amadey | 6a37c10bfbb386f63bfa5e3a4894a9c24defa658a69dc3c65c5bb7a5e5c9fac7

Analysis

max time kernel
190s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2022 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

189KB
MD5

37baee15b958483161bca383eac04d74
SHA1

d4556d5d33efabf07c734efe4cbec68ce5f39cb9
SHA256

6a37c10bfbb386f63bfa5e3a4894a9c24defa658a69dc3c65c5bb7a5e5c9fac7
SHA512

7feff62272fad28c9bef561ec051539c856528a9896aa42dc5b4f1fab31f2df9057ca932f8d2c170df58eb477500b4d401426f940c5da40867391ed29387abde
SSDEEP

3072:ZWyXtw4gpFOWBdeALjBQuAT/K7R6X5n7w4CG/sWZesYsf1v6uoe6:PtYpdLjBQuATBpMxJU1Auo

Score

10^/10

amadey smokeloader backdoor collection persistence spyware stealer trojan upx

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module
behavioral2/memory/1236-172-0x00000000001D0000-0x00000000001F4000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4952-133-0x00000000022D0000-0x00000000022D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

74 1236 rundll32.exe
Downloads MZ/PE file

flow	pid	process
74	1236	rundll32.exe

Executes dropped EXE 11 IoCs

Processes:

9635.exerovwer.exerovwer.exe5B6A.exe8460.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe972D.exe9BB2.exe972D.exerovwer.exe

pid	process
836	9635.exe
404	rovwer.exe
4512	rovwer.exe
512	5B6A.exe
4120	8460.exe
3380	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
4576	LYKAA.exe
4436	972D.exe
624	9BB2.exe
2676	972D.exe
4892	rovwer.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2472-173-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2472-176-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2472-177-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2472-178-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2472-182-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2472-184-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/2676-199-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2676-201-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2676-203-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2676-207-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2676-210-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2676-209-0x0000000000400000-0x0000000000848000-memory.dmp	upx
behavioral2/memory/2676-238-0x0000000000400000-0x0000000000848000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5B6A.exeLYKAA.exe9635.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	5B6A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	LYKAA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	9635.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	rovwer.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1236 rundll32.exe
1236 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1236	rundll32.exe
1236	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

972D.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	972D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""	972D.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8460.exe972D.exe

description pid process target process

PID 4120 set thread context of 2472 4120 8460.exe RegSvcs.exe
PID 4436 set thread context of 2676 4436 972D.exe 972D.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4856 836 WerFault.exe 9635.exe
3092 4512 WerFault.exe rovwer.exe
1044 624 WerFault.exe 9BB2.exe
3064 4892 WerFault.exe rovwer.exe

description	pid	process	target process
PID 4120 set thread context of 2472	4120	8460.exe	RegSvcs.exe
PID 4436 set thread context of 2676	4436	972D.exe	972D.exe

pid	pid_target	process	target process
4856	836	WerFault.exe	9635.exe
3092	4512	WerFault.exe	rovwer.exe
1044	624	WerFault.exe	9BB2.exe
3064	4892	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

640 schtasks.exe
4568 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4948 timeout.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 79 Go-http-client/1.1

pid	process
640	schtasks.exe
4568	schtasks.exe

pid	process
4948	timeout.exe

description	flow	ioc
HTTP User-Agent header	79	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
4952	file.exe
4952	file.exe
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2204
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

file.exe

pid process

4952 file.exe
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204
2204

pid	process
2204

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exeLYKAA.exe

description	pid	process
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeDebugPrivilege	3380	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeDebugPrivilege	4576	LYKAA.exe
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204
Token: SeShutdownPrivilege	2204
Token: SeCreatePagefilePrivilege	2204

