amadey | b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438

Analysis

max time kernel
191s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe
Size

322KB
MD5

85f6fe679a04868dd03c5af77360df58
SHA1

26c330194913ef9ef367ee17d3389ff71a6d08cf
SHA256

b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438
SHA512

03336f8f6d2ffc3ffa8e1a51c2a703c1fbfdb520dce36261079097407c16993a2cc0fb5c27e953513097c7c3f73ce04e9604cbd741b48d50b1917b4e7c2b8475
SSDEEP

6144:40sZlbXLNtuuL6oBOf8Im7WfI1O3tE/uilf:40sZlbHuuL6oBq8DyfI1Mel

Score

10^/10

amadey socelars collection spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

62.204.41.6/p9cWxH/index.php

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sauydga27/

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000058001\mp3studios_97.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\1000058001\mp3studios_97.exe	family_socelars

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

102 4048 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

gntuud.exegntuud.exemp3studios_97.exegntuud.exe

pid process

232 gntuud.exe
932 gntuud.exe
2260 mp3studios_97.exe
1388 gntuud.exe

flow	pid	process
102	4048	rundll32.exe

pid	process
232	gntuud.exe
932	gntuud.exe
2260	mp3studios_97.exe
1388	gntuud.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4048 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4048	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

mp3studios_97.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_97.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_97.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4504	4256	WerFault.exe	b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe
3988	932	WerFault.exe	gntuud.exe
5004	1388	WerFault.exe	gntuud.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3116 schtasks.exe

pid	process
3116	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1312 taskkill.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32.exechrome.exechrome.exe

pid process

4048 rundll32.exe
4048 rundll32.exe
4048 rundll32.exe
4048 rundll32.exe
4040 chrome.exe
4040 chrome.exe
4016 chrome.exe
4016 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4016 chrome.exe
4016 chrome.exe
4016 chrome.exe

pid	process
1312	taskkill.exe

pid	process
4048	rundll32.exe
4048	rundll32.exe
4048	rundll32.exe
4048	rundll32.exe
4040	chrome.exe
4040	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

mp3studios_97.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	2260	mp3studios_97.exe
Token: SeAssignPrimaryTokenPrivilege	2260	mp3studios_97.exe
Token: SeLockMemoryPrivilege	2260	mp3studios_97.exe
Token: SeIncreaseQuotaPrivilege	2260	mp3studios_97.exe
Token: SeMachineAccountPrivilege	2260	mp3studios_97.exe
Token: SeTcbPrivilege	2260	mp3studios_97.exe
Token: SeSecurityPrivilege	2260	mp3studios_97.exe
Token: SeTakeOwnershipPrivilege	2260	mp3studios_97.exe
Token: SeLoadDriverPrivilege	2260	mp3studios_97.exe
Token: SeSystemProfilePrivilege	2260	mp3studios_97.exe
Token: SeSystemtimePrivilege	2260	mp3studios_97.exe
Token: SeProfSingleProcessPrivilege	2260	mp3studios_97.exe
Token: SeIncBasePriorityPrivilege	2260	mp3studios_97.exe
Token: SeCreatePagefilePrivilege	2260	mp3studios_97.exe
Token: SeCreatePermanentPrivilege	2260	mp3studios_97.exe
Token: SeBackupPrivilege	2260	mp3studios_97.exe
Token: SeRestorePrivilege	2260	mp3studios_97.exe
Token: SeShutdownPrivilege	2260	mp3studios_97.exe
Token: SeDebugPrivilege	2260	mp3studios_97.exe
Token: SeAuditPrivilege	2260	mp3studios_97.exe
Token: SeSystemEnvironmentPrivilege	2260	mp3studios_97.exe
Token: SeChangeNotifyPrivilege	2260	mp3studios_97.exe
Token: SeRemoteShutdownPrivilege	2260	mp3studios_97.exe
Token: SeUndockPrivilege	2260	mp3studios_97.exe
Token: SeSyncAgentPrivilege	2260	mp3studios_97.exe
Token: SeEnableDelegationPrivilege	2260	mp3studios_97.exe
Token: SeManageVolumePrivilege	2260	mp3studios_97.exe
Token: SeImpersonatePrivilege	2260	mp3studios_97.exe
Token: SeCreateGlobalPrivilege	2260	mp3studios_97.exe
Token: 31	2260	mp3studios_97.exe
Token: 32	2260	mp3studios_97.exe
Token: 33	2260	mp3studios_97.exe
Token: 34	2260	mp3studios_97.exe
Token: 35	2260	mp3studios_97.exe
Token: SeDebugPrivilege	1312	taskkill.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe
4016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exegntuud.exemp3studios_97.execmd.exechrome.exe

