Analysis
-
max time kernel
149s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
22-05-2022 07:47
Static task
static1
Behavioral task
behavioral1
Sample
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
Resource
win10v2004-20220414-en
General
-
Target
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe
-
Size
307KB
-
MD5
ee7e3d6206b8c815c7e3c30bd40e00cc
-
SHA1
c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
-
SHA256
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
-
SHA512
7a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7
Malware Config
Extracted
amadey
3.08
185.215.113.35/d2VxjasuwS/index.php
Signatures
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 92 4168 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
ftewk.exeftewk.exeftewk.exeftewk.exepid process 920 ftewk.exe 4480 ftewk.exe 1500 ftewk.exe 4476 ftewk.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exeftewk.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation ftewk.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 4168 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ftewk.exedescription pid process target process PID 920 set thread context of 4480 920 ftewk.exe ftewk.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e411a71f-edc6-4c09-8a16-30423bc8c6d5.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220522095755.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4372 3564 WerFault.exe e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe 4256 1500 WerFault.exe ftewk.exe 3324 4476 WerFault.exe ftewk.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exemsedge.exerundll32.exeidentity_helper.exepid process 1520 msedge.exe 1520 msedge.exe 4464 msedge.exe 4464 msedge.exe 2304 msedge.exe 2304 msedge.exe 4168 rundll32.exe 4168 rundll32.exe 4168 rundll32.exe 4168 rundll32.exe 4576 identity_helper.exe 4576 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
msedge.exepid process 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msedge.exepid process 2304 msedge.exe 2304 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exeftewk.execmd.exeftewk.exemsedge.exemsedge.exedescription pid process target process PID 3564 wrote to memory of 920 3564 e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe ftewk.exe PID 3564 wrote to memory of 920 3564 e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe ftewk.exe PID 3564 wrote to memory of 920 3564 e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe ftewk.exe PID 920 wrote to memory of 4404 920 ftewk.exe cmd.exe PID 920 wrote to memory of 4404 920 ftewk.exe cmd.exe PID 920 wrote to memory of 4404 920 ftewk.exe cmd.exe PID 920 wrote to memory of 2052 920 ftewk.exe schtasks.exe PID 920 wrote to memory of 2052 920 ftewk.exe schtasks.exe PID 920 wrote to memory of 2052 920 ftewk.exe schtasks.exe PID 4404 wrote to memory of 4284 4404 cmd.exe reg.exe PID 4404 wrote to memory of 4284 4404 cmd.exe reg.exe PID 4404 wrote to memory of 4284 4404 cmd.exe reg.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 920 wrote to memory of 4480 920 ftewk.exe ftewk.exe PID 4480 wrote to memory of 3008 4480 ftewk.exe msedge.exe PID 4480 wrote to memory of 3008 4480 ftewk.exe msedge.exe PID 3008 wrote to memory of 3856 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3856 3008 msedge.exe msedge.exe PID 4480 wrote to memory of 2304 4480 ftewk.exe msedge.exe PID 4480 wrote to memory of 2304 4480 ftewk.exe msedge.exe PID 2304 wrote to memory of 3200 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 3200 2304 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe PID 3008 wrote to memory of 3096 3008 msedge.exe msedge.