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9635.exerovwer.exe5B6A.exe8460.exeEAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.execmd.exeLYKAA.execmd.exe972D.exe

description	pid	process	target process
PID 2204 wrote to memory of 836	2204		9635.exe
PID 2204 wrote to memory of 836	2204		9635.exe
PID 2204 wrote to memory of 836	2204		9635.exe
PID 836 wrote to memory of 404	836	9635.exe	rovwer.exe
PID 836 wrote to memory of 404	836	9635.exe	rovwer.exe
PID 836 wrote to memory of 404	836	9635.exe	rovwer.exe
PID 404 wrote to memory of 640	404	rovwer.exe	schtasks.exe
PID 404 wrote to memory of 640	404	rovwer.exe	schtasks.exe
PID 404 wrote to memory of 640	404	rovwer.exe	schtasks.exe
PID 2204 wrote to memory of 512	2204		5B6A.exe
PID 2204 wrote to memory of 512	2204		5B6A.exe
PID 404 wrote to memory of 1236	404	rovwer.exe	rundll32.exe
PID 404 wrote to memory of 1236	404	rovwer.exe	rundll32.exe
PID 404 wrote to memory of 1236	404	rovwer.exe	rundll32.exe
PID 512 wrote to memory of 3380	512	5B6A.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 512 wrote to memory of 3380	512	5B6A.exe	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
PID 2204 wrote to memory of 4120	2204		8460.exe
PID 2204 wrote to memory of 4120	2204		8460.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 4120 wrote to memory of 2472	4120	8460.exe	RegSvcs.exe
PID 3380 wrote to memory of 4104	3380	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 3380 wrote to memory of 4104	3380	EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe	cmd.exe
PID 4104 wrote to memory of 4948	4104	cmd.exe	timeout.exe
PID 4104 wrote to memory of 4948	4104	cmd.exe	timeout.exe
PID 4104 wrote to memory of 4576	4104	cmd.exe	LYKAA.exe
PID 4104 wrote to memory of 4576	4104	cmd.exe	LYKAA.exe
PID 2204 wrote to memory of 4436	2204		972D.exe
PID 2204 wrote to memory of 4436	2204		972D.exe
PID 2204 wrote to memory of 4436	2204		972D.exe
PID 4576 wrote to memory of 4896	4576	LYKAA.exe	cmd.exe
PID 4576 wrote to memory of 4896	4576	LYKAA.exe	cmd.exe
PID 4896 wrote to memory of 4568	4896	cmd.exe	schtasks.exe
PID 4896 wrote to memory of 4568	4896	cmd.exe	schtasks.exe
PID 2204 wrote to memory of 624	2204		9BB2.exe
PID 2204 wrote to memory of 624	2204		9BB2.exe
PID 2204 wrote to memory of 624	2204		9BB2.exe
PID 2204 wrote to memory of 2584	2204		explorer.exe
PID 2204 wrote to memory of 2584	2204		explorer.exe
PID 2204 wrote to memory of 2584	2204		explorer.exe
PID 2204 wrote to memory of 2584	2204		explorer.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 4436 wrote to memory of 2676	4436	972D.exe	972D.exe
PID 2204 wrote to memory of 2400	2204		explorer.exe
PID 2204 wrote to memory of 2400	2204		explorer.exe
PID 2204 wrote to memory of 2400	2204		explorer.exe
PID 2204 wrote to memory of 2256	2204		explorer.exe
PID 2204 wrote to memory of 2256	2204		explorer.exe
PID 2204 wrote to memory of 2256	2204		explorer.exe
PID 2204 wrote to memory of 2256	2204		explorer.exe
PID 2204 wrote to memory of 3188	2204		explorer.exe
PID 2204 wrote to memory of 3188	2204		explorer.exe
PID 2204 wrote to memory of 3188	2204		explorer.exe
PID 2204 wrote to memory of 4664	2204		explorer.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4952

C:\Users\Admin\AppData\Local\Temp\9635.exe
C:\Users\Admin\AppData\Local\Temp\9635.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:640

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 916
2⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 836 -ip 836
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 420
2⤵
- Program crash
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4512 -ip 4512
1⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\5B6A.exe
C:\Users\Admin\AppData\Local\Temp\5B6A.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
"C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp88A3.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4948

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
"C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
6⤵
- Creates scheduled task(s)
PID:4568

