Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-05-2022 01:48
Static task
static1
Behavioral task
behavioral1
Sample
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
Resource
win10v2004-20220414-en
General
-
Target
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
-
Size
321KB
-
MD5
198929adc74b1ba1e260c2b614e1ed80
-
SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce
-
SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
-
SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff
Malware Config
Extracted
amadey
3.08
185.215.113.35/d2VxjasuwS/index.php
Signatures
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 38 2940 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
ftewk.exeftewk.exeftewk.exeftewk.exepid process 456 ftewk.exe 4920 ftewk.exe 2476 ftewk.exe 2276 ftewk.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exeftewk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation ftewk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2940 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ftewk.exedescription pid process target process PID 456 set thread context of 4920 456 ftewk.exe ftewk.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220522035803.pma setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\585b6e6e-7418-4b6c-8ad1-e2432b142c32.tmp setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4696 4896 WerFault.exe 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe 5024 2476 WerFault.exe ftewk.exe 4860 2276 WerFault.exe ftewk.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
rundll32.exemsedge.exemsedge.exemsedge.exeidentity_helper.exepid process 2940 rundll32.exe 2940 rundll32.exe 2940 rundll32.exe 2940 rundll32.exe 4412 msedge.exe 4412 msedge.exe 4700 msedge.exe 4700 msedge.exe 2368 msedge.exe 2368 msedge.exe 796 identity_helper.exe 796 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 2368 msedge.exe 2368 msedge.exe 2368 msedge.exe 2368 msedge.exe 2368 msedge.exe 2368 msedge.exe 2368 msedge.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msedge.exepid process 2368 msedge.exe 2368 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exeftewk.execmd.exeftewk.exemsedge.exemsedge.exedescription pid process target process PID 4896 wrote to memory of 456 4896 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe ftewk.exe PID 4896 wrote to memory of 456 4896 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe ftewk.exe PID 4896 wrote to memory of 456 4896 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe ftewk.exe PID 456 wrote to memory of 1484 456 ftewk.exe cmd.exe PID 456 wrote to memory of 1484 456 ftewk.exe cmd.exe PID 456 wrote to memory of 1484 456 ftewk.exe cmd.exe PID 456 wrote to memory of 4376 456 ftewk.exe schtasks.exe PID 456 wrote to memory of 4376 456 ftewk.exe schtasks.exe PID 456 wrote to memory of 4376 456 ftewk.exe schtasks.exe PID 1484 wrote to memory of 4784 1484 cmd.exe reg.exe PID 1484 wrote to memory of 4784 1484 cmd.exe reg.exe PID 1484 wrote to memory of 4784 1484 cmd.exe reg.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 456 wrote to memory of 4920 456 ftewk.exe ftewk.exe PID 4920 wrote to memory of 5048 4920 ftewk.exe msedge.exe PID 4920 wrote to memory of 5048 4920 ftewk.exe msedge.exe PID 4920 wrote to memory of 2368 4920 ftewk.exe msedge.exe PID 4920 wrote to memory of 2368 4920 ftewk.exe msedge.exe PID 5048 wrote to memory of 4420 5048 msedge.exe msedge.exe PID 5048 wrote to memory of 4420 5048 msedge.exe msedge.exe PID 2368 wrote to memory of 2424 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 2424 2368 msedge.exe msedge.exe PID 456 wrote to memory of 2940 456 ftewk.exe rundll32.exe PID 456 wrote to memory of 2940 456 ftewk.exe rundll32.exe PID 456 wrote to memory of 2940 456 ftewk.exe rundll32.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe PID 2368 wrote to memory of 404 2368 msedge.exe msedge.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe"C:\Users\Admin\AppData\Local\Temp\920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87e8146f8,0x7ff87e814708,0x7ff87e8147185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,1453012798130880723,6875061681663509667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,1453012798130880723,6875061681663509667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2688 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87e8146f8,0x7ff87e814708,0x7ff87e8147185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5812 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7f7dd5460,0x7ff7f7dd5470,0x7ff7f7dd54806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 11082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 48961⤵
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeC:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 5082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2476 -ip 24761⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeC:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 4842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2276 -ip 22761⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868Filesize
471B
MD54dc423160e393c8c0ad93226d15eb6d2
SHA10385e7335afa99659c165956afed3a932648d03b
SHA256323df1e6fc9502c2a0c65eb5cfccd9670680645053bef738006c7aabbef1edf2
