Analysis
-
max time kernel
177s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
18-11-2022 22:51
Static task
static1
Behavioral task
behavioral1
  Sample: bff15961c6100bf76db0f20f434cd069.exe
  Resource: win7-20221111-en
Behavioral task
behavioral2
  Sample: bff15961c6100bf76db0f20f434cd069.exe
  Resource: win10v2004-20221111-en
General
-
Target
bff15961c6100bf76db0f20f434cd069.exe
-
Size
221KB
-
MD5
bff15961c6100bf76db0f20f434cd069
-
SHA1
7ffcc4359779c74ca2b78526acbfbd147b097de1
-
SHA256
25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed
-
SHA512
f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6
-
SSDEEP
6144:m8eY52kweddYIRDvxw4rjloyF8ICap6rx:m8efkw+YIRDZGna4
Malware Config
Extracted
Family: amadey
Version: 3.50
C2: 193.56.146.174/g84kvj4jck/index.php
Signatures
-
Detect Amadey credential stealer module 2 IoCs
Processes:
  resource                                                  yara_rule
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll  amadey_cred_module
  C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll  amadey_cred_module
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  57    4296  rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2312  rovwer.exe
  2348  rovwer.exe
  652   rovwer.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                       process
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  rovwer.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  bff15961c6100bf76db0f20f434cd069.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  4296  rundll32.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
Processes:
  description  ioc                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
Processes:
  pid   pid_target  process       target process
  2592  368         WerFault.exe  bff15961c6100bf76db0f20f434cd069.exe
  1420  2348        WerFault.exe  rovwer.exe
  648   652         WerFault.exe  rovwer.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  4296  rundll32.exe
  4296  rundll32.exe
  4296  rundll32.exe
  4296  rundll32.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (each write is recorded three times in the report, giving the 30 IoCs):
  description                          pid   process                               target process
  PID 368 wrote to memory of 2312      368   bff15961c6100bf76db0f20f434cd069.exe  rovwer.exe     (x3)
  PID 2312 wrote to memory of 936      2312  rovwer.exe                            schtasks.exe   (x3)
  PID 2312 wrote to memory of 1620     2312  rovwer.exe                            cmd.exe        (x3)
  PID 1620 wrote to memory of 5076     1620  cmd.exe                               cmd.exe        (x3)
  PID 1620 wrote to memory of 3416     1620  cmd.exe                               cacls.exe      (x3)
  PID 1620 wrote to memory of 4492     1620  cmd.exe                               cacls.exe      (x3)
  PID 1620 wrote to memory of 1360     1620  cmd.exe                               cmd.exe        (x3)
  PID 1620 wrote to memory of 1744     1620  cmd.exe                               cacls.exe      (x3)
  PID 1620 wrote to memory of 3864     1620  cmd.exe                               cacls.exe      (x3)
  PID 2312 wrote to memory of 4296     2312  rovwer.exe                            rundll32.exe   (x3)
-
outlook_win_path 1 IoCs
Processes:
  description  ioc                                                                                                                                                   process
  Key opened   \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
Processes (indentation shows the parent/child tree)
-
C:\Users\Admin\AppData\Local\Temp\bff15961c6100bf76db0f20f434cd069.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bff15961c6100bf76db0f20f434cd069.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
      - Creates scheduled task(s)
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      -
      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "rovwer.exe" /P "Admin:N"
      -
      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "rovwer.exe" /P "Admin:R" /E
      -
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      -
      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\99e342142d" /P "Admin:N"
      -
      C:\Windows\SysWOW64\cacls.exe
        Command line: CACLS "..\99e342142d" /P "Admin:R" /E
    -
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path
  -
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 900
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 368 -ip 368
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  - Executes dropped EXE
  -
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 416
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 2348 -ip 2348
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  - Executes dropped EXE
  -
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 416
    - Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 652 -ip 652
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize: 221KB
MD5: bff15961c6100bf76db0f20f434cd069
SHA1: 7ffcc4359779c74ca2b78526acbfbd147b097de1
SHA256: 25ae1edc4fb4a251433e427c5ba19bf597e242befe7cb836da692f2cbb2949ed
SHA512: f1ec4e7220b65b27456d2d822fd609180d6eb781b08191b7537a972fcbab252ecb41eda85aa85ee783f3eb6fe6cf2c9a5f235eebfbf753af652dded22708d8d6
-
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize: 126KB
MD5: 507e9dc7b9c42f535b6df96d79179835
SHA1: acf41fb549750023115f060071aa5ca8c33f249e
SHA256: 3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af
SHA512: 70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302
-
memory/368-133-0x00000000022D0000-0x000000000230E000-memory.dmp  Filesize: 248KB
-
memory/368-134-0x0000000000400000-0x000000000059C000-memory.dmp  Filesize: 1.6MB
-
memory/368-150-0x0000000000608000-0x0000000000627000-memory.dmp  Filesize: 124KB
-
memory/368-151-0x0000000000400000-0x000000000059C000-memory.dmp  Filesize: 1.6MB
-
memory/368-132-0x0000000000608000-0x0000000000627000-memory.dmp  Filesize: 124KB
-
memory/652-160-0x0000000000400000-0x000000000059C000-memory.dmp  Filesize: 1.6MB
-
memory/652-159-0x000000000061C000-0x000000000063B000-memory.dmp  Filesize: 124KB
-
memory/936-138-0x0000000000000000-mapping.dmp
-
memory/1360-145-0x0000000000000000-mapping.dmp
-
memory/1620-141-0x0000000000000000-mapping.dmp
-
memory/1744-146-0x0000000000000000-mapping.dmp
-
memory/2312-139-0x00000000007F8000-0x0000000000817000-memory.dmp  Filesize: 124KB
-
memory/2312-149-0x0000000000400000-0x000000000059C000-memory.dmp  Filesize: 1.6MB
-
memory/2312-148-0x00000000007F8000-0x0000000000817000-memory.dmp  Filesize: 124KB
-
memory/2312-140-0x0000000000400000-0x000000000059C000-memory.dmp  Filesize: 1.6MB
-
memory/2312-135-0x0000000000000000-mapping.dmp
-
memory/2348-153-0x00000000005BC000-0x00000000005DB000-memory.dmp  Filesize: 124KB
-
memory/2348-154-0x0000000000400000-0x000000000059C000-memory.dmp  Filesize: 1.6MB
-
memory/3416-143-0x0000000000000000-mapping.dmp
-
memory/3864-147-0x0000000000000000-mapping.dmp
-
memory/4296-155-0x0000000000000000-mapping.dmp
-
memory/4492-144-0x0000000000000000-mapping.dmp
-
memory/5076-142-0x0000000000000000-mapping.dmp