Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-11-2022 16:49

Static task: static1
Behavioral task: behavioral1
- Sample: 47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe
- Resource: win10v2004-20220812-en
General
- Target: 47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe
- Size: 231KB
- MD5: d77669f81b1144b5c6d938956eefe086
- SHA1: ab5124f468d2b2bc7f916809d402f9ad07d68271
- SHA256: 47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74
- SHA512: 0eaf8a2cb6ff41661506f0ff5abdb9e77d66b7fee7ccab5b01d999f1b5d27836ca9a32e15cfb725a4f348b1e25dd4ca34b12ec7a9098af384b2debbf713b68fe
- SSDEEP: 3072:JXO++i+1L6VJcJDWdyynFoBOsXogCX3a6neBE09MumMuTroVS+CD8OM+jub:tv+1L6YJDWdfFossX7gGLnm6MTPzub
Malware Config

Extracted: redline
- 3m
- C2: jalocliche.xyz:81
- C2: chardhesha.xyz:81
- auth_value: e7297ca71163c923562e84cf53f5dc0e

Extracted: eternity
- http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion
Signatures

Detect Amadey credential stealer module (2 IoCs)
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll: amadey_cred_module
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll: amadey_cred_module

Detects Smokeloader packer (1 IoC)
Processes (resource: yara_rule):
- behavioral1/memory/868-133-0x0000000000030000-0x0000000000039000-memory.dmp: family_smokeloader

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/952-159-0x0000000000400000-0x0000000000428000-memory.dmp: family_redline
- behavioral1/memory/952-160-0x00000000004221BA-mapping.dmp: family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Blocklisted process makes network request (1 IoC)
Processes (flow, pid, process):
- flow 149: pid 2988 rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (9 IoCs)
Processes (pid, process):
- 4740 gctdevf
- 2212 196.exe
- 4780 F72.exe
- 4116 1CE0.exe
- 2964 rovwer.exe
- 2700 Eternity.exe
- 5016 e9bbde0444.exe
- 3620 rovwer.exe
- 1612 rovwer.exe

Signature title missing from the page (yara rule upx, 4 IoCs)
Processes (resource: yara_rule):
- behavioral1/memory/4252-247-0x0000000000400000-0x0000000000BEB000-memory.dmp: upx
- behavioral1/memory/4252-249-0x0000000000400000-0x0000000000BEB000-memory.dmp: upx
- behavioral1/memory/4252-250-0x0000000000400000-0x0000000000BEB000-memory.dmp: upx
- behavioral1/memory/4252-251-0x0000000000400000-0x0000000000BEB000-memory.dmp: upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description: ioc (process)):
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (F72.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (rovwer.exe)

Loads dropped DLL (1 IoC)
Processes (pid, process):
- 2988 rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes (description: ioc (process)):
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Eternity.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Eternity.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Eternity.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes (description: ioc (process)):
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eternity.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000110000\\Eternity.exe" (rovwer.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\36213E914FC147068C2A39D11BA4318B = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1000114001\\e9bbde0444.exe\"" (e9bbde0444.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e9bbde0444.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000114001\\e9bbde0444.exe" (rovwer.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 129: ip-api.com

Suspicious use of SetThreadContext (3 IoCs)
Processes (description, pid, process -> target process):
- PID 2212 set thread context of 952: 196.exe -> InstallUtil.exe
- PID 5016 set thread context of 3716: e9bbde0444.exe -> InstallUtil.exe
- PID 4116 set thread context of 4252: 1CE0.exe -> RegSvcs.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
Processes (pid process -> pid_target target process):
- 3672 WerFault.exe -> 4780 F72.exe
- 3876 WerFault.exe -> 3620 rovwer.exe

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description: ioc (process)):
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gctdevf)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gctdevf)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (gctdevf)

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description: ioc (process)):
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 (Eternity.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (Eternity.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

GoLang User-Agent (1 IoC)
Uses default user-agent string defined by GoLang HTTP packages.
Processes (description, flow, ioc):
- HTTP User-Agent header, flow 147: Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process):
- 868 47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe (2 entries)
- 2864 (62 entries; the process name for this pid is not recorded on the page)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid, process):
- 2864 (process name not recorded on the page)

Suspicious behavior: MapViewOfSection (20 IoCs)
Processes (pid, process):
- 868 47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe
- 4740 gctdevf
- 2864 (18 entries; process name not recorded on the page)

