Analysis
-
max time kernel
156s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
17-05-2022 07:53
Static task
static1
Behavioral task
behavioral1
Sample
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe
Resource
win7-20220414-en
General
-
Target
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe
-
Size
218KB
-
MD5
2e5816315adcf88c8a527722a6590ed6
-
SHA1
e6756efbc30a0af6d55a64f0a3fefe3cea45293a
-
SHA256
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f
-
SHA512
1d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756
Malware Config
Extracted
amadey
3.05
garts.at/forum/index.php
uknovodom.ru/forum/index.php
prospectsnorth.com/forum/index.php
Signatures
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 74 3364 rundll32.exe 76 3364 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
ftewk.exeftewk.exeftewk.exepid process 2856 ftewk.exe 4368 ftewk.exe 4124 ftewk.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exeftewk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation ftewk.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exerundll32.exerundll32.exepid process 3364 rundll32.exe 2112 rundll32.exe 2032 rundll32.exe 2032 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 3364 rundll32.exe 3364 rundll32.exe 3364 rundll32.exe 3364 rundll32.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exeftewk.execmd.exedescription pid process target process PID 784 wrote to memory of 2856 784 e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe ftewk.exe PID 784 wrote to memory of 2856 784 e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe ftewk.exe PID 784 wrote to memory of 2856 784 e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe ftewk.exe PID 2856 wrote to memory of 2624 2856 ftewk.exe cmd.exe PID 2856 wrote to memory of 2624 2856 ftewk.exe cmd.exe PID 2856 wrote to memory of 2624 2856 ftewk.exe cmd.exe PID 2856 wrote to memory of 3512 2856 ftewk.exe schtasks.exe PID 2856 wrote to memory of 3512 2856 ftewk.exe schtasks.exe PID 2856 wrote to memory of 3512 2856 ftewk.exe schtasks.exe PID 2624 wrote to memory of 4076 2624 cmd.exe reg.exe PID 2624 wrote to memory of 4076 2624 cmd.exe reg.exe PID 2624 wrote to memory of 4076 2624 cmd.exe reg.exe PID 2856 wrote to memory of 2112 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 2112 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 2112 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 3364 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 3364 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 3364 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 2032 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 2032 2856 ftewk.exe rundll32.exe PID 2856 wrote to memory of 2032 2856 ftewk.exe rundll32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe"C:\Users\Admin\AppData\Local\Temp\e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe"C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\958dc2ebed\3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\958dc2ebed\4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll, Main3⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dll, Main3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exeC:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exeC:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exeFilesize
218KB
MD52e5816315adcf88c8a527722a6590ed6
SHA1e6756efbc30a0af6d55a64f0a3fefe3cea45293a
SHA256e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f
SHA5121d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exeFilesize
218KB
MD52e5816315adcf88c8a527722a6590ed6
SHA1e6756efbc30a0af6d55a64f0a3fefe3cea45293a
SHA256e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f
SHA5121d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exeFilesize
218KB
MD52e5816315adcf88c8a527722a6590ed6
SHA1e6756efbc30a0af6d55a64f0a3fefe3cea45293a
SHA256e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f
SHA5121d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756
-
C:\Users\Admin\AppData\Local\Temp\958dc2ebed\ftewk.exeFilesize
218KB
MD52e5816315adcf88c8a527722a6590ed6
SHA1e6756efbc30a0af6d55a64f0a3fefe3cea45293a
SHA256e17ae6dc6b124cbcb453e0e5bd5319d8cb9dc4df70972b50d91e49cccc7d2f7f
SHA5121d593ef730be2e5b094ba84f7ce5d86abeffa89a81f28c90d4740926018233d8e7cfc9e86046d60ae9594f8f61e28e6bf0f3712cfe33ac348289238ad5cd9756
-
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dllFilesize
126KB
MD5c96f4b79502c4a88af0ed0935a0d5f13
SHA10976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1
SHA2561b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c
SHA5128b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486
-
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dllFilesize
126KB
MD5c96f4b79502c4a88af0ed0935a0d5f13
SHA10976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1
SHA2561b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c
SHA5128b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486
-
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dllFilesize
126KB
MD5c96f4b79502c4a88af0ed0935a0d5f13
SHA10976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1
SHA2561b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c
SHA5128b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486
-
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dllFilesize
126KB
MD5c96f4b79502c4a88af0ed0935a0d5f13
SHA10976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1
SHA2561b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c
SHA5128b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486
-
C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred.dllFilesize
126KB
MD5c96f4b79502c4a88af0ed0935a0d5f13
SHA10976ef12d339a9ccd1d255d5d6f8d8f5198cd3a1
SHA2561b53bf7d983101f59b0ea151b63eb925e5f703af4605388e90814c519225e22c
SHA5128b5cff4daf9dd29e3c49ceec29cabc7a094e4d2c89fe18d589d73d0113575987bc7db0b1492d2862c275a4f04ecbdc64a694d9637c12b5d71b36d030dc735486
-
memory/2032-139-0x0000000000000000-mapping.dmp
-
memory/2032-145-0x00000000003B0000-0x00000000003D4000-memory.dmpFilesize
144KB
-
memory/2112-137-0x0000000000000000-mapping.dmp
-
memory/2624-133-0x0000000000000000-mapping.dmp
-
memory/2856-130-0x0000000000000000-mapping.dmp
-
memory/3364-138-0x0000000000000000-mapping.dmp
-
memory/3512-134-0x0000000000000000-mapping.dmp
-
memory/4076-135-0x0000000000000000-mapping.dmp