Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/11/2022, 05:00

Static task: static1
Behavioral task: behavioral1
Sample: 0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe
Resource: win10-20220901-en
General
Target: 0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe
Size: 361KB
MD5: 237ba2b42480f768697f6728e5690230
SHA1: 48121e6fd277f9ad0066550b8214dada4baa980a
SHA256: 0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e
SHA512: 0bf04f6b088552829c5701cafdf0a58ca32d9427f4683d355f3ca69515b2cf4344128d30534f890952b410caf395a60c3ed768b1c24dac04ff47344275ba7a60
SSDEEP: 3072:HH8gbGUoly3Lc5StZ9icreSq1xROifqOAkDpwmQoz7SP6LpoI9wjWzVggjcGkNIq:n8gbIy7jQSqpOi1wmerImjm7ITsqF
Malware Config
Signatures

Detect Amadey credential stealer module (3 IoCs)
  resource                                      | yara_rule
  behavioral1/files/0x000d00000001abff-537.dat  | amadey_cred_module
  behavioral1/files/0x000d00000001abff-538.dat  | amadey_cred_module
  behavioral1/files/0x000d00000001abff-539.dat  | amadey_cred_module

Blocklisted process makes network request (1 IoC)
  flow | pid  | Process
  8    | 2620 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid  | Process
  956  | rovwer.exe
  4504 | sfx_123_271.exe
  2964 | rovwer.exe
  4652 | rovwer.exe

Loads dropped DLL (5 IoCs)
  pid  | Process
  4716 | rundll32.exe
  4716 | rundll32.exe
  3380 | rundll32.exe
  2620 | rundll32.exe
  2620 | rundll32.exe

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\sfx_123_271.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006001\\sfx_123_271.exe"
  Process: rovwer.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  792 | schtasks.exe

Modifies registry class (1 IoC)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings
  Process: sfx_123_271.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  2620 | rundll32.exe
  2620 | rundll32.exe
  2620 | rundll32.exe
  2620 | rundll32.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  description                       | pid  | Process                                                                  | procid_target
  PID 3068 wrote to memory of 956   | 3068 | 0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe | 66
  PID 3068 wrote to memory of 956   | 3068 | 0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe | 66
  PID 3068 wrote to memory of 956   | 3068 | 0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe | 66
  PID 956 wrote to memory of 792    | 956  | rovwer.exe                                                               | 67
  PID 956 wrote to memory of 792    | 956  | rovwer.exe                                                               | 67
  PID 956 wrote to memory of 792    | 956  | rovwer.exe                                                               | 67
  PID 956 wrote to memory of 4504   | 956  | rovwer.exe                                                               | 69
  PID 956 wrote to memory of 4504   | 956  | rovwer.exe                                                               | 69
  PID 956 wrote to memory of 4504   | 956  | rovwer.exe                                                               | 69
  PID 4504 wrote to memory of 3960  | 4504 | sfx_123_271.exe                                                          | 70
  PID 4504 wrote to memory of 3960  | 4504 | sfx_123_271.exe                                                          | 70
  PID 4504 wrote to memory of 3960  | 4504 | sfx_123_271.exe                                                          | 70
  PID 3960 wrote to memory of 4716  | 3960 | control.exe                                                              | 72
  PID 3960 wrote to memory of 4716  | 3960 | control.exe                                                              | 72
  PID 3960 wrote to memory of 4716  | 3960 | control.exe                                                              | 72
  PID 4716 wrote to memory of 220   | 4716 | rundll32.exe                                                             | 73
  PID 4716 wrote to memory of 220   | 4716 | rundll32.exe                                                             | 73
  PID 220 wrote to memory of 3380   | 220  | RunDll32.exe                                                             | 74
  PID 220 wrote to memory of 3380   | 220  | RunDll32.exe                                                             | 74
  PID 220 wrote to memory of 3380   | 220  | RunDll32.exe                                                             | 74
  PID 956 wrote to memory of 2620   | 956  | rovwer.exe                                                               | 75
  PID 956 wrote to memory of 2620   | 956  | rovwer.exe                                                               | 75
  PID 956 wrote to memory of 2620   | 956  | rovwer.exe                                                               | 75

outlook_win_path (1 IoC)
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  Process: rundll32.exe
Processes

Process tree (indentation shows parent/child depth; the image path is followed by the command line as executed):

C:\Users\Admin\AppData\Local\Temp\0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d63ae41ebd3569f6469bb8893a5acf3816f1b4b177c89210e0b69453c5b333e.exe"
    PID: 3068
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
        PID: 956
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
            PID: 792
            - Creates scheduled task(s)

        C:\Users\Admin\AppData\Local\Temp\1000006001\sfx_123_271.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000006001\sfx_123_271.exe"
            PID: 4504
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\control.exe
                Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\9FGMMqh.Cpl",
                PID: 3960
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\rundll32.exe
                    Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9FGMMqh.Cpl",
                    PID: 4716
                    - Loads dropped DLL
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\RunDll32.exe
                        Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\9FGMMqh.Cpl",
                        PID: 220
                        - Suspicious use of WriteProcessMemory

                        C:\Windows\SysWOW64\rundll32.exe
                            Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\9FGMMqh.Cpl",
                            PID: 3380
                            - Loads dropped DLL

        C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
            PID: 2620
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - outlook_win_path

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    PID: 2964
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    PID: 4652
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads