Analysis
-
max time kernel
113s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17-11-2022 08:22
General
-
Target
28bf368178051f91e19150c4e52806cc.exe
-
Size
271KB
-
MD5
28bf368178051f91e19150c4e52806cc
-
SHA1
6afc716814857c04fdfb301be034aeeaa6b4f5ac
-
SHA256
b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
-
SHA512
a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
-
SSDEEP
6144:klCLhTz/OOMwtbSErRXIYU0UD1CkcLjTwGUUs:k8Nz/OwbSIq0yC137UF
Malware Config
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Detect Amadey credential stealer module 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\28bf368178051f91e19150c4e52806cc.exe"C:\Users\Admin\AppData\Local\Temp\28bf368178051f91e19150c4e52806cc.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:N"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\99e342142d" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"4⤵
-
C:\Windows\SysWOW64\cacls.exeCACLS "rovwer.exe" /P "Admin:R" /E4⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 12842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1048 -ip 10481⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1028 -ip 10281⤵
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeC:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 4162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3076 -ip 30761⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
271KB
MD528bf368178051f91e19150c4e52806cc
SHA16afc716814857c04fdfb301be034aeeaa6b4f5ac
SHA256b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
SHA512a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
271KB
MD528bf368178051f91e19150c4e52806cc
SHA16afc716814857c04fdfb301be034aeeaa6b4f5ac
SHA256b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
SHA512a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
271KB
MD528bf368178051f91e19150c4e52806cc
SHA16afc716814857c04fdfb301be034aeeaa6b4f5ac
SHA256b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
SHA512a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exeFilesize
271KB
MD528bf368178051f91e19150c4e52806cc
SHA16afc716814857c04fdfb301be034aeeaa6b4f5ac
SHA256b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
SHA512a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dllFilesize
126KB
MD5507e9dc7b9c42f535b6df96d79179835
SHA1acf41fb549750023115f060071aa5ca8c33f249e
SHA2563b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA51270907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
memory/116-147-0x0000000000000000-mapping.dmp
-
memory/212-146-0x0000000000000000-mapping.dmp
-
memory/312-148-0x0000000000000000-mapping.dmp
-
memory/1028-153-0x0000000000ABA000-0x0000000000AD9000-memory.dmpFilesize
124KB
-
memory/1028-154-0x0000000000400000-0x0000000000847000-memory.dmpFilesize
4.3MB
-
memory/1048-139-0x0000000000400000-0x0000000000847000-memory.dmpFilesize
4.3MB
-
memory/1048-133-0x0000000000960000-0x000000000099E000-memory.dmpFilesize
248KB
-
memory/1048-134-0x0000000000400000-0x0000000000847000-memory.dmpFilesize
4.3MB
-
memory/1048-132-0x0000000000B77000-0x0000000000B96000-memory.dmpFilesize
124KB
-
memory/1048-138-0x0000000000B77000-0x0000000000B96000-memory.dmpFilesize
124KB
-
memory/2032-141-0x0000000000000000-mapping.dmp
-
memory/2332-143-0x0000000000000000-mapping.dmp
-
memory/2404-144-0x0000000000000000-mapping.dmp
-
memory/2684-155-0x0000000000000000-mapping.dmp
-
memory/3076-159-0x000000000091A000-0x0000000000939000-memory.dmpFilesize
124KB
-
memory/3076-160-0x0000000000400000-0x0000000000847000-memory.dmpFilesize
4.3MB
-
memory/4032-149-0x0000000000000000-mapping.dmp
-
memory/4712-145-0x0000000000000000-mapping.dmp
-
memory/4928-150-0x0000000000B56000-0x0000000000B75000-memory.dmpFilesize
124KB
-
memory/4928-151-0x0000000000400000-0x0000000000847000-memory.dmpFilesize
4.3MB
-
memory/4928-140-0x0000000000B56000-0x0000000000B75000-memory.dmpFilesize
124KB
-
memory/4928-142-0x0000000000400000-0x0000000000847000-memory.dmpFilesize
4.3MB
-
memory/4928-135-0x0000000000000000-mapping.dmp