amadey | e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19

Analysis

max time kernel
149s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
22-05-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
Size

307KB
MD5

ee7e3d6206b8c815c7e3c30bd40e00cc
SHA1

c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
SHA256

e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
SHA512

7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7

Score

10^/10

amadey microsoft collection persistence phishing spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

92 4168 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

ftewk.exeftewk.exeftewk.exeftewk.exe

pid process

920 ftewk.exe
4480 ftewk.exe
1500 ftewk.exe
4476 ftewk.exe

flow	pid	process
92	4168	rundll32.exe

pid	process
920	ftewk.exe
4480	ftewk.exe
1500	ftewk.exe
4476	ftewk.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exeftewk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ftewk.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4168 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4168	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 1 IoCs

Processes:

ftewk.exe

description pid process target process

PID 920 set thread context of 4480 920 ftewk.exe ftewk.exe

description	pid	process	target process
PID 920 set thread context of 4480	920	ftewk.exe	ftewk.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e411a71f-edc6-4c09-8a16-30423bc8c6d5.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220522095755.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4372	3564	WerFault.exe	e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
4256	1500	WerFault.exe	ftewk.exe
3324	4476	WerFault.exe	ftewk.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2052 schtasks.exe

pid	process
2052	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exerundll32.exeidentity_helper.exe

pid	process
1520	msedge.exe
1520	msedge.exe
4464	msedge.exe
4464	msedge.exe
2304	msedge.exe
2304	msedge.exe
4168	rundll32.exe
4168	rundll32.exe
4168	rundll32.exe
4168	rundll32.exe
4576	identity_helper.exe
4576	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

2304 msedge.exe
2304 msedge.exe

pid	process
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe

pid	process
2304	msedge.exe
2304	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exeftewk.execmd.exeftewk.exemsedge.exemsedge.exe

description	pid	process	target process
PID 3564 wrote to memory of 920	3564	e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe	ftewk.exe
PID 3564 wrote to memory of 920	3564	e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe	ftewk.exe
PID 3564 wrote to memory of 920	3564	e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe	ftewk.exe
PID 920 wrote to memory of 4404	920	ftewk.exe	cmd.exe
PID 920 wrote to memory of 4404	920	ftewk.exe	cmd.exe
PID 920 wrote to memory of 4404	920	ftewk.exe	cmd.exe
PID 920 wrote to memory of 2052	920	ftewk.exe	schtasks.exe
PID 920 wrote to memory of 2052	920	ftewk.exe	schtasks.exe
PID 920 wrote to memory of 2052	920	ftewk.exe	schtasks.exe
PID 4404 wrote to memory of 4284	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 4284	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 4284	4404	cmd.exe	reg.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 920 wrote to memory of 4480	920	ftewk.exe	ftewk.exe
PID 4480 wrote to memory of 3008	4480	ftewk.exe	msedge.exe
PID 4480 wrote to memory of 3008	4480	ftewk.exe	msedge.exe
PID 3008 wrote to memory of 3856	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3856	3008	msedge.exe	msedge.exe
PID 4480 wrote to memory of 2304	4480	ftewk.exe	msedge.exe
PID 4480 wrote to memory of 2304	4480	ftewk.exe	msedge.exe
PID 2304 wrote to memory of 3200	2304	msedge.exe	msedge.exe
PID 2304 wrote to memory of 3200	2304	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe
PID 3008 wrote to memory of 3096	3008	msedge.exe	msedge.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
"C:\Users\Admin\AppData\Local\Temp\e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\
3⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\
4⤵
PID:4284

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe" /F
3⤵
- Creates scheduled task(s)
PID:2052

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
4⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffefd5146f8,0x7ffefd514708,0x7ffefd514718
5⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,115687071188979753,12246863624568334579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
5⤵
PID:3096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,115687071188979753,12246863624568334579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffefd5146f8,0x7ffefd514708,0x7ffefd514718
5⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
5⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
5⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
5⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
5⤵
PID:444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
5⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:8
5⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 /prefetch:8
5⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
5⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
5⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
5⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
5⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
5⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6d6595460,0x7ff6d6595470,0x7ff6d6595480
6⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 860
2⤵
- Program crash
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3564 -ip 3564
1⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 492
2⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1500 -ip 1500
1⤵
PID:1132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 492
2⤵
- Program crash
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4476 -ip 4476
1⤵
PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
4dc423160e393c8c0ad93226d15eb6d2

SHA1
0385e7335afa99659c165956afed3a932648d03b

SHA256
323df1e6fc9502c2a0c65eb5cfccd9670680645053bef738006c7aabbef1edf2

SHA512
ea602cf4824cbbd88996fa680a3525433c997ea39f787c18f0ffcb9a0f5916bebf89f4dda1586f4e53eed8a2dd0eda6967899e49d92655119911336de8e6a716

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
4c340c02055a64b53b41a4b40eb2edf6

SHA1
65325bd30db8731f159213ac70af00444d373107

SHA256
b9ee8906197fa7293478719e3a93d2330c67d685a3d9e119e524d27879ce2542

SHA512
d64efb2969e73b4a534468eba4e427628fea7a7e6a29742950fdaa9532f51b9c3d5aaa94a06d4509bcbaf90bbbc30128063750ceab2d82f18394c7af191e8672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
03bb77f8cf7ca94bd1137d8143fb0f16

SHA1
3ce00d980378d3f64958e40c4c4cbcb9f6e37e1e

SHA256
ea75353c4670437aa0ba1b6f61ea1d8691462bcac4a246c7e19aecaafed12ea6

SHA512
70c0de733d178b98105dff8402b0b42f431e10420bf1ec106dcc4367fe6bda37f96fbcc398c1567d9d4a443962f9bc04998a2407c33c3d84e7aa14ab9005e2ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
416B

