Analysis
- max time kernel: 114s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-11-2022 14:45
Static task: static1
Behavioral task: behavioral1
- Sample: 1f32d31312ef205531030ae0cb1bcd78.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 1f32d31312ef205531030ae0cb1bcd78.exe
- Resource: win10v2004-20220812-en
General
- Target: 1f32d31312ef205531030ae0cb1bcd78.exe
- Size: 222KB
- MD5: 1f32d31312ef205531030ae0cb1bcd78
- SHA1: dd09f691719633623397985e85fc2af01ee99158
- SHA256: 845d58361d94e714e6c56e856513d5717b9d846939f586c09c728d70440e7137
- SHA512: e43a73edef0867888b6ec23e987d6cc9fba1a26151e1d5f3933e1e703658ad3b4098a58d060bb4a9d3d5393395b2f7067be14c7f55b0569d9c29adbe39579742
- SSDEEP: 3072:1qiVocKJs1Pc5FGFgH1jgXSKGQMzDrhC5GmljhvmTsO+sWnxGR96UDcD:1PPWsMLjeGaGml9mTsp0R96U
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- C2: 193.56.146.174/g84kvj4jck/index.php
Signatures
- Detect Amadey credential stealer module (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
    C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll | amadey_cred_module
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    60 | 4004 | rundll32.exe
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    4988 | rovwer.exe
    1272 | rovwer.exe
    1796 | rovwer.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 1f32d31312ef205531030ae0cb1bcd78.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | rovwer.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    4004 | rundll32.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target the stored data of messaging applications, which can include saved credentials and account information.
- Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (3 IoCs)
  Processes (pid | pid_target | process | target process):
    4020 | 676 | WerFault.exe | 1f32d31312ef205531030ae0cb1bcd78.exe
    4132 | 1272 | WerFault.exe | rovwer.exe
    2788 | 1796 | WerFault.exe | rovwer.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    4004 | rundll32.exe (4 events)
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description | pid | process | target process), each event recorded 3 times:
    PID 676 wrote to memory of 4988 | 676 | 1f32d31312ef205531030ae0cb1bcd78.exe | rovwer.exe
    PID 4988 wrote to memory of 4712 | 4988 | rovwer.exe | schtasks.exe
    PID 4988 wrote to memory of 2112 | 4988 | rovwer.exe | cmd.exe
    PID 2112 wrote to memory of 1468 | 2112 | cmd.exe | cmd.exe
    PID 2112 wrote to memory of 3440 | 2112 | cmd.exe | cacls.exe
    PID 2112 wrote to memory of 176 | 2112 | cmd.exe | cacls.exe
    PID 2112 wrote to memory of 220 | 2112 | cmd.exe | cmd.exe
    PID 2112 wrote to memory of 228 | 2112 | cmd.exe | cacls.exe
    PID 2112 wrote to memory of 796 | 2112 | cmd.exe | cacls.exe
    PID 4988 wrote to memory of 4004 | 4988 | rovwer.exe | rundll32.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1f32d31312ef205531030ae0cb1bcd78.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f32d31312ef205531030ae0cb1bcd78.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "rovwer.exe" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "rovwer.exe" /P "Admin:R" /E
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\99e342142d" /P "Admin:N"
      - C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\99e342142d" /P "Admin:R" /E
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Accesses Microsoft Outlook profiles; Suspicious behavior: EnumeratesProcesses; outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 1136
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 676 -ip 676
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 416
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1272 -ip 1272
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 416
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1796 -ip 1796
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Filesize: 222KB
  MD5: 1f32d31312ef205531030ae0cb1bcd78
  SHA1: dd09f691719633623397985e85fc2af01ee99158
  SHA256: 845d58361d94e714e6c56e856513d5717b9d846939f586c09c728d70440e7137
  SHA512: e43a73edef0867888b6ec23e987d6cc9fba1a26151e1d5f3933e1e703658ad3b4098a58d060bb4a9d3d5393395b2f7067be14c7f55b0569d9c29adbe39579742
- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 126KB
  MD5: 507e9dc7b9c42f535b6df96d79179835
  SHA1: acf41fb549750023115f060071aa5ca8c33f249e
  SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
  SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
- memory/176-144-0x0000000000000000-mapping.dmp
- memory/220-145-0x0000000000000000-mapping.dmp
- memory/228-146-0x0000000000000000-mapping.dmp
- memory/676-140-0x0000000000400000-0x000000000059C000-memory.dmp (Filesize: 1.6MB)
- memory/676-132-0x00000000006D8000-0x00000000006F7000-memory.dmp (Filesize: 124KB)
- memory/676-133-0x00000000022E0000-0x000000000231E000-memory.dmp (Filesize: 248KB)
- memory/676-134-0x0000000000400000-0x000000000059C000-memory.dmp (Filesize: 1.6MB)
- memory/676-138-0x00000000006D8000-0x00000000006F7000-memory.dmp (Filesize: 124KB)
- memory/796-147-0x0000000000000000-mapping.dmp
- memory/1272-152-0x000000000074C000-0x000000000076B000-memory.dmp (Filesize: 124KB)
- memory/1272-153-0x0000000000400000-0x000000000059C000-memory.dmp (Filesize: 1.6MB)
- memory/1468-142-0x0000000000000000-mapping.dmp
- memory/1796-159-0x0000000000400000-0x000000000059C000-memory.dmp (Filesize: 1.6MB)
- memory/1796-158-0x000000000061C000-0x000000000063B000-memory.dmp (Filesize: 124KB)
- memory/2112-141-0x0000000000000000-mapping.dmp
- memory/3440-143-0x0000000000000000-mapping.dmp
- memory/4004-154-0x0000000000000000-mapping.dmp
- memory/4712-139-0x0000000000000000-mapping.dmp
- memory/4988-135-0x0000000000000000-mapping.dmp
- memory/4988-150-0x0000000000400000-0x000000000059C000-memory.dmp (Filesize: 1.6MB)
- memory/4988-149-0x0000000000400000-0x000000000059C000-memory.dmp (Filesize: 1.6MB)
- memory/4988-148-0x0000000000838000-0x0000000000857000-memory.dmp (Filesize: 124KB)