C:\Users\Admin\AppData\Local\Temp\8460.exe
C:\Users\Admin\AppData\Local\Temp\8460.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\972D.exe
C:\Users\Admin\AppData\Local\Temp\972D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\972D.exe
C:\Users\Admin\AppData\Local\Temp\972D.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2676

C:\Users\Admin\AppData\Local\Temp\9BB2.exe
C:\Users\Admin\AppData\Local\Temp\9BB2.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 448
2⤵
- Program crash
PID:1044

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 624 -ip 624
1⤵
PID:4860

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2256

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3188

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4664

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3956

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
1⤵
- Executes dropped EXE
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 420
2⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4892 -ip 4892
1⤵
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B6A.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B6A.exe
Filesize
1.1MB

MD5
ae30203171ea1b8be4017efcab8dd23e

SHA1
597c1cbc27659181318bd9d4f44fcd55abc4e36e

SHA256
a232ab45ccd355e5ba96a254edcc53deb2bcbf154610732b444cb5d6d07ce401

SHA512
b1a963f6b0953673145191540e22d9eee4039efccbb8bf153517ba63257a056000a15fd52edf4c6a2dd572cca5267d675a174694c694e408d9a006e4dc933f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\8460.exe
Filesize
3.0MB

MD5
39dea452043651bbb94be8f3b009d6b5

SHA1
cad231a8730d3d09fdc34e212a6ed8e839b1cb90

SHA256
c1b946de49fe49cfd1c4033bf0d88b0724b93b73d83ed1ec208442359860055f

SHA512
0a029b8075cb5bfef0f499b2c807772b5be76db3e8a49cd7ffb5c890db7888c09c6aafe509c98e977d9df40a7e4e93e83c095e37cd3758ebd8d5cd2045ec0498

Download Submit
C:\Users\Admin\AppData\Local\Temp\8460.exe
Filesize
3.0MB

MD5
39dea452043651bbb94be8f3b009d6b5

SHA1
cad231a8730d3d09fdc34e212a6ed8e839b1cb90

SHA256
c1b946de49fe49cfd1c4033bf0d88b0724b93b73d83ed1ec208442359860055f

SHA512
0a029b8075cb5bfef0f499b2c807772b5be76db3e8a49cd7ffb5c890db7888c09c6aafe509c98e977d9df40a7e4e93e83c095e37cd3758ebd8d5cd2045ec0498

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.exe
Filesize
247KB

MD5
ccb5ae8e6ed4a39685df98655a5b47c5

SHA1
7fda1d42b8e45d08b8567324e83a6784338fffb3

SHA256
6fe40e4f6c5713973f4a1ce6d557a3270d6aebbf23097a433c029269d10fcf67

SHA512
2872862dd87e7240c9e09f312aa12731d6b8197abab2c71b1bc3cb221a7e0d5a92c429bed1038eb61b18fa9866ffb78534adb826ca0d7937a87c0e62073d1675

Download Submit
C:\Users\Admin\AppData\Local\Temp\9635.exe
Filesize
247KB

MD5
ccb5ae8e6ed4a39685df98655a5b47c5

SHA1
7fda1d42b8e45d08b8567324e83a6784338fffb3

SHA256
6fe40e4f6c5713973f4a1ce6d557a3270d6aebbf23097a433c029269d10fcf67

SHA512
2872862dd87e7240c9e09f312aa12731d6b8197abab2c71b1bc3cb221a7e0d5a92c429bed1038eb61b18fa9866ffb78534adb826ca0d7937a87c0e62073d1675

Download Submit
C:\Users\Admin\AppData\Local\Temp\972D.exe
Filesize
1.8MB

MD5
698b2c177b1627d0e2c52aeab443f787

SHA1
777565e164cd68f27cc15391b3be4b41e2f57f97

SHA256
f0bcd3a4a5ee8715e33887e40248d7ec40fc1479516e38787f86ec32ca5ad358

SHA512
766645f291d5456500983f417741a4a83fd51af453ff3345abaa5b5b59d336b684f1740ce121af03efdc49563997af07d28dedde4d2fd5812c5534362c9eba72