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe"C:\Users\Admin\AppData\Local\Temp\e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e014321378\4⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN ftewk.exe /TR "C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffefd5146f8,0x7ffefd514708,0x7ffefd5147185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,115687071188979753,12246863624568334579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,115687071188979753,12246863624568334579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2496 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ftewk.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.04⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffefd5146f8,0x7ffefd514708,0x7ffefd5147185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6d6595460,0x7ff6d6595470,0x7ff6d65954806⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5875226188247301759,18188784519128419116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 8602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3564 -ip 35641⤵
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeC:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 4922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1500 -ip 15001⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeC:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 4922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4476 -ip 44761⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868Filesize
471B
MD54dc423160e393c8c0ad93226d15eb6d2
SHA10385e7335afa99659c165956afed3a932648d03b
SHA256323df1e6fc9502c2a0c65eb5cfccd9670680645053bef738006c7aabbef1edf2
SHA512ea602cf4824cbbd88996fa680a3525433c997ea39f787c18f0ffcb9a0f5916bebf89f4dda1586f4e53eed8a2dd0eda6967899e49d92655119911336de8e6a716
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
471B
MD54c340c02055a64b53b41a4b40eb2edf6
SHA165325bd30db8731f159213ac70af00444d373107
SHA256b9ee8906197fa7293478719e3a93d2330c67d685a3d9e119e524d27879ce2542
SHA512d64efb2969e73b4a534468eba4e427628fea7a7e6a29742950fdaa9532f51b9c3d5aaa94a06d4509bcbaf90bbbc30128063750ceab2d82f18394c7af191e8672
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868Filesize
412B
MD503bb77f8cf7ca94bd1137d8143fb0f16
SHA13ce00d980378d3f64958e40c4c4cbcb9f6e37e1e
SHA256ea75353c4670437aa0ba1b6f61ea1d8691462bcac4a246c7e19aecaafed12ea6
SHA51270c0de733d178b98105dff8402b0b42f431e10420bf1ec106dcc4367fe6bda37f96fbcc398c1567d9d4a443962f9bc04998a2407c33c3d84e7aa14ab9005e2ff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
416B
MD5e41000838d23807160b0d4007fa5d8b9
SHA15699c42fae38132c05bbe18172d8186dcfbd681a
SHA256ffdd5772c9e69e97c6c29013de8cd3c90a6f4be2cd6dd4b909e7246256ee2735
SHA512b41ac702e89addcc9d08f6210dec5c0f45df8e80890c7014031bde9b84bbe5056b0136cb52248efdaa3c303af01830c031fc71cc2a3a46210b7d3f7d3df80784
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a18a109bb6cb1cc7f81791a89eb27564
SHA144f4dd33c5fe31d3137439f1786d7f9a81167f03
SHA256f3f8694f3c043727f800096340b7acc0585f732a441e23c082bf41f2c2ecede1
SHA51231a3c9169e293767ae857b1ac6987288a24bd63bbf3a85e2485f6a9b69ce5d3967d87e623e58284efc557015bd4416337f216740fe066fb918c6ab3a200b5f02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b19308400c504bdc9aa1312921fec33
SHA161e57f79133ab680952321360d802207f23548bc
SHA256a484d0a2e73a22c910c8de019c540e3f3cc4a77adc9ca4a1fa8aa91bde1cd31b
SHA512c1702cd63375494612b814ea3852cfd75761dd45a12c2be0971ac86b505a03dfb2ce82ab773c6b43baec3e6b0310dddf39f7bcac10425ef2a7d3574e33b2a699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD56a526d1a1752b07286bd51d8b97dcc17
SHA1670d1f77b641ae494e47a0eca06ab571e0ff7f58
SHA2563ebd13dd4245888875e3668b2921fc0b360efcc46808f50b2216673b19bda032
SHA512b48ffffd6e94f2168a7a047818b15ad307341cd1a80371ccde2a126abdf1f3c47c112c4e8baeb589b9a3920edb514724abc485e8c273be1d65deb2cc12f6253d
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
307KB
MD5ee7e3d6206b8c815c7e3c30bd40e00cc
SHA1c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
SHA256e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
SHA5127a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
307KB
MD5ee7e3d6206b8c815c7e3c30bd40e00cc
