Analysis
- max time kernel: 186s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-05-2022 07:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
- Resource: win7-20220414-en
General
- Target: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
- Size: 334KB
- MD5: 21a947b4e4a65510aa9188cc950bc943
- SHA1: 9ee64e984916c52852c31d89b65a08eb2ec61e17
- SHA256: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
- SHA512: 358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684
Malware Config
Extracted
- Family: amadey
- Version: 3.08
- C2: 193.106.191.201/panelis/index.php
Signatures
- suricata: ET MALWARE Amadey CnC Check-In
- suricata: ET MALWARE Amadey CnC Check-In
- Blocklisted process makes network request (1 IoC)
  Processes: flow 6, PID 1772, rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes: PID 1068 ftewk.exe; PID 1796 ftewk.exe; PID 1368 ftewk.exe; PID 1060 ftewk.exe
- Loads dropped DLL (6 IoCs)
  Processes: PID 1472 dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe (2 events); PID 1772 rundll32.exe (4 events)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened by rundll32.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 1772 rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (35 IoCs)
  Source PID / process -> target PID / process (event count):
  1472 dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe -> 1068 ftewk.exe (4)
  1068 ftewk.exe -> 1724 cmd.exe (4)
  1068 ftewk.exe -> 1872 schtasks.exe (4)
  1724 cmd.exe -> 1652 reg.exe (4)
  604 taskeng.exe -> 1796 ftewk.exe (4)
  1068 ftewk.exe -> 1772 rundll32.exe (7)
  604 taskeng.exe -> 1368 ftewk.exe (4)
  604 taskeng.exe -> 1060 ftewk.exe (4)
- outlook_win_path (1 IoC)
  Key opened by rundll32.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- C:\Users\Admin\AppData\Local\Temp\dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe" /F
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {1F73E332-4AB3-4B6B-9BF1-69FFE645B123} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe (listed seven times, also as \Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe; same hashes as the submitted sample)
  Filesize: 334KB
  MD5: 21a947b4e4a65510aa9188cc950bc943
  SHA1: 9ee64e984916c52852c31d89b65a08eb2ec61e17
  SHA256: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
  SHA512: 358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684
- C:\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll (listed five times, also as \Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll)
  Filesize: 126KB
  MD5: b15e23ee34fa9c69866799fdd8e3820b
  SHA1: 880b9624ddb7e1484f5694db01f33128bf1a01c3
  SHA256: 635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e
  SHA512: d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4
- memory/1060-91-0x0000000000000000-mapping.dmp
- memory/1068-58-0x0000000000000000-mapping.dmp
- memory/1068-69-0x0000000000400000-0x000000000047D000-memory.dmp, Filesize 500KB
- memory/1068-63-0x00000000002E8000-0x0000000000306000-memory.dmp, Filesize 120KB
- memory/1068-68-0x00000000002E8000-0x0000000000306000-memory.dmp, Filesize 120KB
- memory/1368-90-0x0000000000400000-0x000000000047D000-memory.dmp, Filesize 500KB
- memory/1368-89-0x0000000000598000-0x00000000005B6000-memory.dmp, Filesize 120KB
- memory/1368-87-0x0000000000598000-0x00000000005B6000-memory.dmp, Filesize 120KB
- memory/1368-85-0x0000000000000000-mapping.dmp
- memory/1472-54-0x00000000002A8000-0x00000000002C7000-memory.dmp, Filesize 124KB
- memory/1472-61-0x0000000000480000-0x00000000004B8000-memory.dmp, Filesize 224KB
- memory/1472-60-0x00000000002A8000-0x00000000002C7000-memory.dmp, Filesize 124KB
- memory/1472-55-0x0000000076C81000-0x0000000076C83000-memory.dmp, Filesize 8KB
- memory/1472-62-0x0000000000400000-0x000000000047D000-memory.dmp, Filesize 500KB
- memory/1652-67-0x0000000000000000-mapping.dmp
- memory/1724-65-0x0000000000000000-mapping.dmp
- memory/1772-84-0x0000000000180000-0x00000000001A4000-memory.dmp, Filesize 144KB
- memory/1772-77-0x0000000000000000-mapping.dmp
- memory/1796-75-0x00000000002C8000-0x00000000002E6000-memory.dmp, Filesize 120KB
- memory/1796-73-0x00000000002C8000-0x00000000002E6000-memory.dmp, Filesize 120KB
- memory/1796-71-0x0000000000000000-mapping.dmp
- memory/1796-76-0x0000000000400000-0x000000000047D000-memory.dmp, Filesize 500KB
- memory/1872-66-0x0000000000000000-mapping.dmp