Analysis

max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2022 11:21
Static task: static1
Behavioral task: behavioral1
  Sample: a12b477f3a02a42eeae121a8ce166030.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: a12b477f3a02a42eeae121a8ce166030.exe
  Resource: win10v2004-20221111-en
General

Target: a12b477f3a02a42eeae121a8ce166030.exe
Size: 242KB
MD5: a12b477f3a02a42eeae121a8ce166030
SHA1: 31a368c8958fd1a8f8f18058b3e2133d0f55ba8a
SHA256: 5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c
SHA512: 6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374
SSDEEP: 3072:gZs1Re5JHklkmbUA4b9LKBEjMFcekSGVL/aNvpEQiYif1/ZR:LQmbZ45KBEjZdSGVLlOiP
Malware Config
Signatures

- Detect Amadey credential stealer module (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
  behavioral2/memory/1824-159-0x0000000001350000-0x0000000001374000-memory.dmp | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module

- Blocklisted process makes network request (1 IoCs)
  Processes:
  flow | pid | process
  28 | 1824 | rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  4264 | rovwer.exe
  3116 | rovwer.exe
  1756 | rovwer.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | a12b477f3a02a42eeae121a8ce166030.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | rovwer.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1824 | rundll32.exe
  1824 | rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Accesses Microsoft Outlook profiles (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (3 IoCs)
  Processes:
  pid | pid_target | process | target process
  1976 | 2596 | WerFault.exe | a12b477f3a02a42eeae121a8ce166030.exe
  4728 | 3116 | WerFault.exe | rovwer.exe
  892 | 1756 | WerFault.exe | rovwer.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  1824 | rundll32.exe
  1824 | rundll32.exe
  1824 | rundll32.exe
  1824 | rundll32.exe

- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes:
  description | pid | process | target process
  PID 2596 wrote to memory of 4264 | 2596 | a12b477f3a02a42eeae121a8ce166030.exe | rovwer.exe
  PID 2596 wrote to memory of 4264 | 2596 | a12b477f3a02a42eeae121a8ce166030.exe | rovwer.exe
  PID 2596 wrote to memory of 4264 | 2596 | a12b477f3a02a42eeae121a8ce166030.exe | rovwer.exe
  PID 4264 wrote to memory of 4796 | 4264 | rovwer.exe | schtasks.exe
  PID 4264 wrote to memory of 4796 | 4264 | rovwer.exe | schtasks.exe
  PID 4264 wrote to memory of 4796 | 4264 | rovwer.exe | schtasks.exe
  PID 4264 wrote to memory of 2752 | 4264 | rovwer.exe | cmd.exe
  PID 4264 wrote to memory of 2752 | 4264 | rovwer.exe | cmd.exe
  PID 4264 wrote to memory of 2752 | 4264 | rovwer.exe | cmd.exe
  PID 2752 wrote to memory of 1632 | 2752 | cmd.exe | cmd.exe
  PID 2752 wrote to memory of 1632 | 2752 | cmd.exe | cmd.exe
  PID 2752 wrote to memory of 1632 | 2752 | cmd.exe | cmd.exe
  PID 2752 wrote to memory of 1804 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 1804 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 1804 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 4408 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 4408 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 4408 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 4288 | 2752 | cmd.exe | cmd.exe
  PID 2752 wrote to memory of 4288 | 2752 | cmd.exe | cmd.exe
  PID 2752 wrote to memory of 4288 | 2752 | cmd.exe | cmd.exe
  PID 2752 wrote to memory of 3500 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 3500 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 3500 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 5108 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 5108 | 2752 | cmd.exe | cacls.exe
  PID 2752 wrote to memory of 5108 | 2752 | cmd.exe | cacls.exe
  PID 4264 wrote to memory of 1824 | 4264 | rovwer.exe | rundll32.exe
  PID 4264 wrote to memory of 1824 | 4264 | rovwer.exe | rundll32.exe
  PID 4264 wrote to memory of 1824 | 4264 | rovwer.exe | rundll32.exe

- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes

Process tree (the number in brackets is the depth in the tree; each entry gives the image path, its command line, and the signatures it triggered):

[1] C:\Users\Admin\AppData\Local\Temp\a12b477f3a02a42eeae121a8ce166030.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a12b477f3a02a42eeae121a8ce166030.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
        - Creates scheduled task(s)

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "rovwer.exe" /P "Admin:N"

      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "rovwer.exe" /P "Admin:R" /E

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\99e342142d" /P "Admin:N"

      [4] C:\Windows\SysWOW64\cacls.exe
          Command line: CACLS "..\99e342142d" /P "Admin:R" /E

    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - outlook_win_path

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 908
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2596 -ip 2596

[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 216
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3116 -ip 3116

[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE

  [2] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 424
      - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1756 -ip 1756
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Filesize: 242KB
  MD5: a12b477f3a02a42eeae121a8ce166030
  SHA1: 31a368c8958fd1a8f8f18058b3e2133d0f55ba8a
  SHA256: 5618e1e649535b53a235907afb1e279d3143a8d93c63afcdfe75978d6aa1cc6c
  SHA512: 6fcb63813bb21c0dd60be6b5b3686c40a9f6e690cfa180443b1e9f771b9c2afaef20990c0c62c091b0344c64c84b58c19dcd4edbe0b40bb326c467b40df33374
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 507e9dc7b9c42f535b6df96d79179835
  SHA1: acf41fb549750023115f060071aa5ca8c33f249e
  SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
  SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
- memory/1632-142-0x0000000000000000-mapping.dmp

- memory/1756-161-0x000000000079C000-0x00000000007BB000-memory.dmp
  Filesize: 124KB

- memory/1756-162-0x0000000000400000-0x00000000005A1000-memory.dmp
  Filesize: 1.6MB

- memory/1804-143-0x0000000000000000-mapping.dmp

- memory/1824-159-0x0000000001350000-0x0000000001374000-memory.dmp
  Filesize: 144KB

- memory/1824-155-0x0000000000000000-mapping.dmp

- memory/2596-133-0x0000000000840000-0x000000000087E000-memory.dmp
  Filesize: 248KB

- memory/2596-139-0x0000000000400000-0x00000000005A1000-memory.dmp
  Filesize: 1.6MB

- memory/2596-138-0x00000000008D8000-0x00000000008F7000-memory.dmp
  Filesize: 124KB

- memory/2596-134-0x0000000000400000-0x00000000005A1000-memory.dmp
  Filesize: 1.6MB

- memory/2596-132-0x00000000008D8000-0x00000000008F7000-memory.dmp
  Filesize: 124KB

- memory/2752-141-0x0000000000000000-mapping.dmp

- memory/3116-153-0x000000000090C000-0x000000000092B000-memory.dmp
  Filesize: 124KB

- memory/3116-154-0x0000000000400000-0x00000000005A1000-memory.dmp
  Filesize: 1.6MB

- memory/3500-146-0x0000000000000000-mapping.dmp

- memory/4264-151-0x0000000000400000-0x00000000005A1000-memory.dmp
  Filesize: 1.6MB

- memory/4264-150-0x0000000000778000-0x0000000000797000-memory.dmp
  Filesize: 124KB

- memory/4264-149-0x0000000000400000-0x00000000005A1000-memory.dmp
  Filesize: 1.6MB

- memory/4264-148-0x0000000000778000-0x0000000000797000-memory.dmp
  Filesize: 124KB

- memory/4264-135-0x0000000000000000-mapping.dmp

- memory/4288-145-0x0000000000000000-mapping.dmp

- memory/4408-144-0x0000000000000000-mapping.dmp

- memory/4796-140-0x0000000000000000-mapping.dmp

- memory/5108-147-0x0000000000000000-mapping.dmp