Analysis
- max time kernel: 131s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2022 15:01
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20220812-en)
General
- Target: file.exe
- Size: 232KB
- MD5: 7b33b63bf2ee044adea84fec13b603b2
- SHA1: 3f1be9575126a2683b10f079ec835f09504a567f
- SHA256: 47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36
- SHA512: 378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885
- SSDEEP: 6144:4yfLbDpCpjAnCXJMpxXrEr2eTxJ/qsaXG:4yfXVWACXJMpxQCyCsY
Malware Config
Signatures
- Detect Amadey credential stealer module (2 IoCs)
  Processes:
  - resource: C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll; yara_rule: amadey_cred_module
  - resource: C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll; yara_rule: amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  Processes:
  - flow: 66; pid: 5052; process: rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  Processes:
  - pid: 3220; process: rovwer.exe
  - pid: 1140; process: dron.exe
  - pid: 3632; process: rovwer.exe
  - pid: 1988; process: rovwer.exe
  - pid: 2152; process: rovwer.exe
- (signature name missing from the page)
  Processes:
  - resource: C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe; yara_rule: upx
  - resource: C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe; yara_rule: upx
  - resource: behavioral2/memory/1140-146-0x0000000000340000-0x0000000000B2B000-memory.dmp; yara_rule: upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation; process: file.exe
  - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation; process: rovwer.exe
- Loads dropped DLL (1 IoC)
  Processes:
  - pid: 5052; process: rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
  - description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook; process: rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dron.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000002001\\dron.exe"; process: rovwer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (4 IoCs)
  Processes:
  - pid: 504; pid_target: 3196; process: WerFault.exe; target process: file.exe
  - pid: 1304; pid_target: 3632; process: WerFault.exe; target process: rovwer.exe
  - pid: 1860; pid_target: 1988; process: WerFault.exe; target process: rovwer.exe
  - pid: 4312; pid_target: 2152; process: WerFault.exe; target process: rovwer.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  Processes:
  - description: HTTP User-Agent header; flow: 22; ioc: Go-http-client/1.1
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - pid: 5052; process: rundll32.exe
  - pid: 5052; process: rundll32.exe
  - pid: 5052; process: rundll32.exe
  - pid: 5052; process: rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - description: PID 3196 wrote to memory of 3220; pid: 3196; process: file.exe; target process: rovwer.exe
  - description: PID 3196 wrote to memory of 3220; pid: 3196; process: file.exe; target process: rovwer.exe
  - description: PID 3196 wrote to memory of 3220; pid: 3196; process: file.exe; target process: rovwer.exe
  - description: PID 3220 wrote to memory of 1548; pid: 3220; process: rovwer.exe; target process: schtasks.exe
  - description: PID 3220 wrote to memory of 1548; pid: 3220; process: rovwer.exe; target process: schtasks.exe
  - description: PID 3220 wrote to memory of 1548; pid: 3220; process: rovwer.exe; target process: schtasks.exe
  - description: PID 3220 wrote to memory of 1140; pid: 3220; process: rovwer.exe; target process: dron.exe
  - description: PID 3220 wrote to memory of 1140; pid: 3220; process: rovwer.exe; target process: dron.exe
  - description: PID 3220 wrote to memory of 5052; pid: 3220; process: rovwer.exe; target process: rundll32.exe
  - description: PID 3220 wrote to memory of 5052; pid: 3220; process: rovwer.exe; target process: rundll32.exe
  - description: PID 3220 wrote to memory of 5052; pid: 3220; process: rovwer.exe; target process: rundll32.exe
- outlook_win_path (1 IoC)
  Processes:
  - description: Key opened; ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook; process: rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe"
      - Executes dropped EXE
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 1184
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3196 -ip 3196
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 416
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3632 -ip 3632
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 424
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1988 -ip 1988
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 420
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2152 -ip 2152
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\1000002001\dron.exe
  Filesize: 2.8MB
  MD5: 6764e377307a024b31625984b2f07e1b
  SHA1: 835f032a815413da3612c994ed99737dea56bf82
  SHA256: df382046dd17766213b03aaa054c1e6bd52754779020802189f6db5003941781
  SHA512: 5639fb391a28f228799a4b3cdb84d0348df13ea74643199553e92ad33e80e3e5ac287dd34a68f7601543ad87fdf9d2b7111b671dc9a62c3ba592e441ba8b9a82
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Filesize: 232KB
  MD5: 7b33b63bf2ee044adea84fec13b603b2
  SHA1: 3f1be9575126a2683b10f079ec835f09504a567f
  SHA256: 47d56f7eec9f28d92c470a130f777a5a2b8a62e1510fef353b90472734382e36
  SHA512: 378585602792e6dac3069939d3051cf52047f48c662789dbf085b64478b756e89258f3de96755e701a054a8b20943c39d9e0040ce1b2c4b81209fc2174a6c885
- C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
  Filesize: 126KB
  MD5: 674cec24e36e0dfaec6290db96dda86e
  SHA1: 581e3a7a541cc04641e751fc850d92e07236681f
  SHA256: de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
  SHA512: 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029
- memory/1140-146-0x0000000000340000-0x0000000000B2B000-memory.dmp (Filesize: 7.9MB)
- memory/1140-143-0x0000000000000000-mapping.dmp
- memory/1548-138-0x0000000000000000-mapping.dmp
- memory/1988-156-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/1988-155-0x000000000077C000-0x000000000079B000-memory.dmp (Filesize: 124KB)
- memory/2152-159-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/2152-158-0x000000000089C000-0x00000000008BB000-memory.dmp (Filesize: 124KB)
- memory/3196-134-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/3196-139-0x00000000008B9000-0x00000000008D8000-memory.dmp (Filesize: 124KB)
- memory/3196-133-0x0000000000850000-0x000000000088E000-memory.dmp (Filesize: 248KB)
- memory/3196-132-0x00000000008B9000-0x00000000008D8000-memory.dmp (Filesize: 124KB)
- memory/3196-140-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/3220-150-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/3220-135-0x0000000000000000-mapping.dmp
- memory/3220-141-0x0000000000718000-0x0000000000737000-memory.dmp (Filesize: 124KB)
- memory/3220-142-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/3632-149-0x0000000000400000-0x0000000000596000-memory.dmp (Filesize: 1.6MB)
- memory/3632-148-0x000000000081C000-0x000000000083B000-memory.dmp (Filesize: 124KB)
- memory/5052-151-0x0000000000000000-mapping.dmp