Analysis
- max time kernel: 130s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-11-2022 17:15

Static task: static1

Behavioral task: behavioral1
- Sample: 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe
- Resource: win10v2004-20221111-en
General
- Target: 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe
- Size: 346KB
- MD5: 94cfb05ebec8347824c6a47b1f134cf1
- SHA1: be422dfc6d32411c8e28fb83c0d77eb28103dc9a
- SHA256: 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e
- SHA512: 3b7ed9e8cebf8a32180906615d07ed97b16c47aebfd5a18e1778dacbbc8a0889ff0a4a826334e39654e13f6b565340e76dae313aacf1448f9539345a0cb8c130
- SSDEEP: 6144:BkXvLzTOjlPdnarcQH4nu58vk3m7eQj25En2E1a:Bk/fTOj7arVmZd7fjeUv
Malware Config
Extracted:
- raccoon
- d8f44b07b06da3a90ad87ebc9249718c
- http://79.137.205.87/
Signatures
- Detect Amadey credential stealer module (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
    C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    32 | 1096 | rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  Processes:
    pid | process
    1264 | rovwer.exe
    2388 | fuoulvqwa.exe
    3524 | rovwer.exe
    3760 | rovwer.exe
    4236 | rovwer.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | rovwer.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid | process
    4124 | vbc.exe
    4124 | vbc.exe
    4124 | vbc.exe
    1096 | rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Uses the VBS compiler for execution (1 TTP)
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fuoulvqwa.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000116001\\fuoulvqwa.exe" | rovwer.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | process | target process
    PID 2388 set thread context of 4124 | 2388 | fuoulvqwa.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (5 IoCs)
  Processes:
    pid | pid_target | process | target process
    2208 | 2988 | WerFault.exe | 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe
    972 | 3524 | WerFault.exe | rovwer.exe
    3652 | 2388 | WerFault.exe | fuoulvqwa.exe
    3972 | 3760 | WerFault.exe | rovwer.exe
    2148 | 4236 | WerFault.exe | rovwer.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid | process
    1096 | rundll32.exe
    1096 | rundll32.exe
    1096 | rundll32.exe
    1096 | rundll32.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (identical rows collapsed; the last column is the number of times the row was reported):
    description | pid | process | target process | count
    PID 2988 wrote to memory of 1264 | 2988 | 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe | rovwer.exe | 3
    PID 1264 wrote to memory of 4428 | 1264 | rovwer.exe | schtasks.exe | 3
    PID 1264 wrote to memory of 1384 | 1264 | rovwer.exe | cmd.exe | 3
    PID 1384 wrote to memory of 1104 | 1384 | cmd.exe | cmd.exe | 3
    PID 1384 wrote to memory of 1044 | 1384 | cmd.exe | cacls.exe | 3
    PID 1384 wrote to memory of 4932 | 1384 | cmd.exe | cacls.exe | 3
    PID 1384 wrote to memory of 4644 | 1384 | cmd.exe | cmd.exe | 3
    PID 1384 wrote to memory of 4908 | 1384 | cmd.exe | cacls.exe | 3
    PID 1384 wrote to memory of 1612 | 1384 | cmd.exe | cacls.exe | 3
    PID 1264 wrote to memory of 2388 | 1264 | rovwer.exe | fuoulvqwa.exe | 3
    PID 2388 wrote to memory of 4124 | 2388 | fuoulvqwa.exe | vbc.exe | 5
    PID 1264 wrote to memory of 1096 | 1264 | rovwer.exe | rundll32.exe | 3
- outlook_win_path (1 IoC)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
(process tree; the number in brackets is the nesting depth reported by the sandbox, "cmd:" is the recorded command line)

[1] C:\Users\Admin\AppData\Local\Temp\0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
            - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [4] C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "rovwer.exe" /P "Admin:N"
            [4] C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "rovwer.exe" /P "Admin:R" /E
            [4] C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [4] C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "..\99e342142d" /P "Admin:N"
            [4] C:\Windows\SysWOW64\cacls.exe
                cmd: CACLS "..\99e342142d" /P "Admin:R" /E
        [3] C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exe
            cmd: "C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
                - Loads dropped DLL
            [4] C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 140
                - Program crash
        [3] C:\Windows\SysWOW64\rundll32.exe
            cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - outlook_win_path
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 1204
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2988 -ip 2988

[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 420
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3524 -ip 3524

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2388 -ip 2388

[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 420
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3760 -ip 3760

[1] C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 420
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4236 -ip 4236
Downloads
- C:\Users\Admin\AppData\LocalLow\mozglue.dll
  Filesize: 612KB
  MD5: f07d9977430e762b563eaadc2b94bbfa
  SHA1: da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
  SHA256: 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
  SHA512: 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
- C:\Users\Admin\AppData\LocalLow\nss3.dll
  Filesize: 1.9MB
  MD5: f67d08e8c02574cbc2f1122c53bfb976
  SHA1: 6522992957e7e4d074947cad63189f308a80fcf2
  SHA256: c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
  SHA512: 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
- C:\Users\Admin\AppData\LocalLow\sqlite3.dll
  Filesize: 1.0MB
  MD5: dbf4f8dcefb8056dc6bae4b67ff810ce
  SHA1: bbac1dd8a07c6069415c04b62747d794736d0689
  SHA256: 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
  SHA512: b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
- C:\Users\Admin\AppData\Local\Temp\1000116001\fuoulvqwa.exe
  Filesize: 502KB
  MD5: 7603d680b2c7b88bd9339615f370c4d4
  SHA1: 4d28e7e6780af016b0eb58cfce8b97a8fa1060aa
  SHA256: e97908ddfbb553735e47a47bb05e870ce346c5f09aeee05db5bbccd9a96958fd
  SHA512: f886f509cef0d1344ce0dee3fb7dd7b995cb7552398f566682ac547c5891356c60f3dca5dde7f036e12f83c92b1136748c90d1d6235d4c8b46d204e26b935d41
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Filesize: 346KB
  MD5: 94cfb05ebec8347824c6a47b1f134cf1
  SHA1: be422dfc6d32411c8e28fb83c0d77eb28103dc9a
  SHA256: 0e33b9e1a35c18a87afd29b937ea7e04c246392939c616bd17c448632163aa8e
  SHA512: 3b7ed9e8cebf8a32180906615d07ed97b16c47aebfd5a18e1778dacbbc8a0889ff0a4a826334e39654e13f6b565340e76dae313aacf1448f9539345a0cb8c130
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 507e9dc7b9c42f535b6df96d79179835
  SHA1: acf41fb549750023115f060071aa5ca8c33f249e
  SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
  SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302