Analysis
- max time kernel: 156s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-05-2022 13:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
- Resource: win7-20220414-en
General
- Target: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
- Size: 218KB
- MD5: a9c62f3c2b7bf88433746c06a7196a92
- SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
- SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
- SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
Malware Config
Extracted
- Family: amadey
- Version: 3.08
- C2: 190.123.44.195/d2VxjasuwS/index.php
Signatures
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    5044  ftewk.exe
    3736  ftewk.exe
    944   ftewk.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                    process
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  ftewk.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                                 target process
    PID 1032 wrote to memory of 5044  1032  4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe  ftewk.exe
    PID 1032 wrote to memory of 5044  1032  4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe  ftewk.exe
    PID 1032 wrote to memory of 5044  1032  4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe  ftewk.exe
    PID 5044 wrote to memory of 4816  5044  ftewk.exe                                                               cmd.exe
    PID 5044 wrote to memory of 4816  5044  ftewk.exe                                                               cmd.exe
    PID 5044 wrote to memory of 4816  5044  ftewk.exe                                                               cmd.exe
    PID 5044 wrote to memory of 2104  5044  ftewk.exe                                                               schtasks.exe
    PID 5044 wrote to memory of 2104  5044  ftewk.exe                                                               schtasks.exe
    PID 5044 wrote to memory of 2104  5044  ftewk.exe                                                               schtasks.exe
    PID 4816 wrote to memory of 3748  4816  cmd.exe                                                                 reg.exe
    PID 4816 wrote to memory of 3748  4816  cmd.exe                                                                 reg.exe
    PID 4816 wrote to memory of 3748  4816  cmd.exe                                                                 reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
      - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  Filesize: 218KB
  MD5: a9c62f3c2b7bf88433746c06a7196a92
  SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
  SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
  SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
- memory/2104-134-0x0000000000000000-mapping.dmp
- memory/3748-135-0x0000000000000000-mapping.dmp
- memory/4816-133-0x0000000000000000-mapping.dmp
- memory/5044-130-0x0000000000000000-mapping.dmp