MD5
e41000838d23807160b0d4007fa5d8b9

SHA1
5699c42fae38132c05bbe18172d8186dcfbd681a

SHA256
ffdd5772c9e69e97c6c29013de8cd3c90a6f4be2cd6dd4b909e7246256ee2735

SHA512
b41ac702e89addcc9d08f6210dec5c0f45df8e80890c7014031bde9b84bbe5056b0136cb52248efdaa3c303af01830c031fc71cc2a3a46210b7d3f7d3df80784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a18a109bb6cb1cc7f81791a89eb27564

SHA1
44f4dd33c5fe31d3137439f1786d7f9a81167f03

SHA256
f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1

SHA512
31a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7b19308400c504bdc9aa1312921fec33

SHA1
61e57f79133ab680952321360d802207f23548bc

SHA256
a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b

SHA512
c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
6a526d1a1752b07286bd51d8b97dcc17

SHA1
670d1f77b641ae494e47a0eca06ab571e0ff7f58

SHA256
3ebd13dd4245888875e3668b2921fc0b360efcc46808f50b2216673b19bda032

SHA512
b48ffffd6e94f2168a7a047818b15ad307341cd1a80371ccde2a126abdf1f3c47c112c4e8baeb589b9a3920edb514724abc485e8c273be1d65deb2cc12f6253d

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
307KB

MD5
ee7e3d6206b8c815c7e3c30bd40e00cc

SHA1
c41bd2e3c0ac545d7ba81e26743ee4f909eccb27

SHA256
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19

SHA512
7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
307KB

MD5
ee7e3d6206b8c815c7e3c30bd40e00cc

SHA1
c41bd2e3c0ac545d7ba81e26743ee4f909eccb27

SHA256
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19

SHA512
7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
307KB

MD5
ee7e3d6206b8c815c7e3c30bd40e00cc

SHA1
c41bd2e3c0ac545d7ba81e26743ee4f909eccb27

SHA256
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19

SHA512
7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
307KB

MD5
ee7e3d6206b8c815c7e3c30bd40e00cc

SHA1
c41bd2e3c0ac545d7ba81e26743ee4f909eccb27

SHA256
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19

SHA512
7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe
Filesize
307KB

MD5
ee7e3d6206b8c815c7e3c30bd40e00cc

SHA1
c41bd2e3c0ac545d7ba81e26743ee4f909eccb27

SHA256
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19

SHA512
7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7

Download Submit
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll
Filesize
126KB

MD5
d4ca12f7203548519be8455bd836274f

SHA1
7c8a18a80ba96c3944462f3a68e63b55da0e1bf4

SHA256
7bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4

SHA512
e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697

Download Submit
\??\pipe\LOCAL\crashpad_2304_HJDWRUNVZTAPRIKJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3008_NQZWHVWWCJRSSVDW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-172-0x0000000000000000-mapping.dmp

Download
memory/876-186-0x0000000000000000-mapping.dmp

Download
memory/920-138-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/920-137-0x00000000005E0000-0x0000000000618000-memory.dmp

Filesize
224KB

Download
memory/920-136-0x0000000000633000-0x0000000000651000-memory.dmp

Filesize
120KB

Download
memory/920-132-0x0000000000000000-mapping.dmp

Download
memory/1184-170-0x0000000000000000-mapping.dmp

Download
memory/1500-146-0x0000000000784000-0x00000000007A2000-memory.dmp

Filesize
120KB

Download
memory/1500-147-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1520-158-0x0000000000000000-mapping.dmp

Download
memory/1572-184-0x0000000000000000-mapping.dmp

Download
memory/1764-182-0x0000000000000000-mapping.dmp

Download
memory/2052-140-0x0000000000000000-mapping.dmp

Download
memory/2292-190-0x0000000000000000-mapping.dmp

Download
memory/2304-150-0x0000000000000000-mapping.dmp

Download
memory/2688-157-0x0000000000000000-mapping.dmp

Download
memory/3008-148-0x0000000000000000-mapping.dmp

Download
memory/3096-155-0x0000000000000000-mapping.dmp

Download
memory/3188-176-0x0000000000000000-mapping.dmp

Download
memory/3200-151-0x0000000000000000-mapping.dmp

Download
memory/3344-188-0x0000000000000000-mapping.dmp

Download
memory/3564-135-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3564-131-0x00000000005D0000-0x0000000000608000-memory.dmp

Filesize
224KB

Download
memory/3564-130-0x0000000000752000-0x0000000000770000-memory.dmp

Filesize
120KB

Download
memory/3576-192-0x0000000000000000-mapping.dmp

Download
memory/3856-149-0x0000000000000000-mapping.dmp

Download
memory/4088-174-0x0000000000000000-mapping.dmp

Download
memory/4132-163-0x0000000000000000-mapping.dmp

Download
memory/4168-178-0x0000000000000000-mapping.dmp

Download
memory/4284-141-0x0000000000000000-mapping.dmp

Download
memory/4404-139-0x0000000000000000-mapping.dmp

Download
memory/4464-159-0x0000000000000000-mapping.dmp

Download
memory/4476-196-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4476-195-0x0000000000844000-0x0000000000862000-memory.dmp

Filesize
120KB

Download
memory/4480-143-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/4480-142-0x0000000000000000-mapping.dmp

Download
memory/4512-191-0x0000000000000000-mapping.dmp

Download
memory/4576-193-0x0000000000000000-mapping.dmp

Download