Analysis
-
max time kernel
126s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
16-11-2022 17:30
Static task
static1
Behavioral task
behavioral1
Sample
983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe
Resource
win10v2004-20220901-en
General
-
Target
983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe
-
Size
346KB
-
MD5
d026a419ee15d08ebd5431c1a482b946
-
SHA1
bf9c55373d6d2299ee4b2457f55b27bdedd9748c
-
SHA256
983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067
-
SHA512
41bbcdaa9a0373e6cc849dbf3c84a8302891367a2b4e17fc4c37080db9dd6fe741e638afc9aa6d7862782c7968632ac121728eac7ceb416e2b0280592e1d501f
-
SSDEEP
6144:0hsoL5TODllI6YYOTk0hkIkkql07KNx+s3C1En2E1a:0hRlTODLI6TOYr3k37KWsS1Uv
Malware Config
Extracted
raccoon
d8f44b07b06da3a90ad87ebc9249718c
http://79.137.205.87/
Signatures
-
Detect Amadey credential stealer module 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll amadey_cred_module C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll amadey_cred_module -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 39 4748 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
rovwer.exefuoulvqwa.exerovwer.exerovwer.exepid process 1512 rovwer.exe 3316 fuoulvqwa.exe 2540 rovwer.exe 480 rovwer.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exerovwer.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation rovwer.exe -
Loads dropped DLL 4 IoCs
Processes:
vbc.exerundll32.exepid process 3784 vbc.exe 3784 vbc.exe 3784 vbc.exe 4748 rundll32.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
rovwer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuoulvqwa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000116001\\fuoulvqwa.exe" rovwer.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
fuoulvqwa.exedescription pid process target process PID 3316 set thread context of 3784 3316 fuoulvqwa.exe vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3848 4884 WerFault.exe 983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe 780 3316 WerFault.exe fuoulvqwa.exe 5112 2540 WerFault.exe rovwer.exe 1624 480 WerFault.exe rovwer.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
rundll32.exepid process 4748 rundll32.exe 4748 rundll32.exe 4748 rundll32.exe 4748 rundll32.exe -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exerovwer.execmd.exefuoulvqwa.exedescription pid process target process PID 4884 wrote to memory of 1512 4884 983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe rovwer.exe PID 4884 wrote to memory of 1512 4884 983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe rovwer.exe PID 4884 wrote to memory of 1512 4884 983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe rovwer.exe PID 1512 wrote to memory of 1572 1512 rovwer.exe schtasks.exe PID 1512 wrote to memory of 1572 1512 rovwer.exe schtasks.exe PID 1512 wrote to memory of 1572 1512 rovwer.exe schtasks.exe PID 1512 wrote to memory of 4596 1512 rovwer.exe cmd.exe PID 1512 wrote to memory of 4596 1512 rovwer.exe cmd.exe PID 1512 wrote to memory of 4596 1512 rovwer.exe cmd.exe PID 4596 wrote to memory of 3168 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 3168 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 3168 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 2400 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 2400 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 2400 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4308 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4308 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4308 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 924 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 924 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 924 4596 cmd.exe cmd.exe PID 4596 wrote to memory of 1956 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 1956 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 1956 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4740 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4740 4596 cmd.exe cacls.exe PID 4596 wrote to memory of 4740 4596 cmd.exe cacls.exe PID 1512 wrote to memory of 3316 1512 rovwer.exe fuoulvqwa.exe PID 1512 wrote to memory of 3316 1512 rovwer.exe fuoulvqwa.exe PID 1512 wrote to memory of 3316 1512 rovwer.exe fuoulvqwa.exe PID 3316 wrote to memory of 3784 3316 fuoulvqwa.exe vbc.exe PID 3316 wrote to memory of 3784 3316 fuoulvqwa.exe vbc.exe PID 3316 wrote to memory of 3784 3316 fuoulvqwa.exe vbc.exe PID 3316 wrote to memory of 3784 3316 fuoulvqwa.exe vbc.exe PID 3316 wrote to memory of 3784 3316 fuoulvqwa.exe vbc.exe PID 1512 wrote to memory of 4748 1512 rovwer.exe rundll32.exe PID 1512 wrote to memory of 4748 1512 rovwer.exe rundll32.exe PID 1512 wrote to memory of 4748 1512 rovwer.exe rundll32.exe -
outlook_win_path 1 IoCs
Processes:
