Analysis

max time kernel: 154s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2022 09:38
Static task: static1

Behavioral task: behavioral1
  Sample: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe
  Resource: win10v2004-20220812-en
General

Target: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe
Size: 248KB
MD5: 908564324457fbae5493c6b6b862a1c0
SHA1: 75c6e69ce15e3c77de5b2af9218b769be0608dbf
SHA256: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b
SHA512: 2a6e6efacb86a397e2ce0f85deee59d24dd958ec4b935b70fa56e3fd4b97f71c5f306704b10f3effc3b76a4066dd88ca70cfe6b66fcd595cff2bdc3aa778892a
SSDEEP: 3072:LUX4170EsHLj/0KGW31RvWkumJUIP/GTja52TS3rKJjz+8LKrS56uZY:E41QDLz0KGWTWkuG3P/dcTErGC8ASYc
Malware Config
Signatures

Detect Amadey credential stealer module (4 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll | amadey_cred_module
  behavioral2/memory/4688-151-0x0000000000610000-0x0000000000634000-memory.dmp | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll | amadey_cred_module

Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid | process
  43 | 4688 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  Processes: rovwer.exe, rovwer.exe
  pid | process
  4860 | rovwer.exe
  2968 | rovwer.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe, rovwer.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | rovwer.exe

Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe
  pid | process
  4688 | rundll32.exe
  4688 | rundll32.exe

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  pid | pid_target | process | target process
  1856 | 2288 | WerFault.exe | 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe
  5112 | 2968 | WerFault.exe | rovwer.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: rundll32.exe
  pid | process
  4688 | rundll32.exe
  4688 | rundll32.exe
  4688 | rundll32.exe
  4688 | rundll32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe, rovwer.exe
  description | pid | process | target process
  PID 2288 wrote to memory of 4860 | 2288 | 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe | rovwer.exe
  PID 2288 wrote to memory of 4860 | 2288 | 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe | rovwer.exe
  PID 2288 wrote to memory of 4860 | 2288 | 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe | rovwer.exe
  PID 4860 wrote to memory of 1648 | 4860 | rovwer.exe | schtasks.exe
  PID 4860 wrote to memory of 1648 | 4860 | rovwer.exe | schtasks.exe
  PID 4860 wrote to memory of 1648 | 4860 | rovwer.exe | schtasks.exe
  PID 4860 wrote to memory of 4688 | 4860 | rovwer.exe | rundll32.exe
  PID 4860 wrote to memory of 4688 | 4860 | rovwer.exe | rundll32.exe
  PID 4860 wrote to memory of 4688 | 4860 | rovwer.exe | rundll32.exe

outlook_win_path (1 IoC)
  Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - outlook_win_path

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1264
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2288 -ip 2288

C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 232
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2968 -ip 2968
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\e94c2b28f2\rovwer.exe
  Filesize: 248KB
  MD5: 908564324457fbae5493c6b6b862a1c0
  SHA1: 75c6e69ce15e3c77de5b2af9218b769be0608dbf
  SHA256: 8ceb3e5ac71e9c98006f36608b2c33706e00a5eaaa69fc0dee304fc89abae50b
  SHA512: 2a6e6efacb86a397e2ce0f85deee59d24dd958ec4b935b70fa56e3fd4b97f71c5f306704b10f3effc3b76a4066dd88ca70cfe6b66fcd595cff2bdc3aa778892a

C:\Users\Admin\AppData\Roaming\80b59841e5c623\cred64.dll
  Filesize: 126KB
  MD5: 522adad0782501491314a78c7f32006b
  SHA1: e487edceeef3a41e2a8eea1e684bcbc3b39adb97
  SHA256: 351fd9b73fa0cbbdfbce0793ca41544f5191650d79317a34024f3c09f73ac9ba
  SHA512: 5f8a103deea3ed5f8641d1f4c91a4f891a8208b679cadbfac4a068afbad0d2f777cd29ace4bdfec590e722435473e4f8465fb80d5cda792dc0236646580101a7
Memory dumps

memory/1648-143-0x0000000000000000-mapping.dmp
memory/2288-136-0x00000000022F0000-0x000000000232E000-memory.dmp (248KB)
memory/2288-137-0x0000000000400000-0x0000000000599000-memory.dmp (1.6MB)
memory/2288-135-0x0000000000698000-0x00000000006B7000-memory.dmp (124KB)
memory/2288-144-0x0000000000400000-0x0000000000599000-memory.dmp (1.6MB)
memory/2288-134-0x0000000000400000-0x0000000000599000-memory.dmp (1.6MB)
memory/2288-133-0x00000000022F0000-0x000000000232E000-memory.dmp (248KB)
memory/2288-132-0x0000000000698000-0x00000000006B7000-memory.dmp (124KB)
memory/2968-154-0x0000000000400000-0x0000000000599000-memory.dmp (1.6MB)
memory/2968-153-0x000000000074C000-0x000000000076B000-memory.dmp (124KB)
memory/4688-147-0x0000000000000000-mapping.dmp
memory/4688-151-0x0000000000610000-0x0000000000634000-memory.dmp (144KB)
memory/4860-146-0x0000000000400000-0x0000000000599000-memory.dmp (1.6MB)
memory/4860-145-0x0000000000908000-0x0000000000928000-memory.dmp (128KB)
memory/4860-142-0x0000000000400000-0x0000000000599000-memory.dmp (1.6MB)
memory/4860-141-0x0000000000908000-0x0000000000928000-memory.dmp (128KB)
memory/4860-138-0x0000000000000000-mapping.dmp