Analysis
- max time kernel: 137s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-05-2022 01:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
- Resource: win7-20220414-en
General
- Target: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
- Size: 319KB
- MD5: 00abc3cdf40d724b3bbaf8cb2de12d95
- SHA1: 529cfe8010a6541a0c7accd33ae02a5237f58301
- SHA256: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
- SHA512: 414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e
Malware Config
Extracted
- Family: amadey
- Version: 3.10
- C2: 199.188.204.245/f8dfksdj3/index.php
Signatures
- suricata: ET MALWARE Amadey CnC Check-In
- Blocklisted process makes network request (1 IoC)
  Processes: flow 34, PID 4200 rundll32.exe
- Executes dropped EXE (3 IoCs)
  Processes: PID 3420 orxds.exe; PID 4012 orxds.exe; PID 4972 orxds.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
    by 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
    by orxds.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 4200 rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    by rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  PID 4136 WerFault.exe, target PID 1840 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
  PID 360 WerFault.exe, target PID 4012 orxds.exe
  PID 3348 WerFault.exe, target PID 4972 orxds.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: PID 4200 rundll32.exe (4 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1840 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe wrote to memory of PID 3420 orxds.exe (3 entries)
  PID 3420 orxds.exe wrote to memory of PID 5056 cmd.exe (3 entries)
  PID 3420 orxds.exe wrote to memory of PID 4288 schtasks.exe (3 entries)
  PID 5056 cmd.exe wrote to memory of PID 4808 reg.exe (3 entries)
  PID 3420 orxds.exe wrote to memory of PID 4200 rundll32.exe (3 entries)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    by rundll32.exe
Processes (nested by parent/child depth; each entry gives the image path, the recorded command line, and the signatures hit)
- C:\Users\Admin\AppData\Local\Temp\69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1252
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1840 -ip 1840
- C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 488
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4012 -ip 4012
- C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 492
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4972 -ip 4972
Downloads
- C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
  Filesize: 319KB
  MD5: 00abc3cdf40d724b3bbaf8cb2de12d95
  SHA1: 529cfe8010a6541a0c7accd33ae02a5237f58301
  SHA256: 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
  SHA512: 414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e
- C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
  Filesize: 126KB
  MD5: 210d9d14509f0bc2c26c87ba5fef4108
  SHA1: 8f4443a8cdfe1ff2156c3a1abd3371e778a2806f
  SHA256: 993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77
  SHA512: 68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095
Memory dumps (PID-region-address range; filesize where recorded)
- memory/1840-131-0x0000000000980000-0x00000000009B8000-memory.dmp: 224KB
- memory/1840-130-0x00000000005CC000-0x00000000005EA000-memory.dmp: 120KB
- memory/1840-132-0x0000000000400000-0x00000000004E6000-memory.dmp: 920KB
- memory/3420-133-0x0000000000000000-mapping.dmp
- memory/3420-139-0x00000000006EC000-0x000000000070A000-memory.dmp: 120KB
- memory/3420-140-0x0000000000400000-0x00000000004E6000-memory.dmp: 920KB
- memory/4012-142-0x0000000000870000-0x000000000088E000-memory.dmp: 120KB
- memory/4012-143-0x0000000000400000-0x00000000004E6000-memory.dmp: 920KB
- memory/4200-144-0x0000000000000000-mapping.dmp
- memory/4288-137-0x0000000000000000-mapping.dmp
- memory/4808-138-0x0000000000000000-mapping.dmp
- memory/4972-148-0x0000000000690000-0x00000000006AE000-memory.dmp: 120KB
- memory/4972-149-0x0000000000400000-0x00000000004E6000-memory.dmp: 920KB
- memory/5056-136-0x0000000000000000-mapping.dmp