Analysis
- max time kernel: 113s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-11-2022 08:22
- Static task: static1
- Behavioral task: behavioral1 (Sample: 28bf368178051f91e19150c4e52806cc.exe, Resource: win7-20220901-en)
- Behavioral task: behavioral2 (Sample: 28bf368178051f91e19150c4e52806cc.exe, Resource: win10v2004-20220812-en)
General
- Target: 28bf368178051f91e19150c4e52806cc.exe
- Size: 271KB
- MD5: 28bf368178051f91e19150c4e52806cc
- SHA1: 6afc716814857c04fdfb301be034aeeaa6b4f5ac
- SHA256: b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
- SHA512: a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
- SSDEEP: 6144:klCLhTz/OOMwtbSErRXIYU0UD1CkcLjTwGUUs:k8Nz/OwbSIq0yC137UF
Malware Config
Signatures
-
Detect Amadey credential stealer module (2 IoCs)
YARA rule amadey_cred_module matched C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll (two matches on the same file)
-
Blocklisted process makes network request (1 IoC)
flow 40, PID 2684 rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
PID 4928 rovwer.exe, PID 1028 rovwer.exe, PID 3076 rovwer.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, first by 28bf368178051f91e19150c4e52806cc.exe and again by rovwer.exe
-
Loads dropped DLL (1 IoC)
PID 2684 rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, by rundll32.exe (PID 2684, the process hosting cred64.dll)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; nothing else in this report (no file encryption, no ransom note, no mass file writes) supports that, and in a run whose payload is the Amadey credential module the drive enumeration is better read as host profiling. Treat the label as the sandbox's heuristic, not a verdict.
-
Program crash (3 IoCs)
PID 808 WerFault.exe for target PID 1048 28bf368178051f91e19150c4e52806cc.exe; PID 4168 WerFault.exe for target PID 1028 rovwer.exe; PID 5060 WerFault.exe for target PID 3076 rovwer.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here rovwer.exe (PID 4928) registers a task named rovwer.exe that runs C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe every minute (schtasks /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "..." /F; see the process tree). The two later top-level rovwer.exe instances (PIDs 1028 and 3076) that crash under WerFault are consistent with this task firing.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID 2684 rundll32.exe (4 events)
-
Suspicious use of WriteProcessMemory (30 IoCs)
Each parent -> child pair below was recorded three times (10 pairs, 30 IoCs):
PID 1048 28bf368178051f91e19150c4e52806cc.exe -> PID 4928 rovwer.exe
PID 4928 rovwer.exe -> PID 2032 schtasks.exe
PID 4928 rovwer.exe -> PID 2332 cmd.exe
PID 2332 cmd.exe -> PID 2404 cmd.exe
PID 2332 cmd.exe -> PID 4712 cacls.exe
PID 2332 cmd.exe -> PID 212 cacls.exe
PID 2332 cmd.exe -> PID 116 cmd.exe
PID 2332 cmd.exe -> PID 312 cacls.exe
PID 2332 cmd.exe -> PID 4032 cacls.exe
PID 4928 rovwer.exe -> PID 2684 rundll32.exe
-
outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, by rundll32.exe
Processes
Indentation shows parent/child depth (the report's 1⤵ to 4⤵ levels); each entry gives the image path, then the command line, then the signatures tagged on that process. Image paths read C:\Windows\SysWOW64\... while the command lines say System32: the sample is 32-bit, so WOW64 file system redirection maps its System32 references to SysWOW64. PIDs are taken from the signature tables where they are unambiguous.

C:\Users\Admin\AppData\Local\Temp\28bf368178051f91e19150c4e52806cc.exe (PID 1048)
  "C:\Users\Admin\AppData\Local\Temp\28bf368178051f91e19150c4e52806cc.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (PID 4928)
      "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe (PID 2032)
          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe (PID 2332)
          "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe
              CACLS "rovwer.exe" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe
              CACLS "..\99e342142d" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe
              CACLS "..\99e342142d" /P "Admin:R" /E
            C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe
              CACLS "rovwer.exe" /P "Admin:R" /E
        C:\Windows\SysWOW64\rundll32.exe (PID 2684)
          "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
          - Blocklisted process makes network request
          - Loads dropped DLL
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - outlook_win_path
    C:\Windows\SysWOW64\WerFault.exe (PID 808)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1284
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1048 -ip 1048
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (PID 1028)
  C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 4168)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 416
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1028 -ip 1028
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (PID 3076)
  C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 5060)
      C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 416
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3076 -ip 3076
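The process tree above is exactly the kind of telemetry a detection rule runs over, so here is the check a practitioner would want: three rules for the persistence, ACL tampering and credential-module load, run over process-creation events. This is an added example, not part of the Triage report or of the Amadey sample. The events are constructed from the PIDs and command lines on this page (the PIDs of the cacls.exe children are inferred by matching the WriteProcessMemory table's creation order to the left-to-right && chain, plus two invented benign rows as negative controls), and the rule names and the "user-writable path" heuristic are the editor's, not sandbox signatures.

```python
"""Detection rules for the Amadey behaviours shown in the process tree above.

Added example; not part of the Triage report or of the Amadey sample.
Events are constructed from the PIDs and command lines on the page, plus two
benign rows invented as negative controls.  Rule names and the user-writable
path heuristic are the editor's, not sandbox signatures.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image path as created (SysWOW64 because of 32-bit redirection)
    cmdline: str


# Paths a standard user can write to; a task action or a DLL loaded from
# here is the signal all three rules key on.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)

# Constructed from the "Processes" tree.  PIDs of the cacls.exe children come
# from the WriteProcessMemory table's creation order matched to the && chain
# (an inference; the report does not state the mapping explicitly).
EVENTS = [
    ProcEvent(1048, 0, r"C:\Users\Admin\AppData\Local\Temp\28bf368178051f91e19150c4e52806cc.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\28bf368178051f91e19150c4e52806cc.exe"'),
    ProcEvent(4928, 1048, r"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"'),
    ProcEvent(2032, 4928, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
              r'/TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F'),
    ProcEvent(2332, 4928, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E'
              r'&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit'),
    ProcEvent(4712, 2332, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "rovwer.exe" /P "Admin:N"'),
    ProcEvent(212, 2332, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "rovwer.exe" /P "Admin:R" /E'),
    ProcEvent(312, 2332, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\99e342142d" /P "Admin:N"'),
    ProcEvent(4032, 2332, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\99e342142d" /P "Admin:R" /E'),
    ProcEvent(2684, 4928, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main'),
    # Negative controls (constructed, not from the report): must not fire.
    ProcEvent(7001, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\run.exe" /F'),
    ProcEvent(7002, 900, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev, by_pid):
    """Parent chain of ev, nearest first (stops at an unknown or cyclic PID)."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def rule_schtasks_minute(ev):
    """Task created with a MINUTE trigger whose action lives in a user-writable path."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    sc = re.search(r"/SC\s+(\w+)", ev.cmdline, re.I)
    tr = re.search(r'/TR\s+"?([^"]+?)"?(?:\s+/|$)', ev.cmdline, re.I)
    tn = re.search(r'/TN\s+"?([^"\s]+)', ev.cmdline, re.I)
    if not (sc and tr) or sc.group(1).upper() != "MINUTE" or not USER_WRITABLE.search(tr.group(1)):
        return None
    return f"schtasks MINUTE trigger, task {tn.group(1) if tn else '?'} -> {tr.group(1)}"


def rule_cacls_self_deny(ev, by_pid):
    """cacls/icacls setting ':N' (no access) for a user, launched on behalf of a
    process that itself runs from a user-writable path: the malware locking its
    own file and directory against the logged-on user."""
    if _basename(ev.image) not in ("cacls.exe", "icacls.exe"):
        return None
    deny = re.search(r'/P\s+"?([^"\s]+):N"?', ev.cmdline, re.I)
    if not deny:
        return None
    origin = next((a for a in ancestors(ev, by_pid) if USER_WRITABLE.search(a.image)), None)
    if origin is None:
        return None
    target = re.search(r'cacls(?:\.exe)?"?\s+"?([^"]+?)"?\s+/', ev.cmdline, re.I)
    return (f"deny ACE for {deny.group(1)} on {target.group(1) if target else '?'} "
            f"set on behalf of PID {origin.pid} ({_basename(origin.image)})")


def rule_rundll32_userprofile(ev):
    """rundll32 handed a DLL under a user-writable path (here cred64.dll, export Main)."""
    if _basename(ev.image) != "rundll32.exe":
        return None
    m = re.search(r'rundll32\.exe"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', ev.cmdline, re.I)
    if not m or not USER_WRITABLE.search(m.group("dll")):
        return None
    return f"rundll32 loaded {m.group('dll')} export {m.group('export')}"


def scan(events):
    """Run every rule over every event; returns (rule, pid, detail) tuples in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for name, hit in (("amadey_schtasks_minute", rule_schtasks_minute(ev)),
                          ("amadey_cacls_self_deny", rule_cacls_self_deny(ev, by_pid)),
                          ("rundll32_userprofile_dll", rule_rundll32_userprofile(ev))):
            if hit:
                findings.append((name, ev.pid, hit))
    return findings


if __name__ == "__main__":
    for name, pid, detail in scan(EVENTS):
        print(f"{name:26} pid={pid:<5} {detail}")
```

Run against the constructed events this reports four findings (the schtasks task, the two "Admin:N" cacls calls, and the cred64.dll load) and stays quiet on the two benign rows. The cacls rule deliberately keys on the ancestor running from a user-writable path rather than on cacls alone, because administrators do use cacls; the Amadey tell is a Temp-resident binary stripping the interactive user's own access to itself. When cleaning up, remember that the user still owns those files, so `icacls <path> /reset` from that account (or an elevated prompt) restores the inherited ACL before the task and the directory are removed.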
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe (the report lists this file four times with identical hashes)
Filesize: 271KB
MD5: 28bf368178051f91e19150c4e52806cc
SHA1: 6afc716814857c04fdfb301be034aeeaa6b4f5ac
SHA256: b5c70be2efa234a02e2becde40c95f71a35a3b8b528487a0d75619e4f0c6cf16
SHA512: a46179ee5d345a45e58bdffe84e2a3620bd7cbc5f5ac970be23d5fcdff3308bfeddfdcdc6640a598946e290af9d4f1d14370e7eef9f7fa53811e71a1a73556c6
Size and all four hashes match the submitted sample: rovwer.exe is a byte-for-byte copy of the sample placed in a random-named Temp directory, not a second-stage download.
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll (the report lists this file twice with identical hashes)
Filesize: 126KB
MD5: 507e9dc7b9c42f535b6df96d79179835
SHA1: acf41fb549750023115f060071aa5ca8c33f249e
SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
Memory dumps (filename encodes PID, sequence number and address range; the 0x00400000-0x00847000 region recurs in every instance of the sample and rovwer.exe, PIDs 1048, 4928, 1028 and 3076, which is the same 32-bit image mapped at its default base):
- memory/116-147-0x0000000000000000-mapping.dmp
- memory/212-146-0x0000000000000000-mapping.dmp
- memory/312-148-0x0000000000000000-mapping.dmp
- memory/1028-153-0x0000000000ABA000-0x0000000000AD9000-memory.dmp (124KB)
- memory/1028-154-0x0000000000400000-0x0000000000847000-memory.dmp (4.3MB)
- memory/1048-139-0x0000000000400000-0x0000000000847000-memory.dmp (4.3MB)
- memory/1048-133-0x0000000000960000-0x000000000099E000-memory.dmp (248KB)
- memory/1048-134-0x0000000000400000-0x0000000000847000-memory.dmp (4.3MB)
- memory/1048-132-0x0000000000B77000-0x0000000000B96000-memory.dmp (124KB)
- memory/1048-138-0x0000000000B77000-0x0000000000B96000-memory.dmp (124KB)
- memory/2032-141-0x0000000000000000-mapping.dmp
- memory/2332-143-0x0000000000000000-mapping.dmp
- memory/2404-144-0x0000000000000000-mapping.dmp
- memory/2684-155-0x0000000000000000-mapping.dmp
- memory/3076-159-0x000000000091A000-0x0000000000939000-memory.dmp (124KB)
- memory/3076-160-0x0000000000400000-0x0000000000847000-memory.dmp (4.3MB)
- memory/4032-149-0x0000000000000000-mapping.dmp
- memory/4712-145-0x0000000000000000-mapping.dmp
- memory/4928-150-0x0000000000B56000-0x0000000000B75000-memory.dmp (124KB)
- memory/4928-151-0x0000000000400000-0x0000000000847000-memory.dmp (4.3MB)
- memory/4928-140-0x0000000000B56000-0x0000000000B75000-memory.dmp (124KB)
- memory/4928-142-0x0000000000400000-0x0000000000847000-memory.dmp (4.3MB)
- memory/4928-135-0x0000000000000000-mapping.dmp