Analysis
max time kernel: 144s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2022 15:12
Static task: static1
Behavioral task: behavioral1
  Sample: 1c2f93a2ccec9caf2e7ead8d3f3690bd.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2 (this report; the memory dumps below are tagged behavioral2)
  Sample: 1c2f93a2ccec9caf2e7ead8d3f3690bd.exe
  Resource: win10v2004-20220812-en
General
Target: 1c2f93a2ccec9caf2e7ead8d3f3690bd.exe
Size: 252KB
MD5: 1c2f93a2ccec9caf2e7ead8d3f3690bd
SHA1: db0614385100370f8920380cd9cef7395a23a70c
SHA256: e2e84ad248c4744e5ae19a65f83715db30c11f896737f8108ac2f5b4705a4706
SHA512: ebd5698b4d934b3a402a0fc9f2bb6f4aeb6877f0d8de8cc7cf0e8fddb2ee37402674cb625edcb9d425ba61ca379ac3d97bc8a12f03fb79503b7e4dfc39c6eddb
SSDEEP: 6144:qmTKp3msHzeDJZzEDb9VWHj57WSVPKzq9ml8:/m6FZzis7WS+qt
Malware Config
Signatures
- Detect Amadey credential stealer module (4 IoCs)
  resource -> yara_rule:
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll -> amadey_cred_module (3 entries)
  behavioral2/memory/376-157-0x00000000001D0000-0x00000000001F4000-memory.dmp -> amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  flow 54, pid 376, process rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid 3000 rovwer.exe
  pid 2508 rovwer.exe
  pid 1532 rovwer.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation by 1c2f93a2ccec9caf2e7ead8d3f3690bd.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation by rovwer.exe
- Loads dropped DLL (2 IoCs)
  pid 376 rundll32.exe (2 events)
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but drive enumeration is just as common in loaders and stealers, and nothing else in this report (no mass file writes, no ransom note) supports a ransomware reading.
- Program crash (3 IoCs)
  WerFault.exe pid 3456 -> target pid 4664 (1c2f93a2ccec9caf2e7ead8d3f3690bd.exe)
  WerFault.exe pid 1460 -> target pid 2508 (rovwer.exe)
  WerFault.exe pid 2584 -> target pid 1532 (rovwer.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 376 rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (30 IoCs)
  PID 4664 (1c2f93a2ccec9caf2e7ead8d3f3690bd.exe) wrote to memory of PID 3000 (rovwer.exe), 3 events
  PID 3000 (rovwer.exe) wrote to memory of PID 4932 (schtasks.exe), 3 events
  PID 3000 (rovwer.exe) wrote to memory of PID 4892 (cmd.exe), 3 events
  PID 4892 (cmd.exe) wrote to memory of PID 696 (cmd.exe), 3 events
  PID 4892 (cmd.exe) wrote to memory of PID 2044 (cacls.exe), 3 events
  PID 4892 (cmd.exe) wrote to memory of PID 4196 (cacls.exe), 3 events
  PID 4892 (cmd.exe) wrote to memory of PID 4100 (cmd.exe), 3 events
  PID 4892 (cmd.exe) wrote to memory of PID 1980 (cacls.exe), 3 events
  PID 4892 (cmd.exe) wrote to memory of PID 4256 (cacls.exe), 3 events
  PID 3000 (rovwer.exe) wrote to memory of PID 376 (rundll32.exe), 3 events
  Every target above is the writer's own freshly spawned child, which is consistent with ordinary process creation rather than injection into an unrelated process.
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook by rundll32.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\1c2f93a2ccec9caf2e7ead8d3f3690bd.exe (pid 4664)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1c2f93a2ccec9caf2e7ead8d3f3690bd.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (pid 3000)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe (pid 4932)
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
        - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe (pid 4892)
        cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "rovwer.exe" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "rovwer.exe" /P "Admin:R" /E
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "..\99e342142d" /P "Admin:N"
      [4] C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "..\99e342142d" /P "Admin:R" /E
    [3] C:\Windows\SysWOW64\rundll32.exe (pid 376)
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - outlook_win_path
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 880
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4664 -ip 4664
[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (pid 2508, relaunched by the scheduled task)
    cmdline: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 416
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2508 -ip 2508
[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (pid 1532, relaunched by the scheduled task)
    cmdline: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 416
      - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1532 -ip 1532
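Three command lines in the tree above carry the whole story and are what a responder should be able to pull out of any sandbox or EDR command-line feed: rovwer.exe registers a scheduled task that relaunches it every minute (/SC MINUTE /MO 1 ... /F); it then runs cacls to replace the ACL on the dropped file and its directory with "Admin: no access" (Admin:N) and edit in read-only (Admin:R /E), which strips write and delete rights from the very account that ran it so a casual cleanup fails; and finally rundll32 loads cred64.dll from AppData\Roaming through its Main export. (The image paths read SysWOW64 while the command lines say System32 because the 32-bit parent is subject to WOW64 file-system redirection; match on the command line, not the image path.) The script below is an added example, not code from this report or from the sandbox: it classifies such command lines with regular expressions. The sample lines are copied from the process tree; the function names, the finding fields and the "user-writable path" heuristic are my own assumptions.

```python
"""Classify sandbox process-tree command lines for the persistence and
self-protection tricks visible in this report.

Added example: not code from the report or from the sandbox. SAMPLE_CMDLINES
are copied from the process tree; the function names, finding fields and the
user-writable-path heuristic are assumptions made for this example.
"""
import re
from typing import Dict, List, Optional

# Constructed input: command lines taken from the process tree in this report.
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Users\Admin\AppData\Local\Temp\1c2f93a2ccec9caf2e7ead8d3f3690bd.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
    r'/TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"'
    r'&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"'
    r'&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit',
    r'CACLS "rovwer.exe" /P "Admin:N"',
    r'"C:\Windows\System32\rundll32.exe" '
    r'C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 880',
]

SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/create\b', re.I)
# CACLS <path> /P <user>:<perm> [/E]  (perm N = no access, R = read only; /E edits
# the ACL instead of replacing it). One cmd line may chain several calls with &&.
CACLS_CALL = re.compile(
    r'cacls\s+"?([^"\s]+)"?\s+/P\s+"?([^":]+):([A-Za-z])"?(\s+/E)?', re.I)
# rundll32 <dll>,<export>
RUNDLL32_LOAD = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.I)
# Heuristic (assumption): anything under a profile's AppData is writable by that
# user and is not where a legitimate task action or rundll32 payload normally lives.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.I)


def _arg(cmdline: str, flag: str) -> Optional[str]:
    """Value of a schtasks-style /FLAG argument, quoted or bare."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(cmdline: str) -> Optional[Dict[str, object]]:
    """Return one finding for a command line, or None if nothing of interest."""
    if SCHTASKS_CREATE.search(cmdline):
        sc, mo = _arg(cmdline, "SC"), _arg(cmdline, "MO")
        target = _arg(cmdline, "TR")
        return {
            "technique": "scheduled_task_persistence",
            "task_name": _arg(cmdline, "TN"),
            "schedule": f"{sc}/{mo}",
            "target": target,
            # A task that relaunches a binary every minute is a loader keep-alive.
            "high_frequency": (sc or "").upper() == "MINUTE" and mo == "1",
            "user_writable_target": bool(target and USER_WRITABLE.search(target)),
        }
    acls = CACLS_CALL.findall(cmdline)
    if acls:
        perms: Dict[str, List[str]] = {}
        for target, _user, perm, _edit in acls:
            perms.setdefault(target, []).append(perm.upper())
        # Deny-all followed by read-only on the same object is the self-protection
        # pattern: the user keeps read but loses write/delete on the dropped file.
        locked = [t for t, p in perms.items() if "N" in p and "R" in p]
        return {"technique": "acl_self_protection", "targets": perms,
                "deny_then_readonly": locked}
    m = RUNDLL32_LOAD.search(cmdline)
    if m:
        dll, export = m.group(1), m.group(2)
        return {"technique": "rundll32_user_dll", "dll": dll, "export": export,
                "user_writable_dll": bool(USER_WRITABLE.search(dll))}
    return None


def analyze(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a feed of command lines and keep the hits."""
    findings = []
    for cl in cmdlines:
        hit = classify(cl)
        if hit is not None:
            hit["cmdline"] = cl
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f["technique"], {k: v for k, v in f.items() if k not in ("technique", "cmdline")})
```

On the lines from this report the script yields four findings: the minute-interval task pointing into Temp, the chained cacls call that locks both rovwer.exe and its directory, the single deny-all cacls child (flagged but not as the full deny-then-readonly pattern), and the rundll32 load of a DLL from AppData\Roaming. The WerFault and plain executable launches produce nothing, which is the point: the detection keys on the persistence and self-protection verbs, not on the file names, so it survives the random directory and file names this family uses.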
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Filesize: 252KB
  MD5: 1c2f93a2ccec9caf2e7ead8d3f3690bd
  SHA1: db0614385100370f8920380cd9cef7395a23a70c
  SHA256: e2e84ad248c4744e5ae19a65f83715db30c11f896737f8108ac2f5b4705a4706
  SHA512: ebd5698b4d934b3a402a0fc9f2bb6f4aeb6877f0d8de8cc7cf0e8fddb2ee37402674cb625edcb9d425ba61ca379ac3d97bc8a12f03fb79503b7e4dfc39c6eddb
  Same size and hashes as the submitted sample: rovwer.exe is a byte-identical copy of 1c2f93a2ccec9caf2e7ead8d3f3690bd.exe, so a hash match on the original also covers the persisted copy.
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 507e9dc7b9c42f535b6df96d79179835
  SHA1: acf41fb549750023115f060071aa5ca8c33f249e
  SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
  SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
Memory dumps (pid-sequence-range)
- memory/376-153-0x0000000000000000-mapping.dmp
- memory/376-157-0x00000000001D0000-0x00000000001F4000-memory.dmp (144KB)
- memory/696-140-0x0000000000000000-mapping.dmp
- memory/1532-159-0x000000000092C000-0x000000000094B000-memory.dmp (124KB)
- memory/1532-160-0x0000000000400000-0x00000000005A4000-memory.dmp (1.6MB)
- memory/1980-144-0x0000000000000000-mapping.dmp
- memory/2044-141-0x0000000000000000-mapping.dmp
- memory/2508-152-0x0000000000400000-0x00000000005A4000-memory.dmp (1.6MB)
- memory/2508-151-0x000000000086C000-0x000000000088B000-memory.dmp (124KB)
- memory/3000-146-0x00000000006F8000-0x0000000000717000-memory.dmp (124KB)
- memory/3000-149-0x0000000000400000-0x00000000005A4000-memory.dmp (1.6MB)
- memory/3000-148-0x00000000006F8000-0x0000000000717000-memory.dmp (124KB)
- memory/3000-147-0x0000000000400000-0x00000000005A4000-memory.dmp (1.6MB)
- memory/3000-132-0x0000000000000000-mapping.dmp
- memory/4100-143-0x0000000000000000-mapping.dmp
- memory/4196-142-0x0000000000000000-mapping.dmp
- memory/4256-145-0x0000000000000000-mapping.dmp
- memory/4664-137-0x0000000000400000-0x00000000005A4000-memory.dmp (1.6MB)
- memory/4664-135-0x00000000008F8000-0x0000000000917000-memory.dmp (124KB)
- memory/4664-136-0x0000000000840000-0x000000000087E000-memory.dmp (248KB)
- memory/4892-139-0x0000000000000000-mapping.dmp
- memory/4932-138-0x0000000000000000-mapping.dmp