SHA512ea602cf4824cbbd88996fa680a3525433c997ea39f787c18f0ffcb9a0f5916bebf89f4dda1586f4e53eed8a2dd0eda6967899e49d92655119911336de8e6a716
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868Filesize
442B
MD560441b625d4b9b6ac123582301ca754a
SHA19eefb69619fccef0e57d377f2882ddca466f7ee5
SHA2566da423a9b7db8dcc227d31be1f5c02d3b78d1f9184e2bf5320967b1a32593577
SHA512ae8d2bf252bd0197fbb8013abe39d4fb664c05c5a88489589085de9aab5e11e57143beb1786c7fa5004aa219eec4cf8d20a15c5b97a29a19d07cc2fcc989dcd1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50f2fd3ffef216b4a9345a3bf7c19e54c
SHA1bb53767f6009d83c4af27ddb9f72b88d2dea8c1c
SHA2564587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a
SHA5125987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50f2fd3ffef216b4a9345a3bf7c19e54c
SHA1bb53767f6009d83c4af27ddb9f72b88d2dea8c1c
SHA2564587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a
SHA5125987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50f2fd3ffef216b4a9345a3bf7c19e54c
SHA1bb53767f6009d83c4af27ddb9f72b88d2dea8c1c
SHA2564587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a
SHA5125987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD595e22ee8bac6765a868c13fc5ca5017c
SHA1dff7d454639c700bb4408bf2cef900337977eb56
SHA256cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802
SHA51247fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD595e22ee8bac6765a868c13fc5ca5017c
SHA1dff7d454639c700bb4408bf2cef900337977eb56
SHA256cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802
SHA51247fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD57f8b81ea951580a472644a29d8974e00
SHA1ef79786f09693fe76f32e3cf4d64be066b75970a
SHA2566b04790bebfbeb9dc37f06bbc3261d6e63c5c6c60bda69ff4970f541e3485dd1
SHA51259b6077fd61cf4c552582c83a5725db8bcc09abfb0408a732c7370120574454c0f7cc940ba67ed9218b4daa90febda15ca5398eb8c7086b6a37031839a461487
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
321KB
MD5198929adc74b1ba1e260c2b614e1ed80
SHA12bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
321KB
MD5198929adc74b1ba1e260c2b614e1ed80
SHA12bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
321KB
MD5198929adc74b1ba1e260c2b614e1ed80
SHA12bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
321KB
MD5198929adc74b1ba1e260c2b614e1ed80
SHA12bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
321KB
MD5198929adc74b1ba1e260c2b614e1ed80
SHA12bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff
-
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dllFilesize
126KB
MD5d4ca12f7203548519be8455bd836274f
SHA17c8a18a80ba96c3944462f3a68e63b55da0e1bf4
SHA2567bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4
SHA512e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697
-
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dllFilesize
126KB
MD5d4ca12f7203548519be8455bd836274f
SHA17c8a18a80ba96c3944462f3a68e63b55da0e1bf4
SHA2567bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4
SHA512e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697
-
\??\pipe\LOCAL\crashpad_2368_JLBHJCRUEBHFYSPBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_5048_IZTUTUQRFHNXSQCGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/404-159-0x0000000000000000-mapping.dmp
-
memory/456-133-0x0000000000000000-mapping.dmp
-
memory/456-140-0x0000000000480000-0x0000000000580000-memory.dmpFilesize
1024KB
-
memory/456-141-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/796-197-0x0000000000000000-mapping.dmp
-
memory/940-191-0x0000000000000000-mapping.dmp
-
memory/1152-189-0x0000000000000000-mapping.dmp
-
memory/1372-184-0x0000000000000000-mapping.dmp
-
memory/1476-178-0x0000000000000000-mapping.dmp
-
memory/1484-137-0x0000000000000000-mapping.dmp
-
memory/2120-164-0x0000000000000000-mapping.dmp
-
memory/2276-193-0x00000000005D4000-0x00000000005F1000-memory.dmpFilesize
116KB
-
memory/2276-194-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/2368-149-0x0000000000000000-mapping.dmp
-
memory/2420-187-0x0000000000000000-mapping.dmp
-
memory/2424-151-0x0000000000000000-mapping.dmp
-
memory/2476-147-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/2476-146-0x0000000000684000-0x00000000006A1000-memory.dmpFilesize
116KB
-
memory/2940-153-0x0000000000000000-mapping.dmp
-
memory/3504-182-0x0000000000000000-mapping.dmp
-
memory/3640-195-0x0000000000000000-mapping.dmp
-
memory/3736-176-0x0000000000000000-mapping.dmp
-
memory/4056-170-0x0000000000000000-mapping.dmp
-
memory/4376-138-0x0000000000000000-mapping.dmp
-
memory/4412-165-0x0000000000000000-mapping.dmp
-
memory/4420-150-0x0000000000000000-mapping.dmp
-
memory/4484-180-0x0000000000000000-mapping.dmp
-
memory/4700-166-0x0000000000000000-mapping.dmp
-
memory/4784-139-0x0000000000000000-mapping.dmp
-
memory/4896-131-0x0000000000400000-0x000000000047C000-memory.dmpFilesize
496KB
-
memory/4896-132-0x0000000002210000-0x0000000002248000-memory.dmpFilesize
224KB
-
memory/4896-130-0x0000000000782000-0x00000000007A0000-memory.dmpFilesize
120KB
-
memory/4920-143-0x0000000000400000-0x00000000004C4000-memory.dmpFilesize
784KB
-
memory/4920-142-0x0000000000000000-mapping.dmp
-
memory/4952-174-0x0000000000000000-mapping.dmp
-
memory/4992-196-0x0000000000000000-mapping.dmp
-
memory/5048-148-0x0000000000000000-mapping.dmp