Analysis
max time kernel: 113s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 17-05-2022 13:46

Static task: static1
Behavioral task: behavioral1
Sample: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Resource: win7-20220414-en

General
Target: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Size: 218KB
MD5: a9c62f3c2b7bf88433746c06a7196a92
SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
Malware Config
Extracted
Family: amadey
Version: 3.08
C2: 190.123.44.195/d2VxjasuwS/index.php
Signatures
- suricata: ET MALWARE Amadey CnC Check-In
- suricata: ET MALWARE Amadey CnC Check-In
- Blocklisted process makes network request (1 IoC)
  flow 64, pid 364, rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid 4916 ftewk.exe
  pid 2520 ftewk.exe
  pid 3308 ftewk.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation by ftewk.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation by 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
- Loads dropped DLL (1 IoC)
  pid 364 rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour, but in this run it sits next to a credential-stealing DLL and an extracted Amadey C2 config, and no file-encryption activity is reported, so drive enumeration here reads as stealer reconnaissance rather than encryption preparation.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 364 rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (15 IoCs; each parent/child pair below is recorded three times)
  PID 4884 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe wrote to memory of 4916 ftewk.exe
  PID 4916 ftewk.exe wrote to memory of 4368 cmd.exe
  PID 4916 ftewk.exe wrote to memory of 3636 schtasks.exe
  PID 4368 cmd.exe wrote to memory of 5108 reg.exe
  PID 4916 ftewk.exe wrote to memory of 364 rundll32.exe
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
      - Creates scheduled task(s)
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (top level, no parent in the tree)
  Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (top level, no parent in the tree)
  Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  - Executes dropped EXE

Reading the tree: the sample writes a copy of itself to the Temp subdirectory dd7e303766 as ftewk.exe and runs the copy. The copy sets up two persistence paths. First, it rewrites the per-user Startup entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders to point at its own directory, so Explorer treats that directory as the logon Startup folder. Second, it registers a scheduled task named ftewk.exe that relaunches the copy every minute. It then loads cred.dll from a directory under AppData\Roaming through rundll32, calling the Main export; that rundll32 process is the one that makes the C2 request and opens the Outlook profile key. The two parentless ftewk.exe entries are consistent with the one-minute task firing during the run. The image paths under SysWOW64 against command lines that name System32 are WOW64 file-system redirection, which means the sample and its copy run as 32-bit processes.
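Added example, not code from the report or from the Amadey sample: a small Python triage helper that turns the three behaviours visible in the tree above into detection rules over process command lines (the Startup shell-folder redirect, a scheduled task that re-runs a per-user binary every minute, and rundll32 calling an export of a DLL under AppData), then correlates the findings by directory. The command lines are constructed from this report; the function names, the Finding type and the five-minute interval threshold are this example's own assumptions, and the default Startup value is the Windows 10 default for that registry entry.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed from the process tree in this report, one command line per process.
# The two REG ADD lines end in a backslash, which a raw string literal cannot.
_DROP_DIR = r"C:\Users\Admin\AppData\Local\Temp\dd7e303766" + "\\"
_REG_ADD = (r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" '
            r'/f /v Startup /t REG_SZ /d ' + _DROP_DIR)
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"',
    r'"C:\Windows\System32\cmd.exe" /C ' + _REG_ADD,
    _REG_ADD,
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll, Main',
]

# Default data of HKCU\...\Explorer\User Shell Folders\Startup on Windows 10.
DEFAULT_STARTUP = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Anything under a user's AppData tree is writable without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Assumed threshold: a task that re-runs this often is a relaunch loop, not a job.
MAX_BENIGN_INTERVAL_MINUTES = 5

STARTUP_REDIRECT = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion'
    r'\\Explorer\\User Shell Folders"?.*?/v\s+Startup\b.*?/d\s+"?([^"]+?)"?(?=\s+/|\s*$)',
    re.IGNORECASE,
)
RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str
    path: str      # attacker-controlled path the finding pivots on
    detail: str


def _opt(cmd: str, name: str) -> Optional[str]:
    """Value following /NAME in a schtasks command line, quoted or bare."""
    m = re.search(rf'/{name}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _interval_minutes(schedule: Optional[str], modifier: Optional[str]) -> Optional[int]:
    """Repeat interval in minutes for /SC MINUTE and /SC HOURLY; None for other schedules."""
    if not schedule:
        return None
    n = int(modifier) if modifier and modifier.isdigit() else 1
    return {"minute": n, "hourly": 60 * n}.get(schedule.lower())


def analyze(cmdlines: List[str]) -> List[Finding]:
    """Run the three rules over every command line. Identical findings are reported
    once: the cmd.exe wrapper and its reg.exe child carry the same REG ADD."""
    findings: List[Finding] = []

    def emit(f: Finding) -> None:
        if f not in findings:
            findings.append(f)

    for cmd in cmdlines:
        m = STARTUP_REDIRECT.search(cmd)
        if m:
            target = m.group(1).strip()
            if target.rstrip("\\").lower() != DEFAULT_STARTUP.lower():
                emit(Finding("startup_folder_redirect", target,
                             f"per-user Startup shell folder redirected to {target}"))

        if re.search(r'schtasks(?:\.exe)?"?\s.*/create\b', cmd, re.IGNORECASE):
            minutes = _interval_minutes(_opt(cmd, "SC"), _opt(cmd, "MO"))
            task_run = _opt(cmd, "TR")
            if (task_run and USER_WRITABLE.search(task_run)
                    and minutes is not None and minutes <= MAX_BENIGN_INTERVAL_MINUTES):
                emit(Finding("short_interval_task", task_run,
                             f"scheduled task re-runs {task_run} every {minutes} minute(s)"))

        m = RUNDLL_EXPORT.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            emit(Finding("rundll32_profile_dll", m.group(1),
                         f"rundll32 calls export {m.group(2)} of {m.group(1)}"))
    return findings


def shared_directories(findings: List[Finding]) -> Set[str]:
    """Directories that more than one finding points at: the tell that the persistence
    entries and the relaunched binary come from one dropper stage."""
    counts: Dict[str, int] = {}
    for f in findings:
        d = ntpath.dirname(f.path).lower()
        counts[d] = counts.get(d, 0) + 1
    return {d for d, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = analyze(SAMPLE_CMDLINES)
    for f in found:
        print(f"[{f.technique}] {f.detail}")
    print("shared directories:", sorted(shared_directories(found)))
```

On this report the helper returns one finding per technique and reports dd7e303766 as the directory shared by the Startup redirect and the scheduled task; cred.dll lives in a separate directory under Roaming, so it is not joined to them by path alone, only by the parent process. The default-value comparison matters: a REG ADD that writes the stock Startup path back (for example a cleanup script) is not flagged.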
Downloads
- C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (listed four times in the report; every hash matches the submitted sample, so ftewk.exe is an unmodified copy of it)
  Filesize: 218KB
  MD5: a9c62f3c2b7bf88433746c06a7196a92
  SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
  SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
  SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
- C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll (listed twice in the report)
  Filesize: 126KB
  MD5: 6a315cfd3ed85fa8c53870a1c22a22e1
  SHA1: 829aaca9fd1cdf34e9c513306ae5a0ef02d69158
  SHA256: 2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c
  SHA512: bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33
- memory/364-137-0x0000000000000000-mapping.dmp
- memory/3636-134-0x0000000000000000-mapping.dmp
- memory/4368-133-0x0000000000000000-mapping.dmp
- memory/4916-130-0x0000000000000000-mapping.dmp
- memory/5108-135-0x0000000000000000-mapping.dmp