File name: | 322d183f55d629ffaad41fdb10ec48b9.doc |
Full analysis: | https://app.any.run/tasks/3a1a715d-2028-4df7-897e-8f4f32688f06 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | April 25, 2019, 08:20:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 322D183F55D629FFAAD41FDB10EC48B9 |
SHA1: | 92EBAB7A11247622EA63B572F0D409292576ACE2 |
SHA256: | D590B0F0F349C759FCBA252474EADFA401677C2D214B7E3572C3964B6D890FA1 |
SSDEEP: | 3072:AB4IgEY12E1k4hDu5pbRNIC06xHDTHaOkayR+hzCOZxNJhotB8pD8:A5gEWDu5BRNV0W/HaOkeXVoTQ |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2188 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\322d183f55d629ffaad41fdb10ec48b9.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3116 | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | C:\Users\admin\AppData\Local\Temp\vuyj43.tmp | WINWORD.EXE | |
User: admin Company: Wargaming.net Integrity Level: MEDIUM Description: Pendedit Didntw Flex Ice Recrdsets Attained Exit code: 0 Version: 5.4.22.5 | ||||
2580 | c:\programdata\189fecf19f\cmualrc.exe | c:\programdata\189fecf19f\cmualrc.exe | vuyj43.tmp | |
User: admin Company: Wargaming.net Integrity Level: MEDIUM Description: Pendedit Didntw Flex Ice Recrdsets Attained Version: 5.4.22.5 | ||||
2616 | REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\189fecf19f | C:\Windows\system32\REG.exe | cmualrc.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR5EF4.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB2E9EACC76FBDB7E.TMP | — | |
MD5:— | SHA256:— | |||
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCCBA8F649568E324.TMP | — | |
MD5:— | SHA256:— | |||
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF222B272C38E70211.TMP | — | |
MD5:— | SHA256:— | |||
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF1D35CFF4A202107E.TMP | — | |
MD5:— | SHA256:— | |||
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF91E4B65ADEABA51.TMP | — | |
MD5:— | SHA256:— | |||
2188 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF1416DE074DAD05C6.TMP | — | |
MD5:— | SHA256:— | |||
3116 | vuyj43.tmp | C:\ProgramData\0 | — | |
MD5:— | SHA256:— | |||
3116 | vuyj43.tmp | C:\programdata\189fecf19f\cmualrc.exe:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
2580 | cmualrc.exe | C:\ProgramData\0 | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2188 | WINWORD.EXE | GET | 200 | 87.98.158.248:80 | http://achmannatgagamico.info/word77.tmp | FR | executable | 588 Kb | suspicious |
2580 | cmualrc.exe | POST | 200 | 142.93.231.106:80 | http://142.93.231.106/ppk/index.php | CA | text | 6 b | malicious |
2580 | cmualrc.exe | POST | 200 | 142.93.231.106:80 | http://142.93.231.106/ppk/index.php | CA | text | 6 b | malicious |
2580 | cmualrc.exe | POST | 200 | 142.93.231.106:80 | http://142.93.231.106/ppk/index.php | CA | text | 6 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2188 | WINWORD.EXE | 87.98.158.248:80 | achmannatgagamico.info | OVH SAS | FR | suspicious |
2580 | cmualrc.exe | 142.93.231.106:80 | — | — | CA | malicious |
— | — | 142.93.231.106:80 | — | — | CA | malicious |
Domain | IP | Reputation |
---|---|---|
achmannatgagamico.info |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2188 | WINWORD.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2188 | WINWORD.EXE | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2580 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2580 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2580 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2580 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2580 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |
2580 | cmualrc.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Amadey |