Download Submit
C:\Users\Admin\AppData\Local\Temp\972D.exe
Filesize
1.8MB

MD5
698b2c177b1627d0e2c52aeab443f787

SHA1
777565e164cd68f27cc15391b3be4b41e2f57f97

SHA256
f0bcd3a4a5ee8715e33887e40248d7ec40fc1479516e38787f86ec32ca5ad358

SHA512
766645f291d5456500983f417741a4a83fd51af453ff3345abaa5b5b59d336b684f1740ce121af03efdc49563997af07d28dedde4d2fd5812c5534362c9eba72

Download Submit
C:\Users\Admin\AppData\Local\Temp\972D.exe
Filesize
1.8MB

MD5
698b2c177b1627d0e2c52aeab443f787

SHA1
777565e164cd68f27cc15391b3be4b41e2f57f97

SHA256
f0bcd3a4a5ee8715e33887e40248d7ec40fc1479516e38787f86ec32ca5ad358

SHA512
766645f291d5456500983f417741a4a83fd51af453ff3345abaa5b5b59d336b684f1740ce121af03efdc49563997af07d28dedde4d2fd5812c5534362c9eba72

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB2.exe
Filesize
247KB

MD5
a44566207fe67425f05bf97232321f79

SHA1
9837ba49d890080a9c14f0e5cb4d44c28384a024

SHA256
70117fb2e7f009fb4750d8334603aa9e728b782b6757f39ae1267ad7b6db227d

SHA512
75788076920b2b38c51da4c78ee44e1f94d72eafd9e53200e6fa75d3298ce6970b0afa4222da6e8bcc81a75924bae124445c8c4fa41680bbd9ce51643edb035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BB2.exe
Filesize
247KB

MD5
a44566207fe67425f05bf97232321f79

SHA1
9837ba49d890080a9c14f0e5cb4d44c28384a024

SHA256
70117fb2e7f009fb4750d8334603aa9e728b782b6757f39ae1267ad7b6db227d

SHA512
75788076920b2b38c51da4c78ee44e1f94d72eafd9e53200e6fa75d3298ce6970b0afa4222da6e8bcc81a75924bae124445c8c4fa41680bbd9ce51643edb035f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
247KB

MD5
ccb5ae8e6ed4a39685df98655a5b47c5

SHA1
7fda1d42b8e45d08b8567324e83a6784338fffb3

SHA256
6fe40e4f6c5713973f4a1ce6d557a3270d6aebbf23097a433c029269d10fcf67

SHA512
2872862dd87e7240c9e09f312aa12731d6b8197abab2c71b1bc3cb221a7e0d5a92c429bed1038eb61b18fa9866ffb78534adb826ca0d7937a87c0e62073d1675

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
247KB

MD5
ccb5ae8e6ed4a39685df98655a5b47c5

SHA1
7fda1d42b8e45d08b8567324e83a6784338fffb3

SHA256
6fe40e4f6c5713973f4a1ce6d557a3270d6aebbf23097a433c029269d10fcf67

SHA512
2872862dd87e7240c9e09f312aa12731d6b8197abab2c71b1bc3cb221a7e0d5a92c429bed1038eb61b18fa9866ffb78534adb826ca0d7937a87c0e62073d1675

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
247KB

MD5
ccb5ae8e6ed4a39685df98655a5b47c5

SHA1
7fda1d42b8e45d08b8567324e83a6784338fffb3

SHA256
6fe40e4f6c5713973f4a1ce6d557a3270d6aebbf23097a433c029269d10fcf67

SHA512
2872862dd87e7240c9e09f312aa12731d6b8197abab2c71b1bc3cb221a7e0d5a92c429bed1038eb61b18fa9866ffb78534adb826ca0d7937a87c0e62073d1675

Download Submit
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Filesize
247KB

