9fbfc85ab027a9617eb893f29090502514bba511e950af2845a9536dad492a67eef6d13b4a7ae0e9ff2c9240bdb7ea25c7a7f5cf5e6e4cd1324cd43856e5
-
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dllFilesize
126KB
MD5b74b2173abbc5a72d47143c1ba62c97c
SHA1b8d17f4f90fbc3b1347c12caf844354b65184735
SHA2568dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75
SHA512ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac
-
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dllFilesize
126KB
MD5b74b2173abbc5a72d47143c1ba62c97c
SHA1b8d17f4f90fbc3b1347c12caf844354b65184735
SHA2568dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75
SHA512ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac
-
memory/212-189-0x0000000000000000-mapping.dmp
-
memory/440-183-0x0000000000000000-mapping.dmp
-
memory/516-173-0x0000000000000000-mapping.dmp
-
memory/672-168-0x0000000000000000-mapping.dmp
-
memory/820-166-0x0000000000000000-mapping.dmp
-
memory/960-184-0x0000000000000000-mapping.dmp
-
memory/1092-144-0x0000000000794000-0x00000000007B2000-memory.dmpFilesize
120KB
-
memory/1092-145-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/1196-193-0x0000000000000000-mapping.dmp
-
memory/1236-171-0x0000000000000000-mapping.dmp
-
memory/1824-163-0x0000000000000000-mapping.dmp
-
memory/1940-161-0x0000000000000000-mapping.dmp
-
memory/1972-196-0x0000000000000000-mapping.dmp
-
memory/2044-159-0x0000000000000000-mapping.dmp
-
memory/2216-192-0x0000000000000000-mapping.dmp
-
memory/2316-157-0x0000000000000000-mapping.dmp
-
memory/2376-160-0x0000000000000000-mapping.dmp
-
memory/2468-156-0x00007FF8BF790000-0x00007FF8C0251000-memory.dmpFilesize
10.8MB
-
memory/2468-155-0x0000025AE3FB0000-0x0000025AE4092000-memory.dmpFilesize
904KB
-
memory/2468-197-0x0000025AFFDD0000-0x0000025AFFE20000-memory.dmpFilesize
320KB
-
memory/2468-152-0x0000000000000000-mapping.dmp
-
memory/2628-182-0x0000000000000000-mapping.dmp
-
memory/2656-135-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/2656-134-0x0000000000650000-0x0000000000688000-memory.dmpFilesize
224KB
-
memory/2656-133-0x00000000006EE000-0x000000000070C000-memory.dmpFilesize
120KB
-
memory/2804-187-0x0000000000000000-mapping.dmp
-
memory/3140-164-0x0000000000000000-mapping.dmp
-
memory/3200-176-0x0000000000000000-mapping.dmp
-
memory/3208-190-0x0000000000000000-mapping.dmp
-
memory/3228-137-0x0000000000000000-mapping.dmp
-
memory/3292-172-0x0000000000000000-mapping.dmp
-
memory/3320-175-0x0000000000000000-mapping.dmp
-
memory/3372-191-0x0000000000000000-mapping.dmp
-
memory/3584-179-0x0000000000000000-mapping.dmp
-
memory/3632-180-0x0000000000000000-mapping.dmp
-
memory/3700-140-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/3700-130-0x0000000000000000-mapping.dmp
-
memory/3700-139-0x000000000058E000-0x00000000005AC000-memory.dmpFilesize
120KB
-
memory/3720-174-0x0000000000000000-mapping.dmp
-
memory/3784-186-0x0000000000000000-mapping.dmp
-
memory/3928-170-0x0000000000000000-mapping.dmp
-
memory/3936-151-0x0000000000400000-0x00000000004A6000-memory.dmpFilesize
664KB
-
memory/3936-150-0x00000000005A4000-0x00000000005C2000-memory.dmpFilesize
120KB
-
memory/3948-158-0x0000000000000000-mapping.dmp
-
memory/4080-165-0x0000000000000000-mapping.dmp
-
memory/4296-188-0x0000000000000000-mapping.dmp
-
memory/4312-142-0x0000000000000000-mapping.dmp
-
memory/4348-136-0x0000000000000000-mapping.dmp
-
memory/4400-169-0x0000000000000000-mapping.dmp
-
memory/4416-167-0x0000000000000000-mapping.dmp
-
memory/4436-181-0x0000000000000000-mapping.dmp
-
memory/4480-162-0x0000000000000000-mapping.dmp
-
memory/4528-146-0x0000000000000000-mapping.dmp
-
memory/4576-195-0x0000000000000000-mapping.dmp
-
memory/4588-178-0x0000000000000000-mapping.dmp
-
memory/4692-177-0x0000000000000000-mapping.dmp
-
memory/4740-138-0x0000000000000000-mapping.dmp
-
memory/4828-194-0x0000000000000000-mapping.dmp
-
memory/4932-185-0x0000000000000000-mapping.dmp