amadey | 920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
22-05-2022 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
Size

321KB
MD5

198929adc74b1ba1e260c2b614e1ed80
SHA1

2bc01b272b38257f357104ae6c2a7e70e59aabce
SHA256

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3
SHA512

094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Score

10^/10

amadey microsoft collection persistence phishing spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

38 2940 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exe

pid process

456 ftewk.exe
4920 ftewk.exe
2476 ftewk.exe
2276 ftewk.exe

flow	pid	process
38	2940	rundll32.exe

pid	process
456	ftewk.exe
4920	ftewk.exe
2476	ftewk.exe
2276	ftewk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exeftewk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ftewk.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2940 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 1 IoCs

Processes:

ftewk.exe

description pid process target process

PID 456 set thread context of 4920 456 ftewk.exe ftewk.exe

description	pid	process	target process
PID 456 set thread context of 4920	456	ftewk.exe	ftewk.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220522035803.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\585b6e6e-7418-4b6c-8ad1-e2432b142c32.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4696	4896	WerFault.exe	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
5024	2476	WerFault.exe	ftewk.exe
4860	2276	WerFault.exe	ftewk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4376 schtasks.exe

pid	process
4376	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
2940	rundll32.exe
4412	msedge.exe
4412	msedge.exe
4700	msedge.exe
4700	msedge.exe
2368	msedge.exe
2368	msedge.exe
796	identity_helper.exe
796	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
2368 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2368 msedge.exe
2368 msedge.exe

pid	process
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe

pid	process
2368	msedge.exe
2368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exeftewk.execmd.exeftewk.exemsedge.exemsedge.exe

description	pid	process	target process
PID 4896 wrote to memory of 456	4896	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 4896 wrote to memory of 456	4896	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 4896 wrote to memory of 456	4896	920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe	ftewk.exe
PID 456 wrote to memory of 1484	456	ftewk.exe	cmd.exe
PID 456 wrote to memory of 1484	456	ftewk.exe	cmd.exe
PID 456 wrote to memory of 1484	456	ftewk.exe	cmd.exe
PID 456 wrote to memory of 4376	456	ftewk.exe	schtasks.exe
PID 456 wrote to memory of 4376	456	ftewk.exe	schtasks.exe
PID 456 wrote to memory of 4376	456	ftewk.exe	schtasks.exe
PID 1484 wrote to memory of 4784	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 4784	1484	cmd.exe	reg.exe
PID 1484 wrote to memory of 4784	1484	cmd.exe	reg.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 456 wrote to memory of 4920	456	ftewk.exe	ftewk.exe
PID 4920 wrote to memory of 5048	4920	ftewk.exe	msedge.exe
PID 4920 wrote to memory of 5048	4920	ftewk.exe	msedge.exe
PID 4920 wrote to memory of 2368	4920	ftewk.exe	msedge.exe
PID 4920 wrote to memory of 2368	4920	ftewk.exe	msedge.exe
PID 5048 wrote to memory of 4420	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 4420	5048	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2424	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 2424	2368	msedge.exe	msedge.exe
PID 456 wrote to memory of 2940	456	ftewk.exe	rundll32.exe
PID 456 wrote to memory of 2940	456	ftewk.exe	rundll32.exe
PID 456 wrote to memory of 2940	456	ftewk.exe	rundll32.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe
PID 2368 wrote to memory of 404	2368	msedge.exe	msedge.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe
"C:\Users\Admin\AppData\Local\Temp\920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\
4⤵
PID:4784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:4376

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff87e8146f8,0x7ff87e814708,0x7ff87e814718
5⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,1453012798130880723,6875061681663509667,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
5⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,1453012798130880723,6875061681663509667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2688 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff87e8146f8,0x7ff87e814708,0x7ff87e814718
5⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
5⤵
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2608 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
5⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
5⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
5⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
5⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 /prefetch:8
5⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
5⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
5⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5812 /prefetch:8
5⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
5⤵
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
5⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
5⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7f7dd5460,0x7ff7f7dd5470,0x7ff7f7dd5480
6⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,14080913983695496007,8713454425884290702,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1108
2⤵
- Program crash
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4896 -ip 4896
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
1⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 508
2⤵
- Program crash
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2476 -ip 2476
1⤵
PID:4568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 484
2⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2276 -ip 2276
1⤵
PID:768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
4dc423160e393c8c0ad93226d15eb6d2

SHA1
0385e7335afa99659c165956afed3a932648d03b

SHA256
323df1e6fc9502c2a0c65eb5cfccd9670680645053bef738006c7aabbef1edf2

SHA512
ea602cf4824cbbd88996fa680a3525433c997ea39f787c18f0ffcb9a0f5916bebf89f4dda1586f4e53eed8a2dd0eda6967899e49d92655119911336de8e6a716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
442B

