Analysis
- Max time kernel: 80s
- Max time network: 123s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 18-05-2022 13:48
- Static task: static1
- Behavioral task: behavioral1
  Sample: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
  Resource: win10v2004-20220414-en

General
- Target: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
- Size: 319KB
- MD5: 00abc3cdf40d724b3bbaf8cb2de12d95
- SHA1: 529cfe8010a6541a0c7accd33ae02a5237f58301
- SHA256: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
- SHA512: 414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e
Malware Config
- Extracted: amadey 3.10
- URL: 199.188.204.245/f8dfksdj3/index.php
Signatures
- suricata: ET MALWARE Amadey CnC Check-In
- suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    32 | 1296 | rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes (pid | process):
    4384 | orxds.exe
    4268 | mine3.exe
    212 | orxds.exe
    1496 | IFMb39aGmCsqJcthXwNQEToq7.exe
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | orxds.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | mine3.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    1296 | rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mine3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006001\\mine3.exe" | orxds.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe" | mine3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  Processes (pid | pid_target | process | target process):
    4044 | 3396 | WerFault.exe | 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
    1836 | 212 | WerFault.exe | orxds.exe
    2128 | 1496 | WerFault.exe | IFMb39aGmCsqJcthXwNQEToq7.exe
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid | process):
    4456 | schtasks.exe
    3564 | schtasks.exe
- Delays execution with timeout.exe (1 IoC)
  Processes (pid | process):
    4236 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    4268 | mine3.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4268 | mine3.exe (2 entries)
    Token: SeDebugPrivilege | 1496 | IFMb39aGmCsqJcthXwNQEToq7.exe (2 entries)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (description | pid | process | target process):
    PID 3396 wrote to memory of 4384 | 3396 | 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe | orxds.exe (3 entries)
    PID 4384 wrote to memory of 4460 | 4384 | orxds.exe | cmd.exe (3 entries)
    PID 4384 wrote to memory of 4456 | 4384 | orxds.exe | schtasks.exe (3 entries)
    PID 4460 wrote to memory of 4924 | 4460 | cmd.exe | reg.exe (3 entries)
    PID 4384 wrote to memory of 4268 | 4384 | orxds.exe | mine3.exe (2 entries)
    PID 4268 wrote to memory of 3564 | 4268 | mine3.exe | schtasks.exe (2 entries)
    PID 4384 wrote to memory of 1296 | 4384 | orxds.exe | rundll32.exe (3 entries)
    PID 4268 wrote to memory of 1496 | 4268 | mine3.exe | IFMb39aGmCsqJcthXwNQEToq7.exe (2 entries)
    PID 4268 wrote to memory of 3748 | 4268 | mine3.exe | cmd.exe (2 entries)
    PID 3748 wrote to memory of 4236 | 3748 | cmd.exe | timeout.exe (2 entries)
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes (indented by process tree depth; "cmd:" is the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe" /F
        - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SYSTEM32\schtasks.exe
          cmd: "schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 16:02 /du 23:59 /sc daily /ri 1 /f
          - Creates scheduled task(s)
      [4] C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
          cmd: "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\WerFault.exe
            cmd: C:\Windows\system32\WerFault.exe -u -p 1496 -s 2892
            - Program crash
      [4] C:\Windows\system32\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CF0.tmp.bat""
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\timeout.exe
            cmd: timeout 6
            - Delays execution with timeout.exe
    [3] C:\Windows\SysWOW64\rundll32.exe
        cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - outlook_win_path
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 876
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3396 -ip 3396

[1] C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 488
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 212 -ip 212

[1] C:\Windows\system32\WerFault.exe
    cmd: C:\Windows\system32\WerFault.exe -pss -s 548 -p 1496 -ip 1496
MITRE ATT&CK Matrix ATT&CK v6
Downloads (duplicate entries for the same file collapsed)
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe (9.4MB)
  MD5: f2819e29b7b3ef129f8ae137d30efba1
  SHA1: afdc1f3b1ca2a465df56e4c9b5e66dc87394ba4a
  SHA256: 504f969b9082465b73cca844d09e6c4adf1b24e6cd6356673a3e320af5bdd7df
  SHA512: a9e7e3f04d6d1906e301e8fed0f66912e0bdbc7f61b80c0f83ed2ce7d864886eceab51a629ca2a289638ee14004d7c9c7c51032d612505e56c071f56ce2cb88b
- C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe (9.8MB, second variant at the same path)
  MD5: 4ca644a44c9bcbe88b964f7c8f3a9f0e
  SHA1: 36b4a893603c0d12f8776ebd8027f54c9067f28c
  SHA256: 5d434e29a1903fc5e2373964a674aef2919c88b4224fc1ec95ba25f6e24130d1
  SHA512: 275b244e641d8a86f0e74bed5821721705c5b9996149502c1e5c90628eb0a016586d618a920b7d3582a7f19f46dd6fda605f7c7258787a210ec131b28b0c079e
- C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe (809KB)
  MD5: ff72b295ded9889cee24320db368bcf1
  SHA1: 5d7991f8495d56088710dd558faba639ffd05292
  SHA256: e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd
  SHA512: 37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b
- C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe (319KB; same hashes as the submitted sample)
  MD5: 00abc3cdf40d724b3bbaf8cb2de12d95
  SHA1: 529cfe8010a6541a0c7accd33ae02a5237f58301
  SHA256: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
  SHA512: 414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e
- C:\Users\Admin\AppData\Local\Temp\tmp7CF0.tmp.bat (168B)
  MD5: ef789be51d674b52d8312acd883277f9
  SHA1: b95dca756964d03879fcc715651907e73a5dee67
  SHA256: 68257526abf454f1225ee08382f3a5af799a8a3cb219623add9f53b9185377c8
  SHA512: c1289e2f6f3ce356e12ef7ad8e707754a95739f2891826d2492810f8b1d7290f5fba280d3d0c6b9452188ec0f786957853a3e53e78f57ddd991f2a9bbed12ba5
- C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll (126KB)
  MD5: 210d9d14509f0bc2c26c87ba5fef4108
  SHA1: 8f4443a8cdfe1ff2156c3a1abd3371e778a2806f
  SHA256: 993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77
  SHA512: 68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095