SHA1c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
SHA256e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
SHA5127a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
307KB
MD5ee7e3d6206b8c815c7e3c30bd40e00cc
SHA1c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
SHA256e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
SHA5127a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
307KB
MD5ee7e3d6206b8c815c7e3c30bd40e00cc
SHA1c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
SHA256e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
SHA5127a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7
-
C:\Users\Admin\AppData\Local\Temp\e014321378\ftewk.exeFilesize
307KB
MD5ee7e3d6206b8c815c7e3c30bd40e00cc
SHA1c41bd2e3c0ac545d7ba81e26743ee4f909eccb27
SHA256e085027f0a000f7be4a5ac90460b005d03a4ef4e48579c78b5582f2a99ae6c19
SHA5127a8f98e25c44d6db495eda24247e29696b4bc195566ea5d5fd3f9aedc8c792bedf9ce8d9b826d34e52302a2ab0ec82552a2007f8811688e8f84746c66af807d7
-
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dllFilesize
126KB
MD5d4ca12f7203548519be8455bd836274f
SHA17c8a18a80ba96c3944462f3a68e63b55da0e1bf4
SHA2567bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4
SHA512e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697
-
C:\Users\Admin\AppData\Roaming\9034267ed8b4ad\cred.dllFilesize
126KB
MD5d4ca12f7203548519be8455bd836274f
SHA17c8a18a80ba96c3944462f3a68e63b55da0e1bf4
SHA2567bc6a9edc592553dcb9250d70816f511d43a998f95f4e0b2a347dc2b66f897c4
SHA512e2cad4293dbb043c6d563710087e9769beeb130a80319c151e9d81d9c74b0b5017a23c3fec9cdc022b45491dc6aa6499e3898488dc9c8486e1df83e6da28e697
-
\??\pipe\LOCAL\crashpad_2304_HJDWRUNVZTAPRIKJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_3008_NQZWHVWWCJRSSVDWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/444-172-0x0000000000000000-mapping.dmp
-
memory/876-186-0x0000000000000000-mapping.dmp
-
memory/920-138-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/920-137-0x00000000005E0000-0x0000000000618000-memory.dmpFilesize
224KB
-
memory/920-136-0x0000000000633000-0x0000000000651000-memory.dmpFilesize
120KB
-
memory/920-132-0x0000000000000000-mapping.dmp
-
memory/1184-170-0x0000000000000000-mapping.dmp
-
memory/1500-146-0x0000000000784000-0x00000000007A2000-memory.dmpFilesize
120KB
-
memory/1500-147-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1520-158-0x0000000000000000-mapping.dmp
-
memory/1572-184-0x0000000000000000-mapping.dmp
-
memory/1764-182-0x0000000000000000-mapping.dmp
-
memory/2052-140-0x0000000000000000-mapping.dmp
-
memory/2292-190-0x0000000000000000-mapping.dmp
-
memory/2304-150-0x0000000000000000-mapping.dmp
-
memory/2688-157-0x0000000000000000-mapping.dmp
-
memory/3008-148-0x0000000000000000-mapping.dmp
-
memory/3096-155-0x0000000000000000-mapping.dmp
-
memory/3188-176-0x0000000000000000-mapping.dmp
-
memory/3200-151-0x0000000000000000-mapping.dmp
-
memory/3344-188-0x0000000000000000-mapping.dmp
-
memory/3564-135-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3564-131-0x00000000005D0000-0x0000000000608000-memory.dmpFilesize
224KB
-
memory/3564-130-0x0000000000752000-0x0000000000770000-memory.dmpFilesize
120KB
-
memory/3576-192-0x0000000000000000-mapping.dmp
-
memory/3856-149-0x0000000000000000-mapping.dmp
-
memory/4088-174-0x0000000000000000-mapping.dmp
-
memory/4132-163-0x0000000000000000-mapping.dmp
-
memory/4168-178-0x0000000000000000-mapping.dmp
-
memory/4284-141-0x0000000000000000-mapping.dmp
-
memory/4404-139-0x0000000000000000-mapping.dmp
-
memory/4464-159-0x0000000000000000-mapping.dmp
-
memory/4476-196-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4476-195-0x0000000000844000-0x0000000000862000-memory.dmpFilesize
120KB
-
memory/4480-143-0x0000000000400000-0x00000000004C4000-memory.dmpFilesize
784KB
-
memory/4480-142-0x0000000000000000-mapping.dmp
-
memory/4512-191-0x0000000000000000-mapping.dmp
-
memory/4576-193-0x0000000000000000-mapping.dmp