rundll32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe"C:\Users\Admin\AppData\Local\Temp\983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵
-
C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exe"C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 2604⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 9042⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4884 -ip 48841⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3316 -ip 33161⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 4202⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2540 -ip 25401⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 4242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 480 -ip 4801⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\mozglue.dllFilesize
612KB
MD5f07d9977430e762b563eaadc2b94bbfa
SHA1da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA2564191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA5126afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
C:\Users\Admin\AppData\LocalLow\nss3.dllFilesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
C:\Users\Admin\AppData\LocalLow\sqlite3.dllFilesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exeFilesize
502KB
MD57603d680b2c7b88bd9339615f370c4d4
SHA14d28e7e6780af016b0eb58cfce8b97a8fa1060aa
SHA256e97908ddfbb553735e47a47bb05e870ce346c5f09aeee05db5bbccd9a96958fd
SHA512f886f509cef0d1344ce0dee3fb7dd7b995cb7552398f566682ac547c5891356c60f3dca5dde7f036e12f83c92b1136748c90d1d6235d4c8b46d204e26b935d41
-
C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exeFilesize
502KB
MD57603d680b2c7b88bd9339615f370c4d4
SHA14d28e7e6780af016b0eb58cfce8b97a8fa1060aa
SHA256e97908ddfbb553735e47a47bb05e870ce346c5f09aeee05db5bbccd9a96958fd
SHA512f886f509cef0d1344ce0dee3fb7dd7b995cb7552398f566682ac547c5891356c60f3dca5dde7f036e12f83c92b1136748c90d1d6235d4c8b46d204e26b935d41
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
346KB
MD5d026a419ee15d08ebd5431c1a482b946
SHA1bf9c55373d6d2299ee4b2457f55b27bdedd9748c
SHA256983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067
SHA51241bbcdaa9a0373e6cc849dbf3c84a8302891367a2b4e17fc4c37080db9dd6fe741e638afc9aa6d7862782c7968632ac121728eac7ceb416e2b0280592e1d501f
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
346KB
MD5d026a419ee15d08ebd5431c1a482b946
SHA1bf9c55373d6d2299ee4b2457f55b27bdedd9748c
SHA256983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067
SHA51241bbcdaa9a0373e6cc849dbf3c84a8302891367a2b4e17fc4c37080db9dd6fe741e638afc9aa6d7862782c7968632ac121728eac7ceb416e2b0280592e1d501f
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
346KB
MD5d026a419ee15d08ebd5431c1a482b946
SHA1bf9c55373d6d2299ee4b2457f55b27bdedd9748c
SHA256983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067
SHA51241bbcdaa9a0373e6cc849dbf3c84a8302891367a2b4e17fc4c37080db9dd6fe741e638afc9aa6d7862782c7968632ac121728eac7ceb416e2b0280592e1d501f
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
346KB
MD5d026a419ee15d08ebd5431c1a482b946
SHA1bf9c55373d6d2299ee4b2457f55b27bdedd9748c
SHA256983ae55c5100ebb120a6c474fc12e0602289a9962b8d1c1679b0d1beff055067
SHA51241bbcdaa9a0373e6cc849dbf3c84a8302891367a2b4e17fc4c37080db9dd6fe741e638afc9aa6d7862782c7968632ac121728eac7ceb416e2b0280592e1d501f
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
memory/480-172-0x0000000000904000-0x0000000000922000-memory.dmpFilesize
120KB
-
memory/480-173-0x0000000000400000-0x0000000000859000-memory.dmpFilesize
4.3MB
-
memory/924-146-0x0000000000000000-mapping.dmp
-
memory/1512-132-0x0000000000000000-mapping.dmp
-
memory/1512-143-0x0000000000920000-0x0000000000A20000-memory.dmpFilesize
1024KB
-
memory/1512-145-0x0000000000400000-0x0000000000859000-memory.dmpFilesize
4.3MB
-
memory/1512-152-0x0000000000920000-0x0000000000A20000-memory.dmpFilesize
1024KB
-
memory/1512-153-0x0000000000400000-0x0000000000859000-memory.dmpFilesize
4.3MB
-
memory/1572-139-0x0000000000000000-mapping.dmp
-
memory/1956-147-0x0000000000000000-mapping.dmp
-
memory/2400-142-0x0000000000000000-mapping.dmp
-
memory/2540-170-0x0000000000400000-0x0000000000859000-memory.dmpFilesize
4.3MB
-
memory/2540-169-0x0000000000884000-0x00000000008A2000-memory.dmpFilesize
120KB
-
memory/3168-141-0x0000000000000000-mapping.dmp
-
memory/3316-149-0x0000000000000000-mapping.dmp
-
memory/3784-155-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3784-154-0x0000000000000000-mapping.dmp
-
memory/3784-161-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4308-144-0x0000000000000000-mapping.dmp
-
memory/4596-140-0x0000000000000000-mapping.dmp
-
memory/4740-148-0x0000000000000000-mapping.dmp
-
memory/4748-165-0x0000000000000000-mapping.dmp
-
memory/4884-137-0x0000000000400000-0x0000000000859000-memory.dmpFilesize
4.3MB
-
memory/4884-136-0x00000000009C0000-0x00000000009FE000-memory.dmpFilesize
248KB
-
memory/4884-135-0x0000000000A32000-0x0000000000A51000-memory.dmpFilesize
124KB