description	pid	process	target process
PID 4256 wrote to memory of 232	4256	b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe	gntuud.exe
PID 4256 wrote to memory of 232	4256	b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe	gntuud.exe
PID 4256 wrote to memory of 232	4256	b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe	gntuud.exe
PID 232 wrote to memory of 3116	232	gntuud.exe	schtasks.exe
PID 232 wrote to memory of 3116	232	gntuud.exe	schtasks.exe
PID 232 wrote to memory of 3116	232	gntuud.exe	schtasks.exe
PID 232 wrote to memory of 2260	232	gntuud.exe	mp3studios_97.exe
PID 232 wrote to memory of 2260	232	gntuud.exe	mp3studios_97.exe
PID 232 wrote to memory of 2260	232	gntuud.exe	mp3studios_97.exe
PID 232 wrote to memory of 4048	232	gntuud.exe	rundll32.exe
PID 232 wrote to memory of 4048	232	gntuud.exe	rundll32.exe
PID 232 wrote to memory of 4048	232	gntuud.exe	rundll32.exe
PID 2260 wrote to memory of 3172	2260	mp3studios_97.exe	cmd.exe
PID 2260 wrote to memory of 3172	2260	mp3studios_97.exe	cmd.exe
PID 2260 wrote to memory of 3172	2260	mp3studios_97.exe	cmd.exe
PID 3172 wrote to memory of 1312	3172	cmd.exe	taskkill.exe
PID 3172 wrote to memory of 1312	3172	cmd.exe	taskkill.exe
PID 3172 wrote to memory of 1312	3172	cmd.exe	taskkill.exe
PID 2260 wrote to memory of 4016	2260	mp3studios_97.exe	chrome.exe
PID 2260 wrote to memory of 4016	2260	mp3studios_97.exe	chrome.exe
PID 4016 wrote to memory of 1244	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 1244	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4528	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4040	4016	chrome.exe	chrome.exe
PID 4016 wrote to memory of 4040	4016	chrome.exe	chrome.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe
"C:\Users\Admin\AppData\Local\Temp\b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:3116

C:\Users\Admin\AppData\Local\Temp\1000058001\mp3studios_97.exe
"C:\Users\Admin\AppData\Local\Temp\1000058001\mp3studios_97.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd37484f50,0x7ffd37484f60,0x7ffd37484f70
5⤵
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,7176615179297250503,7326689128662439418,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
5⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,7176615179297250503,7326689128662439418,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,7176615179297250503,7326689128662439418,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:8
5⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,7176615179297250503,7326689128662439418,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
5⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,7176615179297250503,7326689128662439418,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
5⤵
PID:1484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,7176615179297250503,7326689128662439418,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
5⤵
PID:2288

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 908
2⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4256 -ip 4256
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 416
2⤵
- Program crash
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 932 -ip 932
1⤵
PID:3556

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 420
2⤵
- Program crash
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1388 -ip 1388
1⤵
PID:3100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
5b27455f1984af3c5497d97886254a44

SHA1
5648dc52488ea6a0d573a9288e8b98dcaab147dc

SHA256
d7cdb0049d481903f8f695921aaaf93a3a1c602b645b8c1d77c971c473a760bb

SHA512
4b21e0e977ccd0c011452dd0362ce2c4ddd0217471c9a648a43fe587e354000a5e813bfe8d80c331bf9e5d8fe284197478ffe3a99a4ecc10b6cb3c4f7877e63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058001\mp3studios_97.exe
Filesize
1.4MB

