Analysis
- max time kernel: 110s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-11-2022 21:22

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20221111-en)
- Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20221111-en)

The platform and resource fields above identify this page as the behavioral2 (Windows 10 2004 x64) run.
General
- Target: file.exe
- Size: 279KB
- MD5: edb7e98faed74c17ea3b57fbfc80120c
- SHA1: 608e1ff59fd2d2d5adc401d061e66989f07b8ba0
- SHA256: 4531bab51ff2faf6dc606f50c3952804815e83b01c861d4eae8b606a8668ca39
- SHA512: 07df31279d7b15a2624f87a9b3b0e001224ebd45c34f39fbf8bb64fab6271dad4d1b963646ce57c8275ecef6bf93d9c3a2bdc6e95eaa6ba1002e12659ce19697
- SSDEEP: 6144:vHrL9EtBHC8q9NMLI3puFwlK1W+b6xFbJp6xGb:vLpYBHC5mLI3pywlKkZbJ8A
Malware Config
(No configuration was extracted in this run.)

Signatures

- Detect Amadey credential stealer module (2 IoCs)
  resource                                                  yara_rule
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll  amadey_cred_module
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll  amadey_cred_module

- Blocklisted process makes network request (1 IoC)
  flow  pid   process
  27    2080  rundll32.exe

- Downloads MZ/PE file

- Executes dropped EXE (3 IoCs)
  pid   process
  3856  rovwer.exe
  2568  rovwer.exe
  3656  rovwer.exe

- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                 process
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  file.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation  rovwer.exe

- Loads dropped DLL (1 IoC)
  pid   process
  2080  rundll32.exe

- Reads local data of messenger clients (2 TTPs)
  Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.

- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description  ioc                                                                                                                                 process
  Key opened   \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour, but no encryption or mass file-modification activity is recorded anywhere in this report; in a stealer/loader sample it is more plausibly drive enumeration.

- Program crash (3 IoCs)
  pid   pid_target  process       target process
  1348  4892        WerFault.exe  file.exe
  2428  2568        WerFault.exe  rovwer.exe
  2100  3656        WerFault.exe  rovwer.exe

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  2080  rundll32.exe (4 events)

- Suspicious use of WriteProcessMemory (30 IoCs)
  The source records each of the 10 parent/child pairs below three times (30 events in total).
  pid   process     target pid  target process
  4892  file.exe    3856        rovwer.exe
  3856  rovwer.exe  1732        schtasks.exe
  3856  rovwer.exe  4848        cmd.exe
  4848  cmd.exe     2908        cmd.exe
  4848  cmd.exe     3428        cacls.exe
  4848  cmd.exe     3268        cacls.exe
  4848  cmd.exe     116         cmd.exe
  4848  cmd.exe     224         cacls.exe
  4848  cmd.exe     2924        cacls.exe
  3856  rovwer.exe  2080        rundll32.exe
  Every target is a direct child of the writing process, so these writes are consistent with ordinary process creation in this chain rather than injection into an unrelated process; the signature is generic and should be read together with the process tree.

- outlook_win_path (1 IoC)
  description  ioc                                                                                                                                 process
  Key opened   \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\file.exe  [PID 4892, depth 1]
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe  [PID 3856, depth 2]
    Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe  [PID 1732, depth 3]
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe  [PID 4848, depth 3]
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe  [PID 2908, depth 4]
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe  [PID 3428, depth 4]
        Command line: CACLS "rovwer.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe  [PID 3268, depth 4]
        Command line: CACLS "rovwer.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe  [PID 116, depth 4]
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe  [PID 224, depth 4]
        Command line: CACLS "..\99e342142d" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe  [PID 2924, depth 4]
        Command line: CACLS "..\99e342142d" /P "Admin:R" /E
    - C:\Windows\SysWOW64\rundll32.exe  [PID 2080, depth 3]
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe  [PID 1348, depth 2]
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1136
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe  [depth 1]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4892 -ip 4892
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe  [PID 2568, depth 1]
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe  [PID 2428, depth 2]
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 416
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe  [depth 1]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2568 -ip 2568
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe  [PID 3656, depth 1]
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe  [PID 2100, depth 2]
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 420
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe  [depth 1]
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3656 -ip 3656

Reading the tree: the PIDs in brackets come from the signature tables above. The SysWOW64 image paths together with the arch:x86 resource tag show the sample is a 32-bit binary running under WoW64; it asks for C:\Windows\System32\schtasks.exe, cmd.exe and rundll32.exe and file-system redirection supplies the SysWOW64 copies. file.exe drops a copy of itself as C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (identical hashes, see the dropped files below) and rovwer.exe (PID 3856) then does three things: it registers a scheduled task named rovwer.exe that runs that path every minute (/SC MINUTE /MO 1, /F to overwrite any existing task); it runs a cmd.exe chain in which echo Y answers cacls's confirmation prompt, /P "Admin:N" replaces the ACL on rovwer.exe and on its directory with an entry granting Admin no access, and /P "Admin:R" /E edits that entry to read-only, so the task can still launch the file while the user cannot easily modify or delete it; and it loads the dropped cred64.dll through rundll32.exe with the export Main, which is the process that makes the network request, enumerates processes and reads the Outlook profile key. Note that cred64.dll, despite its name, is loaded by the 32-bit rundll32.exe from SysWOW64. The two later rovwer.exe instances (PIDs 2568 and 3656) start at depth 1 with no parent in the tree, which matches the one-minute task firing; each of them, like the original file.exe (PID 4892), crashes and is picked up by WerFault.exe.
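Hunting for this chain in process-creation telemetry, as an added example (my code, not Triage's and nothing from the sample): the three command lines that matter are the one-minute schtasks entry pointing into the user's Temp directory, the cacls deny-all self-protection, and rundll32 loading a module out of AppData\Roaming with a named export. The events are a constructed, simplified Sysmon-style record (pid, ppid, image, command line); the command lines are copied from the tree above, plus one benign schtasks control I made up. The field names, rule names, parent PID 1000 and the MINUTE-modifier threshold are assumptions.

```python
"""Flag the Amadey persistence/self-protection/module-load chain in
process-creation events.  Added example; the event layout is a constructed
stand-in for Sysmon Event ID 1 / Security 4688 fields."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # command line as logged


@dataclass
class Finding:
    rule: str
    pid: int
    chain: list     # image basenames, root ancestor first
    detail: str


# Constructed sample: command lines from the report, parent PIDs per the tree.
SAMPLE_EVENTS = [
    ProcEvent(4892, 1000, r"C:\Users\Admin\AppData\Local\Temp\file.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\file.exe"'),
    ProcEvent(3856, 4892, r"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"'),
    ProcEvent(1732, 3856, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
              r'/TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F'),
    ProcEvent(4848, 3856, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"'
              r'&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"'
              r'&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit'),
    ProcEvent(3428, 4848, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "rovwer.exe" /P "Admin:N"'),
    ProcEvent(2080, 3856, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'),
    # Benign control (constructed): daily task into Program Files must not fire.
    ProcEvent(5000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC DAILY /TN Updater /TR "C:\Program Files\Vendor\upd.exe"'),
]

# Locations an unprivileged user can write to; persistence targets or modules
# living here are far more suspicious than ones under Program Files/System32.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
MAX_MINUTE_MODIFIER = 5   # assumption: /SC MINUTE with /MO <= 5 is worth flagging


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Root-first list of image basenames from the tree root down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def check_schtasks(ev: ProcEvent):
    """MINUTE-interval task whose /TR target lives in a user-writable directory."""
    if _basename(ev.image) != "schtasks.exe" or not re.search(r"/SC\s+MINUTE\b", ev.cmdline, re.I):
        return None
    mo = re.search(r"/MO\s+(\d+)", ev.cmdline, re.I)
    interval = int(mo.group(1)) if mo else 1          # schtasks default modifier is 1
    tr = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', ev.cmdline, re.I)
    target = (tr.group(1) or tr.group(2)) if tr else ""
    if interval <= MAX_MINUTE_MODIFIER and USER_WRITABLE.search(target):
        return Finding("schtasks_minute_persistence_to_user_dir", ev.pid, [],
                       f"every {interval} min -> {target}")
    return None


def check_cacls(ev: ProcEvent):
    """cacls ... /P user:N replaces the ACL with a no-access entry for that user."""
    m = re.search(r'\bCACLS\b.*?/P\s+"?([^"\s:]+):N\b', ev.cmdline, re.I)
    if m:
        return Finding("cacls_deny_self_protection", ev.pid, [], f"no-access entry for {m.group(1)}")
    return None


def check_rundll32(ev: ProcEvent):
    """rundll32 <dll>,<export> where the DLL sits in a user-writable directory."""
    if _basename(ev.image) != "rundll32.exe":
        return None
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', ev.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return Finding("rundll32_user_dir_module", ev.pid, [], f"{m.group(1)} export {m.group(2)}")
    return None


def hunt(events) -> list:
    """Run every check over every event and attach the process ancestry."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for check in (check_schtasks, check_cacls, check_rundll32):
            f = check(ev)
            if f:
                f.chain = ancestry(by_pid, ev.pid)
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:40} pid={f.pid:<5} {' > '.join(f.chain)}  [{f.detail}]")
```

The same three checks map directly onto the command-line fields of Sysmon Event ID 1 or Security event 4688. If the cacls pattern turns up on a live host, inspect the dropped file and its directory with icacls; icacls <path> /reset restores the inherited permissions, but run it as the file owner or an administrator, since the no-access entry blocks the affected user.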
Downloads (dropped files)

- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe  (listed four times in the source, all with identical hashes)
  Filesize  279KB
  MD5       edb7e98faed74c17ea3b57fbfc80120c
  SHA1      608e1ff59fd2d2d5adc401d061e66989f07b8ba0
  SHA256    4531bab51ff2faf6dc606f50c3952804815e83b01c861d4eae8b606a8668ca39
  SHA512    07df31279d7b15a2624f87a9b3b0e001224ebd45c34f39fbf8bb64fab6271dad4d1b963646ce57c8275ecef6bf93d9c3a2bdc6e95eaa6ba1002e12659ce19697
  These hashes match the submitted file.exe exactly: rovwer.exe is a straight self-copy of the sample into the user's Temp directory, not a second-stage download.

- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll  (listed twice in the source)
  Filesize  126KB
  MD5       507e9dc7b9c42f535b6df96d79179835
  SHA1      acf41fb549750023115f060071aa5ca8c33f249e
  SHA256    3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
  SHA512    70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
  This is the module the amadey_cred_module YARA rule matched and the file rundll32.exe (PID 2080) loads with the export Main.
Memory dumps (grouped by process)

- file.exe (PID 4892)
  memory/4892-132-0x00000000009C7000-0x00000000009E6000-memory.dmp  124KB
  memory/4892-133-0x0000000000900000-0x000000000093E000-memory.dmp  248KB
  memory/4892-134-0x0000000000400000-0x0000000000848000-memory.dmp  4.3MB
  memory/4892-138-0x00000000009C7000-0x00000000009E6000-memory.dmp  124KB
  memory/4892-139-0x0000000000400000-0x0000000000848000-memory.dmp  4.3MB

- rovwer.exe (PID 3856)
  memory/3856-135-0x0000000000000000-mapping.dmp
  memory/3856-140-0x00000000008C6000-0x00000000008E5000-memory.dmp  124KB
  memory/3856-141-0x0000000000400000-0x0000000000848000-memory.dmp  4.3MB
  memory/3856-150-0x00000000008C6000-0x00000000008E5000-memory.dmp  124KB
  memory/3856-151-0x0000000000400000-0x0000000000848000-memory.dmp  4.3MB

- rovwer.exe (PID 2568)
  memory/2568-153-0x0000000000A6A000-0x0000000000A89000-memory.dmp  124KB
  memory/2568-154-0x0000000000400000-0x0000000000848000-memory.dmp  4.3MB

- rovwer.exe (PID 3656)
  memory/3656-159-0x00000000009CA000-0x00000000009E9000-memory.dmp  124KB
  memory/3656-160-0x0000000000400000-0x0000000000848000-memory.dmp  4.3MB

- mapping-only dumps (no memory region captured)
  memory/116-147-0x0000000000000000-mapping.dmp
  memory/224-148-0x0000000000000000-mapping.dmp
  memory/1732-142-0x0000000000000000-mapping.dmp
  memory/2080-155-0x0000000000000000-mapping.dmp
  memory/2908-144-0x0000000000000000-mapping.dmp
  memory/2924-149-0x0000000000000000-mapping.dmp
  memory/3268-146-0x0000000000000000-mapping.dmp
  memory/3428-145-0x0000000000000000-mapping.dmp
  memory/4848-143-0x0000000000000000-mapping.dmp

In every instance of the sample the module mapped at 0x00400000 spans 0x448000 bytes (about 4.3MB) while the file on disk is 279KB, so the virtual image is far larger than the raw image. That gap is consistent with a packed or self-decompressing executable, and the 0x00400000-0x0000000000848000 dumps are the ones to examine for the unpacked code. The 124KB regions at varying addresses (0x009C7000, 0x008C6000, 0x00A6A000, 0x009CA000) are dumped twice for the long-lived PIDs, once early and once late in the run.