Suspicious use of AdjustPrivilegeToken (20 IoCs)
Processes (description, pid, process; identical rows collapsed with their count):
- Token: SeShutdownPrivilege, pid 2864 (8 entries; process name not recorded on the page)
- Token: SeCreatePagefilePrivilege, pid 2864 (8 entries; process name not recorded on the page)
- Token: SeDebugPrivilege, pid 2700 Eternity.exe
- Token: SeDebugPrivilege, pid 952 InstallUtil.exe
- Token: SeDebugPrivilege, pid 5016 e9bbde0444.exe
- Token: SeDebugPrivilege, pid 3716 InstallUtil.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process -> target process; identical consecutive rows collapsed with their count):
- PID 2864 wrote to memory of 2212: 2864 (name not recorded) -> 196.exe (x2)
- PID 2864 wrote to memory of 4780: 2864 (name not recorded) -> F72.exe (x3)
- PID 2864 wrote to memory of 4116: 2864 (name not recorded) -> 1CE0.exe (x2)
- PID 2864 wrote to memory of 2272: 2864 (name not recorded) -> explorer.exe (x4)
- PID 2212 wrote to memory of 952: 196.exe -> InstallUtil.exe (x8)
- PID 4780 wrote to memory of 2964: F72.exe -> rovwer.exe (x3)
- PID 2864 wrote to memory of 628: 2864 (name not recorded) -> explorer.exe (x3)
- PID 2864 wrote to memory of 856: 2864 (name not recorded) -> explorer.exe (x4)
- PID 2864 wrote to memory of 2284: 2864 (name not recorded) -> explorer.exe (x3)
- PID 2964 wrote to memory of 3224: rovwer.exe -> schtasks.exe (x3)
- PID 2964 wrote to memory of 4508: rovwer.exe -> cmd.exe (x3)
- PID 2864 wrote to memory of 3520: 2864 (name not recorded) -> explorer.exe (x4)
- PID 4508 wrote to memory of 1368: cmd.exe -> cmd.exe (x3)
- PID 4508 wrote to memory of 800: cmd.exe -> cacls.exe (x3)
- PID 4508 wrote to memory of 5108: cmd.exe -> cacls.exe (x3)
- PID 4508 wrote to memory of 4748: cmd.exe -> cmd.exe (x3)
- PID 4508 wrote to memory of 1924: cmd.exe -> cacls.exe (x3)
- PID 4508 wrote to memory of 4760: cmd.exe -> cacls.exe (x3)
- PID 2864 wrote to memory of 4028: 2864 (name not recorded) -> explorer.exe (x4)

outlook_office_path (1 IoC)
Processes (description: ioc (process)):
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Eternity.exe)

outlook_win_path (1 IoC)
Processes (description: ioc (process)):
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (rundll32.exe)
Processes
Each entry gives the image path, the command line, and the signatures that process triggered; children are indented under their parent according to the depth recorded in the report.

C:\Users\Admin\AppData\Local\Temp\47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\gctdevf
  command line: C:\Users\Admin\AppData\Roaming\gctdevf
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\196.exe
  command line: C:\Users\Admin\AppData\Local\Temp\196.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\F72.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F72.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "rovwer.exe" /P "Admin:N"

            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "rovwer.exe" /P "Admin:R" /E

            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "..\99e342142d" /P "Admin:R" /E

            C:\Windows\SysWOW64\cacls.exe
              command line: CACLS "..\99e342142d" /P "Admin:N"

            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        C:\Users\Admin\AppData\Roaming\1000110000\Eternity.exe
          command line: "C:\Users\Admin\AppData\Roaming\1000110000\Eternity.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Checks processor information in registry
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path

            C:\Windows\SYSTEM32\cmd.exe
              command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

                C:\Windows\system32\chcp.com
                  command line: chcp 65001

                C:\Windows\system32\netsh.exe
                  command line: netsh wlan show profile

                C:\Windows\system32\findstr.exe
                  command line: findstr All

            C:\Windows\SYSTEM32\cmd.exe
              command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key

                C:\Windows\system32\chcp.com
                  command line: chcp 65001

                C:\Windows\system32\netsh.exe
                  command line: netsh wlan show profile name="65001" key=clear

                C:\Windows\system32\findstr.exe
                  command line: findstr Key

        C:\Users\Admin\AppData\Local\Temp\1000114001\e9bbde0444.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\1000114001\e9bbde0444.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
              - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\rundll32.exe
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Accesses Microsoft Outlook profiles
          - outlook_win_path

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 900
      - Program crash

C:\Users\Admin\AppData\Local\Temp\1CE0.exe
  command line: C:\Users\Admin\AppData\Local\Temp\1CE0.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4780 -ip 4780

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 424
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3620 -ip 3620

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  - Executes dropped EXE
Downloads
Dropped files, one entry per unique file (the original listing repeated each entry two to four times).