MD5
ccb5ae8e6ed4a39685df98655a5b47c5

SHA1
7fda1d42b8e45d08b8567324e83a6784338fffb3

SHA256
6fe40e4f6c5713973f4a1ce6d557a3270d6aebbf23097a433c029269d10fcf67

SHA512
2872862dd87e7240c9e09f312aa12731d6b8197abab2c71b1bc3cb221a7e0d5a92c429bed1038eb61b18fa9866ffb78534adb826ca0d7937a87c0e62073d1675

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp88A3.tmp.bat
Filesize
153B

MD5
7c9241848b60b6cd0dcabfea582b15c6

SHA1
21d93a5313cbe7df30f898c7e3dda25ec9931ff6

SHA256
40f09732286798c39a903f2b848d0e348dca3baf67bd9ca921342e1dcbee78db

SHA512
620c0893163296cc788ecfd7e611c17d2a887c27a078a0cc7a05a15fa4b9b05a60c853270726546381aaa956903748ce3c5b7039242502b15093db4d55627470

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
Filesize
126KB

MD5
522adad0782501491314a78c7f32006b

SHA1
e487edceeef3a41e2a8eea1e684bcbc3b39adb97

SHA256
351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba

SHA512
5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
C:\Users\Admin\AppData\Roaming\EAEHCHcAAKSescACHUHCAAHKhACsKfCeCHhFCAHFAEehaheeHsAKhuh.exe
Filesize
836KB

MD5
edb6463d39eb1305c07400d169a40eba

SHA1
456f4da4c204f7dd77af1834275213f663128e11

SHA256
b0319fee29612b6f40ee9a9368cc23273c233547d9b1aa3bb551f8b57496ceb9

SHA512
ab03697252ef332f4c8373bc47e3584302b58d3b314cecf9f9f39b3bbc7b1771080671185c4d29d57b1cfcc605afe70132ece7667d638a64096853e6d7c72306

Download Submit
memory/404-145-0x000000000098C000-0x00000000009AB000-memory.dmp

Filesize
124KB

Download
memory/404-147-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/404-142-0x0000000000000000-mapping.dmp

Download
memory/404-152-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/404-151-0x000000000098C000-0x00000000009AB000-memory.dmp

Filesize
124KB

Download
memory/404-146-0x00000000021D0000-0x000000000220E000-memory.dmp

Filesize
248KB

Download
memory/512-163-0x00007FFC92220000-0x00007FFC92CE1000-memory.dmp

Filesize
10.8MB

Download
memory/512-159-0x0000000000840000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download
memory/512-174-0x00007FFC92220000-0x00007FFC92CE1000-memory.dmp

Filesize
10.8MB

Download
memory/512-156-0x0000000000000000-mapping.dmp

Download
memory/624-194-0x0000000000000000-mapping.dmp

Download
memory/624-212-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/624-211-0x000000000064D000-0x000000000066C000-memory.dmp

Filesize
124KB

Download
memory/640-148-0x0000000000000000-mapping.dmp

Download
memory/836-139-0x000000000067D000-0x000000000069C000-memory.dmp

Filesize
124KB

Download
memory/836-141-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/836-136-0x0000000000000000-mapping.dmp

Download
memory/836-150-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/836-140-0x00000000021D0000-0x000000000220E000-memory.dmp

Filesize
248KB

Download
memory/836-149-0x000000000067D000-0x000000000069C000-memory.dmp

Filesize
124KB

Download
memory/1236-160-0x0000000000000000-mapping.dmp

Download
memory/1236-172-0x00000000001D0000-0x00000000001F4000-memory.dmp

Filesize
144KB

Download
memory/2256-217-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/2256-218-0x0000000000E00000-0x0000000000E09000-memory.dmp

Filesize
36KB

Download
memory/2256-240-0x0000000000E10000-0x0000000000E15000-memory.dmp

Filesize
20KB

Download
memory/2256-215-0x0000000000000000-mapping.dmp

Download
memory/2316-245-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/2316-230-0x0000000000000000-mapping.dmp

Download
memory/2316-232-0x00000000003E0000-0x00000000003ED000-memory.dmp

Filesize
52KB

Download
memory/2316-231-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/2400-213-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

