Analysis
- Max time kernel: 136s
- Max time network: 146s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 17-05-2022 19:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
  - Resource: win7-20220414-en
General
- Target: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
- Size: 218KB
- MD5: a9c62f3c2b7bf88433746c06a7196a92
- SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
- SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
- SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
Malware Config
Extracted
- Family: amadey
- Version: 3.08
- C2: 190.123.44.195/d2VxjasuwS/index.php
Signatures
- suricata: ET MALWARE Amadey CnC Check-In (2 alerts)
- Blocklisted process makes network request (1 IoC)
  Processes: flow 5, PID 832 rundll32.exe
- Executes dropped EXE (3 IoCs)
  Processes: PID 364 ftewk.exe; PID 1408 ftewk.exe; PID 1228 ftewk.exe
- Loads dropped DLL (5 IoCs)
  Processes: PID 1348 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe (1); PID 832 rundll32.exe (4)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes: PID 832 rundll32.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note) supports that reading, and the extracted config and the Suricata alerts identify the sample as Amadey, so do not classify on this signature alone.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 832 rundll32.exe (4)
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (writer, target, number of events):
  PID 1348 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe wrote to memory of PID 364 ftewk.exe (4)
  PID 364 ftewk.exe wrote to memory of PID 1368 cmd.exe (4)
  PID 364 ftewk.exe wrote to memory of PID 1680 schtasks.exe (4)
  PID 1368 cmd.exe wrote to memory of PID 1008 reg.exe (4)
  PID 1652 taskeng.exe wrote to memory of PID 1408 ftewk.exe (4)
  PID 364 ftewk.exe wrote to memory of PID 832 rundll32.exe (7)
  PID 1652 taskeng.exe wrote to memory of PID 1228 ftewk.exe (4)
- outlook_win_path (1 IoC)
  Processes: PID 832 rundll32.exe opened key \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Image paths under C:\Windows\SysWOW64 paired with C:\Windows\System32 in the command line are WoW64 file-system redirection: the 32-bit sample launches the 32-bit copies of the system binaries, so detection rules should match on the binary name rather than on the System32 path.
- [1] C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe (PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
  Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (PID 364)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
    Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe (PID 1368)
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
      Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\reg.exe (PID 1008)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
        (Redirects the per-user Startup shell folder to the drop directory, so Explorer launches ftewk.exe at every logon without any Run key being written.)
    - [3] C:\Windows\SysWOW64\schtasks.exe (PID 1680)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
      Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\rundll32.exe (PID 832)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll, Main
      Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
- [1] C:\Windows\system32\taskeng.exe (PID 1652)
  Command line: taskeng.exe {6A0E076F-86D6-4B69-B7D8-B58FC4861993} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]
  Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (PID 1408)
    Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Executes dropped EXE (launched by the one-minute scheduled task)
  - [2] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (PID 1228)
    Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Executes dropped EXE (launched by the one-minute scheduled task)
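Detection logic for the persistence and plugin-loading chain in the process tree above, as an added example that is not part of the Triage report. It runs three rules over constructed process-creation events with Sysmon Event ID 1 style fields (the field names pid/image/parent/cmd are this example's own); the first three command lines are copied from the report, the two benign events are constructed so the rules have something to ignore. Rules match on the binary name rather than the full path so the SysWOW64/System32 split does not matter.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events. The first three command lines are
# copied from the sandbox report; the last two are benign look-alikes
# (an admin restoring the default Startup folder, a daily backup task).
SAMPLE_EVENTS: List[Event] = [
    {"pid": "1008", "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
            r' /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766' + "\\"},
    {"pid": "1680", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe'
            r' /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F'},
    {"pid": "832", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe",
     "cmd": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll, Main'},
    {"pid": "2001", "image": r"C:\Windows\System32\reg.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"'
            r' /f /v Startup /t REG_EXPAND_SZ /d "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"'},
    {"pid": "2002", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'},
]

# Anything under a user's AppData tree is writable without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Where Explorer's Startup shell folder normally points (compared lower-cased).
DEFAULT_STARTUP_SUFFIX = r"start menu\programs\startup"


def _arg_after(flag: str, cmd: str) -> str:
    """Value following a /flag, quotes removed; '' if the flag is absent."""
    m = re.search(re.escape(flag) + r"\s+(\"[^\"]+\"|\S+)", cmd, re.IGNORECASE)
    return m.group(1).strip('"') if m else ""


def startup_folder_hijack(ev: Event) -> bool:
    """reg.exe pointing the per-user 'User Shell Folders' Startup value
    somewhere other than the default Start Menu/Programs/Startup folder.
    Explorer then launches that folder's contents at logon, no Run key needed."""
    cmd = ev["cmd"]
    if not ev["image"].lower().endswith("\\reg.exe"):
        return False
    if not re.search(r"user shell folders", cmd, re.IGNORECASE):
        return False
    if not re.search(r"/v\s+startup\b", cmd, re.IGNORECASE):
        return False
    target = _arg_after("/d", cmd).rstrip("\\").lower()
    return bool(target) and not target.endswith(DEFAULT_STARTUP_SUFFIX)


def minute_task_from_user_dir(ev: Event) -> bool:
    """schtasks /Create repeating every minute whose action lives in a
    user-writable profile directory (the report's /SC MINUTE /MO 1 task)."""
    cmd = ev["cmd"]
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return False
    if not re.search(r"/sc\s+minute\b", cmd, re.IGNORECASE):
        return False
    return bool(USER_WRITABLE.search(_arg_after("/tr", cmd)))


def rundll32_dll_from_appdata(ev: Event) -> bool:
    """rundll32 calling an export of a DLL that lives under AppData; in the
    report this is cred.dll,Main, the dropped credential-stealer module."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return False
    m = re.search(r"(\"[^\"]+\.dll\"|\S+\.dll)\s*,\s*\w+", ev["cmd"], re.IGNORECASE)
    return bool(m and USER_WRITABLE.search(m.group(1)))


RULES: Dict[str, Callable[[Event], bool]] = {
    "startup_folder_hijack": startup_folder_hijack,
    "minute_task_from_user_dir": minute_task_from_user_dir,
    "rundll32_dll_from_appdata": rundll32_dll_from_appdata,
}


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, pid) for every event that trips a rule."""
    return [(name, ev["pid"]) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for rule_name, pid in scan(SAMPLE_EVENTS):
        print(f"{rule_name}: pid {pid}")
```

The Startup rule deliberately keys on the destination rather than on the write itself, since legitimate tooling does reset User Shell Folders values; the benign event 2001 shows the default path being restored and is not flagged. Run against real Sysmon or EDR telemetry, each hit corresponds to one of the three children of ftewk.exe in the tree.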
Downloads
- ftewk.exe (5 write events; identical hashes to the submitted sample, i.e. the loader copies itself into the drop directory)
  Paths: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (4); \Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe (1)
  Filesize: 218KB
  MD5: a9c62f3c2b7bf88433746c06a7196a92
  SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
  SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
  SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
- cred.dll (5 write events; loaded by rundll32.exe with export Main)
  Paths: C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll (1); \Users\Admin\AppData\Roaming\caf045170b494e\cred.dll (4)
  Filesize: 126KB
  MD5: 6a315cfd3ed85fa8c53870a1c22a22e1
  SHA1: 829aaca9fd1cdf34e9c513306ae5a0ef02d69158
  SHA256: 2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c
  SHA512: bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33
- memory/364-56-0x0000000000000000-mapping.dmp
- memory/832-66-0x0000000000000000-mapping.dmp
- memory/832-73-0x0000000000661000-0x000000000067B000-memory.dmp (Filesize: 104KB)
- memory/1008-61-0x0000000000000000-mapping.dmp
- memory/1228-74-0x0000000000000000-mapping.dmp
- memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp (Filesize: 8KB)
- memory/1368-59-0x0000000000000000-mapping.dmp
- memory/1408-63-0x0000000000000000-mapping.dmp
- memory/1680-60-0x0000000000000000-mapping.dmp