Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 16-03-2023 16:53
Static task: static1
Behavioral task: behavioral1
  Sample: ECEC21BC458DA2A9F57365C6B937A4C9.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ECEC21BC458DA2A9F57365C6B937A4C9.exe
  Resource: win10v2004-20230220-en
General
- Target: ECEC21BC458DA2A9F57365C6B937A4C9.exe
- Size: 1.8MB
- MD5: ecec21bc458da2a9f57365c6b937a4c9
- SHA1: 755ef702c8b7da9312f696788f333292a51f2d48
- SHA256: 563b8804db86f842d0cd46ff0129a877271e8145f2bbc8eca6ba6106f7a0afd9
- SHA512: 65bd4598ff7c9afb809eee70a4250e5dafbacbb624ffcc8534d2127c837e8ac9c70fbedbb1cbd90d95b33c469dea2eb0183d3fb57e5e0d966e2972d7243586aa
- SSDEEP: 49152:5akK7v1gAdM+m+s2jkeMci3ZbfC5S+mti1N7048oBbdTuCg353u9TDam:Q57vqFEsEMci3ZbfCB1N70yu/A93
Malware Config

Signatures
Office macro that triggers on suspicious action (1 IoC)
Office document macro which triggers in special circumstances - often malicious.
Processes:
  - resource: C:\Users\Admin\Documents\Amtek\qtbuild.xls; yara_rule: office_macro_on_action
Executes dropped EXE (1 IoC)
Processes:
  - pid 2020: ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Loads dropped DLL (5 IoCs)
Processes:
  - pid 848: ECEC21BC458DA2A9F57365C6B937A4C9.exe
  - pid 2020: ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - pid 2020: ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - pid 2020: ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - pid 2020: ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (1 IoC)
Processes:
  - File created: C:\Windows\SysWOW64\is-6A0UP.tmp (process ECEC21BC458DA2A9F57365C6B937A4C9.tmp)
Drops file in Program Files directory (21 IoCs)
Processes (all by ECEC21BC458DA2A9F57365C6B937A4C9.tmp):
  - File created: \??\c:\program files\amtek\is-DSHHQ.tmp
  - File created: \??\c:\program files\amtek\is-I6B58.tmp
  - File created: \??\c:\program files\amtek\is-JMNJT.tmp
  - File created: \??\c:\program files\amtek\is-9U5G6.tmp
  - File created: \??\c:\program files\amtek\is-QCA66.tmp
  - File created: \??\c:\program files\amtek\is-TVKVC.tmp
  - File created: \??\c:\program files\amtek\is-UVRED.tmp
  - File created: \??\c:\program files\amtek\is-KB6BQ.tmp
  - File created: \??\c:\program files\amtek\is-KPHJ1.tmp
  - File created: \??\c:\program files\amtek\is-HNMG2.tmp
  - File created: \??\c:\program files\amtek\is-L2ODL.tmp
  - File created: \??\c:\program files\amtek\is-NLHVM.tmp
  - File created: \??\c:\program files\amtek\is-16R9E.tmp
  - File created: \??\c:\program files\amtek\is-6666B.tmp
  - File created: \??\c:\program files\amtek\is-0MQKB.tmp
  - File created: \??\c:\program files\amtek\is-4UV8V.tmp
  - File created: \??\c:\program files\amtek\is-A1LST.tmp
  - File created: \??\c:\program files\amtek\is-FPF1H.tmp
  - File created: \??\c:\program files\amtek\unins000.dat
  - File opened for modification: \??\c:\program files\amtek\unins000.dat
  - File created: \??\c:\program files\amtek\is-DS9D4.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  - pid 2020: ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description; pid; process; target process):
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  - PID 848 wrote to memory of 2020; 848; ECEC21BC458DA2A9F57365C6B937A4C9.exe; ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Processes
- C:\Users\Admin\AppData\Local\Temp\ECEC21BC458DA2A9F57365C6B937A4C9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ECEC21BC458DA2A9F57365C6B937A4C9.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp" /SL5="$80022,1643523,54272,C:\Users\Admin\AppData\Local\Temp\ECEC21BC458DA2A9F57365C6B937A4C9.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Program Files\amtek\AUTOEXEC.NT
  Filesize: 1KB
  MD5: 30475f091008e24550523515a023270d
  SHA1: d101605baaa6b2b4a86e62acb45f8c8b5057df58
  SHA256: 730f91694eeaa5043e6bf4e999f6cc4324cce87799fa35daa037d50827fa5193
  SHA512: a7c6571b64699833c19c6deec68e98093268e1b9a88440bf403fafd41212504a8ff6edefb31acf0efd7975578ae19e4dd4857bde40b4c8581c50f8093c079d2e
- C:\Program Files\amtek\util32a.exe
  Filesize: 880KB
  MD5: 30d1f49c57c023b82dc7e579a9d3c5b6
  SHA1: 7dc55f7456ec4126408da5078ca8f71ed08c3991
  SHA256: 2456568024e320a3fc66ab96885673c5d0106df3f2643da5bc4a73b1f637f70e
  SHA512: 287886c9c6d121c9b75b092a7d920a287017f92c08c4af9432825606b6a02e0434d261116287aadcf0136bcada3c623057614e745766287eaf021eb39c700c57
- C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  Filesize: 687KB
  MD5: 8f144bcbcad0417e7823dd8e60218530
  SHA1: 9df092a764b8ad278ed574f00d1c065683eef6ac
  SHA256: 39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0
  SHA512: e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d
- C:\Users\Admin\Documents\Amtek\qtbuild.xls
  Filesize: 489KB
  MD5: c84bca227eb2331bab73724ec7cb4c96
  SHA1: 202fabcf6fac47c49acf50d6126356c6b89e3977
  SHA256: de259ac66a9b9a7048ab8372c71052830242ba13024c6cf5f4f2ce18785fce8a
  SHA512: 871a672471408b49e4925e6094d6e2dd2ec02f3369f0daf7291fdd1820af7fe733a54b5ef2e4e2b264454016af0e64a82d9572a06914cd720992eebadcf72e2f
- \Program Files\amtek\util32a.exe
  Filesize: 880KB
  MD5: 30d1f49c57c023b82dc7e579a9d3c5b6
  SHA1: 7dc55f7456ec4126408da5078ca8f71ed08c3991
  SHA256: 2456568024e320a3fc66ab96885673c5d0106df3f2643da5bc4a73b1f637f70e
  SHA512: 287886c9c6d121c9b75b092a7d920a287017f92c08c4af9432825606b6a02e0434d261116287aadcf0136bcada3c623057614e745766287eaf021eb39c700c57
- \Users\Admin\AppData\Local\Temp\is-46EA0.tmp\_isetup\_shfoldr.dll
  Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- \Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp
  Filesize: 687KB
  MD5: 8f144bcbcad0417e7823dd8e60218530
  SHA1: 9df092a764b8ad278ed574f00d1c065683eef6ac
  SHA256: 39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0
  SHA512: e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d
- memory/848-69-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/848-54-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/848-145-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2020-70-0x0000000000400000-0x00000000004BC000-memory.dmp
  Filesize: 752KB
- memory/2020-68-0x0000000000240000-0x0000000000241000-memory.dmp
  Filesize: 4KB
- memory/2020-144-0x0000000000400000-0x00000000004BC000-memory.dmp
  Filesize: 752KB