Analysis
max time kernel: 101s
max time network: 130s
platform: windows7_x64
resource: win7-20220414-en
submitted: 17-05-2022 13:46
Static task: static1
Behavioral task: behavioral1
Sample: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
Resource: win7-20220414-en
General
Target: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
Size: 334KB
MD5: 21a947b4e4a65510aa9188cc950bc943
SHA1: 9ee64e984916c52852c31d89b65a08eb2ec61e17
SHA256: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
SHA512: 358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684
Malware Config
Extracted
Family: amadey
Version: 3.08
C2: 193.106.191.201/panelis/index.php
Signatures
-
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  6     1924  rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1060  ftewk.exe
  1620  ftewk.exe
-
Loads dropped DLL 6 IoCs
Processes:
  pid   process
  336   dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe (2 loads)
  1924  rundll32.exe (4 loads)
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description  ioc                                                                                                                                      process
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  1924  rundll32.exe (4 occurrences)
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  pid   process                                                                   target pid  target process  count
  336   dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe      1060        ftewk.exe       4
  1060  ftewk.exe                                                                 2044        cmd.exe         4
  1060  ftewk.exe                                                                 932         schtasks.exe    4
  2044  cmd.exe                                                                   664         reg.exe         4
  1060  ftewk.exe                                                                 1924        rundll32.exe    7
  1940  taskeng.exe                                                               1620        ftewk.exe       4
-
outlook_win_path 1 IoCs
Processes:
  description  ioc                                                                                                                                      process
  Key opened   \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   rundll32.exe
Processes (process tree; indentation shows parent/child nesting)
-
C:\Users\Admin\AppData\Local\Temp\dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe" /F
      - Creates scheduled task(s)
    -
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
-
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E24AD97B-486C-494A-A76C-E7B28D1731AD} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
    - Executes dropped EXE
Downloads
-
C:\Users\Admin\AppData\Local\Temp\b3dcf4c296\ftewk.exe
Filesize: 334KB
MD5: 21a947b4e4a65510aa9188cc950bc943
SHA1: 9ee64e984916c52852c31d89b65a08eb2ec61e17
SHA256: dcc559c45ecf4159655411999117728f288c7e50c78a2414d020f75cc2b86364
SHA512: 358105b5371c8988e125040b0cd469854a58b96017bab1d10a5fa826d4ca368705f9994696cf4254f0ab5f7b12f5f2d12ca7aeb75ccf1ed568bbb360efa19684
C:\Users\Admin\AppData\Roaming\a20732a67da3b4\cred.dll
Filesize: 126KB
MD5: b15e23ee34fa9c69866799fdd8e3820b
SHA1: 880b9624ddb7e1484f5694db01f33128bf1a01c3
SHA256: 635f64b41ef6264c7e53ea882377625e9b5fb9624b8fb73ced1a157dcd0a9c2e
SHA512: d46728917770c59936267aa070e7340a21f15ad202afad886e2145707d21aeacd70d5a935ff70cbafed9435b1acc2a6a82fb9b7a02c8784ce48c26b4d60a5be4