MD5
4b5f6278f37184c8de5d9a26d738ec99

SHA1
84e149f65af913a544042f8fcdc0ef2d71ddefaa

SHA256
7c8203dabbe621d997618cc74e82877f6a04d539e8c69205a373e6c928d55892

SHA512
a828a74d9aaa79f24f8098f4e6dbe2e68e0a9855005ca87a74b1b014c575758eaac33415c910eaad13b7a19e43be445de0953efe2ddf969aa08e50e70915054b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058001\mp3studios_97.exe
Filesize
1.4MB

MD5
4b5f6278f37184c8de5d9a26d738ec99

SHA1
84e149f65af913a544042f8fcdc0ef2d71ddefaa

SHA256
7c8203dabbe621d997618cc74e82877f6a04d539e8c69205a373e6c928d55892

SHA512
a828a74d9aaa79f24f8098f4e6dbe2e68e0a9855005ca87a74b1b014c575758eaac33415c910eaad13b7a19e43be445de0953efe2ddf969aa08e50e70915054b

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
322KB

MD5
85f6fe679a04868dd03c5af77360df58

SHA1
26c330194913ef9ef367ee17d3389ff71a6d08cf

SHA256
b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438

SHA512
03336f8f6d2ffc3ffa8e1a51c2a703c1fbfdb520dce36261079097407c16993a2cc0fb5c27e953513097c7c3f73ce04e9604cbd741b48d50b1917b4e7c2b8475

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
322KB

MD5
85f6fe679a04868dd03c5af77360df58

SHA1
26c330194913ef9ef367ee17d3389ff71a6d08cf

SHA256
b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438

SHA512
03336f8f6d2ffc3ffa8e1a51c2a703c1fbfdb520dce36261079097407c16993a2cc0fb5c27e953513097c7c3f73ce04e9604cbd741b48d50b1917b4e7c2b8475

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
322KB

MD5
85f6fe679a04868dd03c5af77360df58

SHA1
26c330194913ef9ef367ee17d3389ff71a6d08cf

SHA256
b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438

SHA512
03336f8f6d2ffc3ffa8e1a51c2a703c1fbfdb520dce36261079097407c16993a2cc0fb5c27e953513097c7c3f73ce04e9604cbd741b48d50b1917b4e7c2b8475

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
322KB

MD5
85f6fe679a04868dd03c5af77360df58

SHA1
26c330194913ef9ef367ee17d3389ff71a6d08cf

SHA256
b7a5cce53d8642e47caac7db956dfa742d24b376c0183350b9dc4b819a83f438

SHA512
03336f8f6d2ffc3ffa8e1a51c2a703c1fbfdb520dce36261079097407c16993a2cc0fb5c27e953513097c7c3f73ce04e9604cbd741b48d50b1917b4e7c2b8475

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
98cc0f811ad5ff43fedc262961002498

SHA1
37e48635fcef35c0b3db3c1f0c35833899eb53d8

SHA256
62d5b300b911a022c5c146ea010769cd0c2fdcc86aba7e5be25aff1f799220be

SHA512
d2ae90628acf92c6f7d176a4c866a0b6a6cfcfd722f0aec89cb48afead4318311c3ca95fe6865ac254b601b70ef5f289a35f4b26fba67a4c9b3cc5e68c7bf9c1

Download Submit
\??\pipe\crashpad_4016_RLTGOUYJFHEKOTVH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/232-140-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/232-135-0x0000000000000000-mapping.dmp

Download
memory/232-139-0x00000000005C3000-0x00000000005E2000-memory.dmp

Filesize
124KB

Download
memory/932-145-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/932-144-0x00000000004F4000-0x0000000000513000-memory.dmp

Filesize
124KB

Download
memory/1312-153-0x0000000000000000-mapping.dmp

Download
memory/1388-156-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1388-155-0x00000000006D4000-0x00000000006F3000-memory.dmp

Filesize
124KB

Download
memory/2260-146-0x0000000000000000-mapping.dmp

Download
memory/3116-138-0x0000000000000000-mapping.dmp

Download
memory/3172-152-0x0000000000000000-mapping.dmp

Download
memory/4048-149-0x0000000000000000-mapping.dmp

Download
memory/4256-141-0x0000000000722000-0x0000000000741000-memory.dmp

Filesize
124KB

Download
memory/4256-132-0x0000000000722000-0x0000000000741000-memory.dmp

Filesize
124KB

Download
memory/4256-142-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4256-134-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4256-133-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download