Filesize
36KB

Download
memory/2400-208-0x0000000000000000-mapping.dmp

Download
memory/2400-214-0x0000000000F90000-0x0000000000F9F000-memory.dmp

Filesize
60KB

Download
memory/2400-239-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

Filesize
36KB

Download
memory/2472-184-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2472-182-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2472-178-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2472-177-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2472-176-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2472-175-0x0000000000BE8EA0-mapping.dmp

Download
memory/2472-173-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/2584-206-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/2584-205-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/2584-237-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/2584-197-0x0000000000000000-mapping.dmp

Download
memory/2676-201-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-203-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-238-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-199-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-207-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-210-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-209-0x0000000000400000-0x0000000000848000-memory.dmp

Filesize
4.3MB

Download
memory/2676-198-0x0000000000000000-mapping.dmp

Download
memory/2896-226-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

Filesize
36KB

Download
memory/2896-225-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

Filesize
20KB

Download
memory/2896-223-0x0000000000000000-mapping.dmp

Download
memory/2896-243-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

Filesize
20KB

Download
memory/3188-220-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/3188-216-0x0000000000000000-mapping.dmp

Download
memory/3188-221-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/3188-241-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/3380-161-0x0000000000000000-mapping.dmp

Download
memory/3380-181-0x00007FFC92220000-0x00007FFC92CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-168-0x0000000000610000-0x00000000006E6000-memory.dmp

Filesize
856KB

Download
memory/3956-227-0x0000000000000000-mapping.dmp

Download
memory/3956-228-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/3956-244-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

Filesize
24KB

Download
memory/3956-229-0x0000000000D90000-0x0000000000D9B000-memory.dmp

Filesize
44KB

Download
memory/4104-179-0x0000000000000000-mapping.dmp

Download
memory/4120-162-0x0000000000000000-mapping.dmp

Download
memory/4436-188-0x0000000000000000-mapping.dmp

Download
memory/4436-202-0x0000000002413000-0x00000000025CB000-memory.dmp

Filesize
1.7MB

Download
memory/4436-204-0x00000000025D0000-0x0000000002787000-memory.dmp

Filesize
1.7MB

Download
memory/4512-154-0x00000000005EF000-0x000000000060E000-memory.dmp

Filesize
124KB

Download
memory/4512-155-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4568-193-0x0000000000000000-mapping.dmp

Download
memory/4576-236-0x00007FFC91ED0000-0x00007FFC92991000-memory.dmp

Filesize
10.8MB

Download
memory/4576-185-0x0000000000000000-mapping.dmp

Download
memory/4576-191-0x00007FFC91ED0000-0x00007FFC92991000-memory.dmp

Filesize
10.8MB

Download
memory/4624-233-0x0000000000000000-mapping.dmp

Download
memory/4624-234-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/4624-235-0x0000000000E00000-0x0000000000E0B000-memory.dmp

Filesize
44KB

Download
memory/4624-246-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/4664-222-0x0000000001600000-0x0000000001627000-memory.dmp

Filesize
156KB

Download
memory/4664-219-0x0000000000000000-mapping.dmp

Download
memory/4664-242-0x0000000001630000-0x0000000001652000-memory.dmp

Filesize
136KB

Download
memory/4664-224-0x0000000001630000-0x0000000001652000-memory.dmp

Filesize
136KB

Download
memory/4892-248-0x000000000072F000-0x000000000074E000-memory.dmp

Filesize
124KB

Download
memory/4892-249-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/4896-192-0x0000000000000000-mapping.dmp

Download
memory/4948-183-0x0000000000000000-mapping.dmp

Download
memory/4952-135-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4952-132-0x00000000005BD000-0x00000000005CE000-memory.dmp

Filesize
68KB

Download
memory/4952-134-0x0000000000400000-0x000000000058A000-memory.dmp

Filesize
1.5MB

Download
memory/4952-133-0x00000000022D0000-0x00000000022D9000-memory.dmp

Filesize
36KB

Download