Analysis
- max time kernel: 115s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-05-2022 16:37
Static task: static1
Behavioral task: behavioral1
Sample: 00abc3cdf40d724b3bbaf8cb2de12d95.exe
Resource: win7-20220414-en
General
- Target: 00abc3cdf40d724b3bbaf8cb2de12d95.exe
- Size: 319KB
- MD5: 00abc3cdf40d724b3bbaf8cb2de12d95
- SHA1: 529cfe8010a6541a0c7accd33ae02a5237f58301
- SHA256: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
- SHA512: 414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e
Malware Config
Extracted
- Family: amadey
- Version: 3.10
- C2: 199.188.204.245/f8dfksdj3/index.php
Signatures
-
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
  flow | pid | process
  55 | 4352 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
Processes: orxds.exe
  pid | process
  2132 | orxds.exe
  4828 | orxds.exe
  4072 | orxds.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: orxds.exe, 00abc3cdf40d724b3bbaf8cb2de12d95.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | orxds.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | 00abc3cdf40d724b3bbaf8cb2de12d95.exe
-
Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid | process
  4352 | rundll32.exe
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (3 IoCs)
Processes: WerFault.exe
  pid | pid_target | process | target process
  4828 | 1144 | WerFault.exe | 00abc3cdf40d724b3bbaf8cb2de12d95.exe
  1144 | 4828 | WerFault.exe | orxds.exe
  3216 | 4072 | WerFault.exe | orxds.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: rundll32.exe
  pid | process
  4352 | rundll32.exe (4 entries)
-
Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 00abc3cdf40d724b3bbaf8cb2de12d95.exe, orxds.exe, cmd.exe
  description | pid | process | target process
  PID 1144 wrote to memory of 2132 | 1144 | 00abc3cdf40d724b3bbaf8cb2de12d95.exe | orxds.exe (3 entries)
  PID 2132 wrote to memory of 2656 | 2132 | orxds.exe | cmd.exe (3 entries)
  PID 2132 wrote to memory of 2372 | 2132 | orxds.exe | schtasks.exe (3 entries)
  PID 2656 wrote to memory of 2784 | 2656 | cmd.exe | reg.exe (3 entries)
  PID 2132 wrote to memory of 4352 | 2132 | orxds.exe | rundll32.exe (3 entries)
-
outlook_win_path (1 IoC)
Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\00abc3cdf40d724b3bbaf8cb2de12d95.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\00abc3cdf40d724b3bbaf8cb2de12d95.exe"
  Behaviors: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe"
    Behaviors: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
      Behaviors: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe" /F
      Behaviors: Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll, Main
      Behaviors: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 1252
    Behaviors: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1144 -ip 1144
- C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Behaviors: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 492
    Behaviors: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4828 -ip 4828
- C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Behaviors: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 488
    Behaviors: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4072 -ip 4072
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Filesize: 319KB
  MD5: 00abc3cdf40d724b3bbaf8cb2de12d95
  SHA1: 529cfe8010a6541a0c7accd33ae02a5237f58301
  SHA256: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
  SHA512: 414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e
  Note: the hashes are identical to the submitted sample, so orxds.exe is a copy of the original executable.
-
C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
  Filesize: 126KB
  MD5: 210d9d14509f0bc2c26c87ba5fef4108
  SHA1: 8f4443a8cdfe1ff2156c3a1abd3371e778a2806f
  SHA256: 993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77
  SHA512: 68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095
-
Memory dumps:
  memory/1144-130-0x00000000006CC000-0x00000000006EA000-memory.dmp (120KB)
  memory/1144-131-0x0000000000650000-0x0000000000688000-memory.dmp (224KB)
  memory/1144-132-0x0000000000400000-0x00000000004E6000-memory.dmp (920KB)
  memory/2132-136-0x000000000075C000-0x000000000077A000-memory.dmp (120KB)
  memory/2132-137-0x0000000000400000-0x00000000004E6000-memory.dmp (920KB)
  memory/2132-133-0x0000000000000000-mapping.dmp
  memory/2372-139-0x0000000000000000-mapping.dmp
  memory/2656-138-0x0000000000000000-mapping.dmp
  memory/2784-140-0x0000000000000000-mapping.dmp
  memory/4072-148-0x0000000000540000-0x000000000055E000-memory.dmp (120KB)
  memory/4072-149-0x0000000000400000-0x00000000004E6000-memory.dmp (920KB)
  memory/4352-144-0x0000000000000000-mapping.dmp
  memory/4828-143-0x0000000000400000-0x00000000004E6000-memory.dmp (920KB)
  memory/4828-142-0x00000000007C0000-0x00000000007DE000-memory.dmp (120KB)