C:\Users\Admin\AppData\Local\Temp\1000114001\e9bbde0444.exe
- Filesize: 361KB
- MD5: 0d87aa7bbe296daf99e08d8cca67facd
- SHA1: c553925395abe9747f879bab702006e81fac3451
- SHA256: 36db39aad52ff2ece38ada70f14ef45da78434311c1043bbb4beead602481d7e
- SHA512: f93bde2ccc7eefc15d05d96c1e1bbe07911617b430cec2fa37a87046bb3eb153cc1ee2ed41cf6edf2c3cb626450e16c563511655319192fe08084f464be43153

C:\Users\Admin\AppData\Local\Temp\196.exe
- Filesize: 459KB
- MD5: ad34726ca0dcac3df4a00c082eddee4b
- SHA1: 705d715768046736632c6d21ab31a5d0cb437f08
- SHA256: af90b7982f9e83491575881365351306991619644e94fde6382d892f27a7fb1b
- SHA512: 2d7820a101d66b9924a741f2c14fef70abb66d67794efb9f8d3a96ed18c1e8e2ac71e27569b945c1a339af42d9ff11c5aa9814b3b8a8d5799e49c4562602a17d

C:\Users\Admin\AppData\Local\Temp\1CE0.exe
- Filesize: 3.0MB
- MD5: 80d185239d0bc508cbd85e84d62b8b0c
- SHA1: 70bb4adc0138bd9d08a4479d2d9ef6bee93acdb5
- SHA256: 6f6ee9be98feeb031891ea5849b296f2741e0bd6786ce0b4b4379841a96749dc
- SHA512: 581e15c4e7fd8484401b9ed374bd1546c514fe6273444d4671a8890c330f7d22cfc74562e2a224a1b427902ddc957822cd7d5e683fb48ee3d4ac6c369655e4ce

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
- Filesize: 270KB
- MD5: 0d52c23b8a957da3c4682bf65ef6239d
- SHA1: 846e695305a6ae4e3aa877cb5b05caae26fb87fc
- SHA256: d7a5346d83487c6d884b98747a7874bbec44f90f752d9bfae181fe107612f449
- SHA512: 39b9169b8d5c0493ae471cc17c6f89c62da43d79a757bffad44f1556558e8ffab85481154c5774d3d3282a84b369b34944b89214a8453795619e8f1596fe89f6

C:\Users\Admin\AppData\Local\Temp\F72.exe (same size and hashes as rovwer.exe above)
- Filesize: 270KB
- MD5: 0d52c23b8a957da3c4682bf65ef6239d
- SHA1: 846e695305a6ae4e3aa877cb5b05caae26fb87fc
- SHA256: d7a5346d83487c6d884b98747a7874bbec44f90f752d9bfae181fe107612f449
- SHA512: 39b9169b8d5c0493ae471cc17c6f89c62da43d79a757bffad44f1556558e8ffab85481154c5774d3d3282a84b369b34944b89214a8453795619e8f1596fe89f6

C:\Users\Admin\AppData\Roaming\1000110000\Eternity.exe
- Filesize: 334KB
- MD5: a841724e4e82cecd3a00fac001ca9230
- SHA1: dd311ab9e15bbf519a0f4c0beaa6e4580f6a7b12
- SHA256: 9e789a306089eb12501a620add9a90e4acc45ea9bbb88c2b6c031ff36625dd59
- SHA512: 29755bd7da2bfb99902d76f6283c07380a1af1ef4a3580e35466a508ae1c511b93fb5d6bb2cc9ffff8db39d17f3988c7fc1abc5b3b62b99f1dfd12667db2bac9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
- Filesize: 126KB
- MD5: 507e9dc7b9c42f535b6df96d79179835
- SHA1: acf41fb549750023115f060071aa5ca8c33f249e
- SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
- SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

C:\Users\Admin\AppData\Roaming\gctdevf (same size and hashes as the submitted sample)
- Filesize: 231KB
- MD5: d77669f81b1144b5c6d938956eefe086
- SHA1: ab5124f468d2b2bc7f916809d402f9ad07d68271
- SHA256: 47e8ecad428d28536cc01427ce7e3f757223b48d639fbd27ea8281b0e098aa74
- SHA512: 0eaf8a2cb6ff41661506f0ff5abdb9e77d66b7fee7ccab5b01d999f1b5d27836ca9a32e15cfb725a4f348b1e25dd4ca34b12ec7a9098af384b2debbf713b68fe