563b8804db86f842d0cd46ff0129a877271e8145f2bbc8eca6ba6106f7a0afd9

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ECEC21BC458DA2A9F57365C6B937A4C9.exe
Size

1.8MB
MD5

ecec21bc458da2a9f57365c6b937a4c9
SHA1

755ef702c8b7da9312f696788f333292a51f2d48
SHA256

563b8804db86f842d0cd46ff0129a877271e8145f2bbc8eca6ba6106f7a0afd9
SHA512

65bd4598ff7c9afb809eee70a4250e5dafbacbb624ffcc8534d2127c837e8ac9c70fbedbb1cbd90d95b33c469dea2eb0183d3fb57e5e0d966e2972d7243586aa
SSDEEP

49152:5akK7v1gAdM+m+s2jkeMci3ZbfC5S+mti1N7048oBbdTuCg353u9TDam:Q57vqFEsEMci3ZbfCB1N70yu/A93

Score

8^/10

discovery macro macro_on_action

Malware Config

Signatures

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

Processes:

resource	yara_rule
C:\Users\Admin\Documents\Amtek\qtbuild.xls	office_macro_on_action

Executes dropped EXE 1 IoCs

Processes:

ECEC21BC458DA2A9F57365C6B937A4C9.tmp

pid process

2020 ECEC21BC458DA2A9F57365C6B937A4C9.tmp

pid	process
2020	ECEC21BC458DA2A9F57365C6B937A4C9.tmp

Loads dropped DLL 5 IoCs

Processes:

ECEC21BC458DA2A9F57365C6B937A4C9.exeECEC21BC458DA2A9F57365C6B937A4C9.tmp

pid	process
848	ECEC21BC458DA2A9F57365C6B937A4C9.exe
2020	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
2020	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
2020	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
2020	ECEC21BC458DA2A9F57365C6B937A4C9.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops file in System32 directory 1 IoCs

Processes:

ECEC21BC458DA2A9F57365C6B937A4C9.tmp

description ioc process

File created C:\Windows\SysWOW64\is-6A0UP.tmp ECEC21BC458DA2A9F57365C6B937A4C9.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\is-6A0UP.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp

Drops file in Program Files directory 21 IoCs

Processes:

ECEC21BC458DA2A9F57365C6B937A4C9.tmp

description	ioc	process
File created	\??\c:\program files\amtek\is-DSHHQ.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-I6B58.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-JMNJT.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-9U5G6.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-QCA66.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-TVKVC.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-UVRED.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-KB6BQ.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-KPHJ1.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-HNMG2.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-L2ODL.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-NLHVM.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-16R9E.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-6666B.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-0MQKB.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-4UV8V.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-A1LST.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-FPF1H.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\unins000.dat	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File opened for modification	\??\c:\program files\amtek\unins000.dat	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
File created	\??\c:\program files\amtek\is-DS9D4.tmp	ECEC21BC458DA2A9F57365C6B937A4C9.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ECEC21BC458DA2A9F57365C6B937A4C9.tmp

pid process

2020 ECEC21BC458DA2A9F57365C6B937A4C9.tmp

pid	process
2020	ECEC21BC458DA2A9F57365C6B937A4C9.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ECEC21BC458DA2A9F57365C6B937A4C9.exe

description	pid	process	target process
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp
PID 848 wrote to memory of 2020	848	ECEC21BC458DA2A9F57365C6B937A4C9.exe	ECEC21BC458DA2A9F57365C6B937A4C9.tmp

C:\Users\Admin\AppData\Local\Temp\ECEC21BC458DA2A9F57365C6B937A4C9.exe
"C:\Users\Admin\AppData\Local\Temp\ECEC21BC458DA2A9F57365C6B937A4C9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp" /SL5="$80022,1643523,54272,C:\Users\Admin\AppData\Local\Temp\ECEC21BC458DA2A9F57365C6B937A4C9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\amtek\AUTOEXEC.NT
Filesize
1KB

MD5
30475f091008e24550523515a023270d

SHA1
d101605baaa6b2b4a86e62acb45f8c8b5057df58

SHA256
730f91694eeaa5043e6bf4e999f6cc4324cce87799fa35daa037d50827fa5193

SHA512
a7c6571b64699833c19c6deec68e98093268e1b9a88440bf403fafd41212504a8ff6edefb31acf0efd7975578ae19e4dd4857bde40b4c8581c50f8093c079d2e

Download Submit
C:\Program Files\amtek\util32a.exe
Filesize
880KB

MD5
30d1f49c57c023b82dc7e579a9d3c5b6

SHA1
7dc55f7456ec4126408da5078ca8f71ed08c3991

SHA256
2456568024e320a3fc66ab96885673c5d0106df3f2643da5bc4a73b1f637f70e

SHA512
287886c9c6d121c9b75b092a7d920a287017f92c08c4af9432825606b6a02e0434d261116287aadcf0136bcada3c623057614e745766287eaf021eb39c700c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Filesize
687KB

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Filesize
687KB

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
C:\Users\Admin\Documents\Amtek\qtbuild.xls
Filesize
489KB

MD5
c84bca227eb2331bab73724ec7cb4c96

SHA1
202fabcf6fac47c49acf50d6126356c6b89e3977

SHA256
de259ac66a9b9a7048ab8372c71052830242ba13024c6cf5f4f2ce18785fce8a

SHA512
871a672471408b49e4925e6094d6e2dd2ec02f3369f0daf7291fdd1820af7fe733a54b5ef2e4e2b264454016af0e64a82d9572a06914cd720992eebadcf72e2f

Download Submit
\Program Files\amtek\util32a.exe
Filesize
880KB

MD5
30d1f49c57c023b82dc7e579a9d3c5b6

SHA1
7dc55f7456ec4126408da5078ca8f71ed08c3991

SHA256
2456568024e320a3fc66ab96885673c5d0106df3f2643da5bc4a73b1f637f70e

SHA512
287886c9c6d121c9b75b092a7d920a287017f92c08c4af9432825606b6a02e0434d261116287aadcf0136bcada3c623057614e745766287eaf021eb39c700c57

Download Submit
\Program Files\amtek\util32a.exe
Filesize
880KB

MD5
30d1f49c57c023b82dc7e579a9d3c5b6

SHA1
7dc55f7456ec4126408da5078ca8f71ed08c3991

SHA256
2456568024e320a3fc66ab96885673c5d0106df3f2643da5bc4a73b1f637f70e

SHA512
287886c9c6d121c9b75b092a7d920a287017f92c08c4af9432825606b6a02e0434d261116287aadcf0136bcada3c623057614e745766287eaf021eb39c700c57

Download Submit
\Users\Admin\AppData\Local\Temp\is-46EA0.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-46EA0.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-GPF53.tmp\ECEC21BC458DA2A9F57365C6B937A4C9.tmp
Filesize
687KB

MD5
8f144bcbcad0417e7823dd8e60218530

SHA1
9df092a764b8ad278ed574f00d1c065683eef6ac

SHA256
39dfa032878743bba8244c73173c263e669131f0084a38f22c52b1383f627ba0

SHA512
e093f69030fee17d8b55bde8337d409e8dfb583c97a81ed37425fb72122318d4c1f996d0d1bca28f24182ff5c8afe2be25eadc27951463ddca5c0abceca2a72d

Download Submit
memory/848-69-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/848-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/848-145-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2020-70-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2020-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2020-144-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads