Analysis

- max time kernel: 140s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 17-05-2022 19:47

Static task: static1
Behavioral task: behavioral1
Sample: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
Resource: win7-20220414-en
General

- Target: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
- Size: 218KB
- MD5: a9c62f3c2b7bf88433746c06a7196a92
- SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
- SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
- SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
Malware Config (extracted)

- Family: amadey
- Version: 3.08
- C2: 190.123.44.195/d2VxjasuwS/index.php
Signatures

- suricata: ET MALWARE Amadey CnC Check-In
- suricata: ET MALWARE Amadey CnC Check-In

- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    60  364  rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (4 IoCs)
  Processes (pid, process):
    2548  ftewk.exe
    4600  ftewk.exe
    4612  ftewk.exe
    4744  ftewk.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation  ftewk.exe

- Loads dropped DLL (1 IoC)
  Processes (pid, process):
    364  rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    364  rundll32.exe
    364  rundll32.exe
    364  rundll32.exe
    364  rundll32.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description, pid, process, target process):
    PID 408 wrote to memory of 2548   408   4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe  ftewk.exe
    PID 408 wrote to memory of 2548   408   4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe  ftewk.exe
    PID 408 wrote to memory of 2548   408   4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe  ftewk.exe
    PID 2548 wrote to memory of 3716  2548  ftewk.exe  cmd.exe
    PID 2548 wrote to memory of 3716  2548  ftewk.exe  cmd.exe
    PID 2548 wrote to memory of 3716  2548  ftewk.exe  cmd.exe
    PID 2548 wrote to memory of 4724  2548  ftewk.exe  schtasks.exe
    PID 2548 wrote to memory of 4724  2548  ftewk.exe  schtasks.exe
    PID 2548 wrote to memory of 4724  2548  ftewk.exe  schtasks.exe
    PID 3716 wrote to memory of 4428  3716  cmd.exe  reg.exe
    PID 3716 wrote to memory of 4428  3716  cmd.exe  reg.exe
    PID 3716 wrote to memory of 4428  3716  cmd.exe  reg.exe
    PID 2548 wrote to memory of 364   2548  ftewk.exe  rundll32.exe
    PID 2548 wrote to memory of 364   2548  ftewk.exe  rundll32.exe
    PID 2548 wrote to memory of 364   2548  ftewk.exe  rundll32.exe

- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes (the bracketed number is the process-tree depth; each entry lists image path, command line, then the behaviours attributed to it)

[1] C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\dd7e303766\

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe" /F
            - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll, Main
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - outlook_win_path

[1] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
    - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\dd7e303766\ftewk.exe
  Filesize: 218KB
  MD5: a9c62f3c2b7bf88433746c06a7196a92
  SHA1: 020c23eb4a3a4df8c6c1e5450127fa9383095378
  SHA256: 4d4fa36151d3330036cdae11a434af0b5e5cc3403f60c15d968561fd3c41e9a7
  SHA512: 342aed8d60985831565fdaffb3d02243fb64caa9bdcc93f6114378ca99513ef4f03289d6988a5e85c7d1dd351fea352fb65b0f65893df52837574311a51b2e80
- C:\Users\Admin\AppData\Roaming\caf045170b494e\cred.dll
  Filesize: 126KB
  MD5: 6a315cfd3ed85fa8c53870a1c22a22e1
  SHA1: 829aaca9fd1cdf34e9c513306ae5a0ef02d69158
  SHA256: 2b001bde89a1bfc82b982ddf1340379ab999dcd43dfbd7241cfedcb44adc904c
  SHA512: bc2f11ab4ed3d19fc4ab8705e0a888290ffc169b08cb7aa345718d111a751928e6c324adf1dc9275e037666071dc83abd935d56828ca18fcae30c23e8731fe33
- Memory dumps:
  memory/364-137-0x0000000000000000-mapping.dmp
  memory/2548-130-0x0000000000000000-mapping.dmp
  memory/3716-133-0x0000000000000000-mapping.dmp
  memory/4428-135-0x0000000000000000-mapping.dmp
  memory/4724-134-0x0000000000000000-mapping.dmp