Analysis
- max time kernel: 156s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 07:46
Static task: static1
Behavioral task: behavioral1
Sample: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
Resource: win7-20220414-en
General
- Target: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
- Size: 383KB
- MD5: 56d9df4afbbaee34afb646e85fb4419d
- SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
- SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
- SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
Malware Config
Extracted
- Family: amadey
- Version: 3.08
- C2: 179.43.154.147/d2VxjasuwS/index.php
Signatures
-
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request (1 IoC)
Processes:
  flow 38 | pid 3120 | rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (5 IoCs)
Processes:
  pid 3460 | ftewk.exe
  pid 3860 | ftewk.exe
  pid 3904 | ftewk.exe
  pid 4372 | ftewk.exe
  pid 5040 | ftewk.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | ftewk.exe
-
Loads dropped DLL (1 IoC)
Processes:
  pid 3120 | rundll32.exe
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes:
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 25 | ip-api.com
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 3460 set thread context of 3860 | ftewk.exe -> ftewk.exe
  PID 3860 set thread context of 3244 | ftewk.exe -> AppLaunch.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (4 IoCs)
Processes:
  pid 1288 | target pid 3744 | WerFault.exe -> 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
  pid 1696 | target pid 3904 | WerFault.exe -> ftewk.exe
  pid 2776 | target pid 3244 | WerFault.exe -> AppLaunch.exe
  pid 828 | target pid 4372 | WerFault.exe -> ftewk.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | AppLaunch.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | AppLaunch.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid 3244 | AppLaunch.exe
  pid 3120 | rundll32.exe
  pid 3120 | rundll32.exe
  pid 3120 | rundll32.exe
  pid 3120 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege | pid 3244 | AppLaunch.exe
-
Suspicious use of WriteProcessMemory (30 IoCs)
Processes (identical entries collapsed, with the number of occurrences):
  PID 3744 wrote to memory of 3460 | 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe -> ftewk.exe (x3)
  PID 3460 wrote to memory of 1156 | ftewk.exe -> cmd.exe (x3)
  PID 3460 wrote to memory of 2780 | ftewk.exe -> schtasks.exe (x3)
  PID 1156 wrote to memory of 4224 | cmd.exe -> reg.exe (x3)
  PID 3460 wrote to memory of 3860 | ftewk.exe -> ftewk.exe (x10)
  PID 3860 wrote to memory of 3244 | ftewk.exe -> AppLaunch.exe (x5)
  PID 3460 wrote to memory of 3120 | ftewk.exe -> rundll32.exe (x3)
-
outlook_office_path (1 IoC)
Processes:
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | AppLaunch.exe
-
outlook_win_path (1 IoC)
Processes:
  Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
(Process tree; the leading number is the depth level, and the quoted text is the command line.)

1. C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe
   "C:\Users\Admin\AppData\Local\Temp\87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
     "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
     - Executes dropped EXE
     - Checks computer location settings
     - Suspicious use of SetThreadContext
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe
       "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\reg.exe
         REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\
    3. C:\Windows\SysWOW64\schtasks.exe
       "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe" /F
       - Creates scheduled task(s)
    3. C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
       "C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
         "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
         - Accesses Microsoft Outlook profiles
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
        5. C:\Windows\SysWOW64\WerFault.exe
           C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1804
           - Program crash
    3. C:\Windows\SysWOW64\rundll32.exe
       "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll, Main
       - Blocklisted process makes network request
       - Loads dropped DLL
       - Accesses Microsoft Outlook profiles
       - Suspicious behavior: EnumeratesProcesses
       - outlook_win_path
  2. C:\Windows\SysWOW64\WerFault.exe
     C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 848
     - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 3744
1. C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
   C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
   - Executes dropped EXE
  2. C:\Windows\SysWOW64\WerFault.exe
     C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 500
     - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3904 -ip 3904
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3244 -ip 3244
1. C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
   C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
   - Executes dropped EXE
  2. C:\Windows\SysWOW64\WerFault.exe
     C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 508
     - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4372 -ip 4372
1. C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
   C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Filesize: 383KB
  MD5: 56d9df4afbbaee34afb646e85fb4419d
  SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
  SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
  SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Filesize: 383KB
  MD5: 56d9df4afbbaee34afb646e85fb4419d
  SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
  SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
  SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Filesize: 383KB
  MD5: 56d9df4afbbaee34afb646e85fb4419d
  SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
  SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
  SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Filesize: 383KB
  MD5: 56d9df4afbbaee34afb646e85fb4419d
  SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
  SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
  SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Filesize: 383KB
  MD5: 56d9df4afbbaee34afb646e85fb4419d
  SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
  SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
  SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
- C:\Users\Admin\AppData\Local\Temp\9d5cca72fb\ftewk.exe
  Filesize: 383KB
  MD5: 56d9df4afbbaee34afb646e85fb4419d
  SHA1: 0ad215a57d93b70fa3a137060f5f5a3369d4f542
  SHA256: 87995a05b25f0dfbc564f2392434c6f66792cdf5690703bffa5797e1c3d5719c
  SHA512: 1178e68a8ebf530fa71bfe4b63543ea486555b3badfcc144d48920eafbf1f89bfd4a73ea5b04e09f8f9858e6748ae3e25db0c03332939be51131794313e59d31
- C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll
  Filesize: 126KB
  MD5: b74b2173abbc5a72d47143c1ba62c97c
  SHA1: b8d17f4f90fbc3b1347c12caf844354b65184735
  SHA256: 8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75
  SHA512: ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac
- C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred.dll
  Filesize: 126KB
  MD5: b74b2173abbc5a72d47143c1ba62c97c
  SHA1: b8d17f4f90fbc3b1347c12caf844354b65184735
  SHA256: 8dce72063ff6c2ec939aafe4dc0e247cec27fae82cde7886fda902cc8cd0aa75
  SHA512: ab73dcb86ae46e7d13d64151e5da9fd4548eccbc9b80ebf32c7de6152f25cbeba64dc3993f4431cb85aa3813cd406d18ea625ec2d92142f0eb295e2ad6ebf6ac
- memory/1156-140-0x0000000000000000-mapping.dmp
- memory/2780-141-0x0000000000000000-mapping.dmp
- memory/3120-164-0x0000000000000000-mapping.dmp
- memory/3244-162-0x0000000006A00000-0x0000000006A50000-memory.dmp (Filesize: 320KB)
- memory/3244-153-0x0000000000000000-mapping.dmp
- memory/3244-163-0x0000000006C50000-0x0000000006CEC000-memory.dmp (Filesize: 624KB)
- memory/3244-161-0x0000000005D20000-0x0000000005D86000-memory.dmp (Filesize: 408KB)
- memory/3244-160-0x0000000005C80000-0x0000000005D12000-memory.dmp (Filesize: 584KB)
- memory/3244-159-0x0000000006120000-0x00000000066C4000-memory.dmp (Filesize: 5.6MB)
- memory/3244-154-0x0000000000400000-0x00000000004B2000-memory.dmp (Filesize: 712KB)
- memory/3460-137-0x00000000006CE000-0x00000000006EC000-memory.dmp (Filesize: 120KB)
- memory/3460-139-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)
- memory/3460-134-0x0000000000000000-mapping.dmp
- memory/3460-138-0x0000000000600000-0x0000000000638000-memory.dmp (Filesize: 224KB)
- memory/3744-131-0x00000000004B0000-0x00000000005B0000-memory.dmp (Filesize: 1024KB)
- memory/3744-133-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)
- memory/3744-132-0x0000000002210000-0x0000000002248000-memory.dmp (Filesize: 224KB)
- memory/3860-143-0x0000000000000000-mapping.dmp
- memory/3860-148-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/3860-149-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/3860-144-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/3860-146-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/3860-147-0x0000000000400000-0x00000000004F0000-memory.dmp (Filesize: 960KB)
- memory/3904-152-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)
- memory/3904-151-0x00000000006F4000-0x0000000000712000-memory.dmp (Filesize: 120KB)
- memory/4224-142-0x0000000000000000-mapping.dmp
- memory/4372-168-0x0000000000774000-0x0000000000792000-memory.dmp (Filesize: 120KB)
- memory/4372-169-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)