Analysis

max time kernel:   138s
max time network:  146s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted:         10-11-2022 09:06
Static task:      static1

Behavioral task:  behavioral1
  Sample:         fcd520e66c1d5395d3d03dabd4f7f92e.exe
  Resource:       win7-20220901-en

Behavioral task:  behavioral2
  Sample:         fcd520e66c1d5395d3d03dabd4f7f92e.exe
  Resource:       win10v2004-20220812-en
General

Target:  fcd520e66c1d5395d3d03dabd4f7f92e.exe
Size:    402KB
MD5:     fcd520e66c1d5395d3d03dabd4f7f92e
SHA1:    870348a40c0f06d6c222b8e0ffc4ddcad2e510bf
SHA256:  eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba
SHA512:  3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601
SSDEEP:  6144:F5aWaLr2KM18ijRjqaqnS5KIrqthzdKOJAkDHcM6++ra9n:iLOKM1t7qna7kqtkDI+6
Malware Config
Signatures
- Detect Amadey credential stealer module (2 IoCs)
  Processes:
    resource                                                  yara_rule
    C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll  amadey_cred_module
    C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll  amadey_cred_module

- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    46    4400  rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3448  rovwer.exe
    1520  rovwer.exe
    1596  rovwer.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  fcd520e66c1d5395d3d03dabd4f7f92e.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  rovwer.exe

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    4400  rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
    description  ioc                                                                                                                                          process
    Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (3 IoCs)
  Processes:
    pid   pid_target  process       target process
    5012  1436        WerFault.exe  fcd520e66c1d5395d3d03dabd4f7f92e.exe
    208   1520        WerFault.exe  rovwer.exe
    980   1596        WerFault.exe  rovwer.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    4400  rundll32.exe
    4400  rundll32.exe
    4400  rundll32.exe
    4400  rundll32.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                       pid   process                               target process
    PID 1436 wrote to memory of 3448  1436  fcd520e66c1d5395d3d03dabd4f7f92e.exe  rovwer.exe
    PID 1436 wrote to memory of 3448  1436  fcd520e66c1d5395d3d03dabd4f7f92e.exe  rovwer.exe
    PID 1436 wrote to memory of 3448  1436  fcd520e66c1d5395d3d03dabd4f7f92e.exe  rovwer.exe
    PID 3448 wrote to memory of 4912  3448  rovwer.exe                            schtasks.exe
    PID 3448 wrote to memory of 4912  3448  rovwer.exe                            schtasks.exe
    PID 3448 wrote to memory of 4912  3448  rovwer.exe                            schtasks.exe
    PID 3448 wrote to memory of 4400  3448  rovwer.exe                            rundll32.exe
    PID 3448 wrote to memory of 4400  3448  rovwer.exe                            rundll32.exe
    PID 3448 wrote to memory of 4400  3448  rovwer.exe                            rundll32.exe

- outlook_win_path (1 IoC)
  Processes:
    description  ioc                                                                                                                                          process
    Key opened   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\fcd520e66c1d5395d3d03dabd4f7f92e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fcd520e66c1d5395d3d03dabd4f7f92e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
      - Creates scheduled task(s)

    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 896
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1436 -ip 1436

- C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  - Executes dropped EXE

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 420
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1520 -ip 1520

- C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  - Executes dropped EXE

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 420
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1596 -ip 1596
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  Filesize:  402KB
  MD5:       fcd520e66c1d5395d3d03dabd4f7f92e
  SHA1:      870348a40c0f06d6c222b8e0ffc4ddcad2e510bf
  SHA256:    eba133e09515dd96cc878da6ef2e4d6728d0d263861fe8f55b31b27162b284ba
  SHA512:    3077e64abe8bd542626b07c8147b76344f27105decd5125af1e36bd35a8598b456d09df4926a974e61adeeacf74c8eab1031677d25ca23152d5a346698e7a601
- C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
  Filesize:  126KB
  MD5:       522adad0782501491314a78c7f32006b
  SHA1:      e487edceeef3a41e2a8eea1e684bcbc3b39adb97
  SHA256:    351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba
  SHA512:    5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7
- memory/1436-133-0x00000000024B0000-0x00000000024EE000-memory.dmp
  Filesize:  248KB

- memory/1436-134-0x0000000000400000-0x0000000000868000-memory.dmp
  Filesize:  4.4MB

- memory/1436-132-0x00000000009AB000-0x00000000009CA000-memory.dmp
  Filesize:  124KB

- memory/1436-141-0x00000000009AB000-0x00000000009CA000-memory.dmp
  Filesize:  124KB

- memory/1436-142-0x0000000000400000-0x0000000000868000-memory.dmp
  Filesize:  4.4MB

- memory/1520-147-0x0000000000400000-0x0000000000868000-memory.dmp
  Filesize:  4.4MB

- memory/1520-146-0x00000000009CE000-0x00000000009ED000-memory.dmp
  Filesize:  124KB

- memory/1596-152-0x0000000000B1E000-0x0000000000B3D000-memory.dmp
  Filesize:  124KB

- memory/1596-153-0x0000000000400000-0x0000000000868000-memory.dmp
  Filesize:  4.4MB

- memory/3448-144-0x0000000000400000-0x0000000000868000-memory.dmp
  Filesize:  4.4MB

- memory/3448-143-0x000000000091A000-0x0000000000939000-memory.dmp
  Filesize:  124KB

- memory/3448-140-0x0000000000400000-0x0000000000868000-memory.dmp
  Filesize:  4.4MB

- memory/3448-139-0x000000000091A000-0x0000000000939000-memory.dmp
  Filesize:  124KB

- memory/3448-135-0x0000000000000000-mapping.dmp

- memory/4400-148-0x0000000000000000-mapping.dmp

- memory/4912-138-0x0000000000000000-mapping.dmp