MD5
60441b625d4b9b6ac123582301ca754a

SHA1
9eefb69619fccef0e57d377f2882ddca466f7ee5

SHA256
6da423a9b7db8dcc227d31be1f5c02d3b78d1f9184e2bf5320967b1a32593577

SHA512
ae8d2bf252bd0197fbb8013abe39d4fb664c05c5a88489589085de9aab5e11e57143beb1786c7fa5004aa219eec4cf8d20a15c5b97a29a19d07cc2fcc989dcd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0f2fd3ffef216b4a9345a3bf7c19e54c

SHA1
bb53767f6009d83c4af27ddb9f72b88d2dea8c1c

SHA256
4587b60ec8ed42f34c0c85604a70363bd7e82b5dac6b6e14629e3a5672b3e98a

SHA512
5987b7af8b369ad6208688a59562c6d187b45a64cc307af5d96da4cbfc6c146c71bcc493f9a66bf23d2d249416222bb728e9072a44a7d9a13355647768b32900

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
95e22ee8bac6765a868c13fc5ca5017c

SHA1
dff7d454639c700bb4408bf2cef900337977eb56

SHA256
cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802

SHA512
47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
95e22ee8bac6765a868c13fc5ca5017c

SHA1
dff7d454639c700bb4408bf2cef900337977eb56

SHA256
cb320ebc79962dfd60205d687132b62ac884924f6cf5c5a40aea28fd2bc44802

SHA512
47fb43256f59834aaf626e3c9c9e20f71afbb018f64755d8e05f6cbd8dde21e1c14049192a90bffd99413a58a0cacebdd8bce7b3d464aa622d7eefad71145428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
7f8b81ea951580a472644a29d8974e00

SHA1
ef79786f09693fe76f32e3cf4d64be066b75970a

SHA256
6b04790bebfbeb9dc37f06bbc3261d6e63c5c6c60bda69ff4970f541e3485dd1

SHA512
59b6077fd61cf4c552582c83a5725db8bcc09abfb0408a732c7370120574454c0f7cc940ba67ed9218b4daa90febda15ca5398eb8c7086b6a37031839a461487

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
321KB

MD5
198929adc74b1ba1e260c2b614e1ed80

SHA1
2bc01b272b38257f357104ae6c2a7e70e59aabce

SHA256
920872b6c2b2f2c535729538c8359f8a8456399dbe6eec8cf52389e16c1458d3

SHA512
094e75cf694278231c479d556dd48d6cf19ba6dad4569cf701914fc3f671253881e20d787adad555820d05be3c922279befea23100f7718452d35d05239b4cff

Download Submit
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
\??\pipe\LOCAL\crashpad_2368_JLBHJCRUEBHFYSPB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_5048_IZTUTUQRFHNXSQCG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-159-0x0000000000000000-mapping.dmp

Download
memory/456-133-0x0000000000000000-mapping.dmp

Download
memory/456-140-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/456-141-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/796-197-0x0000000000000000-mapping.dmp

Download
memory/940-191-0x0000000000000000-mapping.dmp

Download
memory/1152-189-0x0000000000000000-mapping.dmp

Download
memory/1372-184-0x0000000000000000-mapping.dmp

Download
memory/1476-178-0x0000000000000000-mapping.dmp

Download
memory/1484-137-0x0000000000000000-mapping.dmp

Download
memory/2120-164-0x0000000000000000-mapping.dmp

Download
memory/2276-193-0x00000000005D4000-0x00000000005F1000-memory.dmp

Filesize
116KB

Download
memory/2276-194-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2368-149-0x0000000000000000-mapping.dmp

Download
memory/2420-187-0x0000000000000000-mapping.dmp

Download
memory/2424-151-0x0000000000000000-mapping.dmp

Download
memory/2476-147-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2476-146-0x0000000000684000-0x00000000006A1000-memory.dmp

Filesize
116KB

Download
memory/2940-153-0x0000000000000000-mapping.dmp

Download
memory/3504-182-0x0000000000000000-mapping.dmp

Download
memory/3640-195-0x0000000000000000-mapping.dmp

Download
memory/3736-176-0x0000000000000000-mapping.dmp

Download
memory/4056-170-0x0000000000000000-mapping.dmp

Download
memory/4376-138-0x0000000000000000-mapping.dmp

Download
memory/4412-165-0x0000000000000000-mapping.dmp

Download
memory/4420-150-0x0000000000000000-mapping.dmp

Download
memory/4484-180-0x0000000000000000-mapping.dmp

Download
memory/4700-166-0x0000000000000000-mapping.dmp

Download
memory/4784-139-0x0000000000000000-mapping.dmp

Download
memory/4896-131-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4896-132-0x0000000002210000-0x0000000002248000-memory.dmp

Filesize
224KB

Download
memory/4896-130-0x0000000000782000-0x00000000007A0000-memory.dmp

Filesize
120KB

Download
memory/4920-143-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4920-142-0x0000000000000000-mapping.dmp

Download
memory/4952-174-0x0000000000000000-mapping.dmp

Download
memory/4992-196-0x0000000000000000-mapping.dmp

Download
memory/5048-148-0x0000000000000000-mapping.dmp

Download