Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
21-11-2022 18:27
Static task
static1
Behavioral task
behavioral1
Sample
27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe
Resource
win10v2004-20220812-en
General
-
Target
27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe
-
Size
247KB
-
MD5
47fda80c9b229f2dff4a8ee998ff0cdd
-
SHA1
b33f66efb6503e11bcfc9abf99e3e16ba10adc14
-
SHA256
27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508
-
SHA512
2cdc3914e40ea68e4187b47b42bb099479c661244dd28bd3080b5d747351144809c7d2e23ac350ccd637ea9096b620f027ebe23d2a79bdf78678c5205730a495
-
SSDEEP
3072:vsaNPBwDtcWpCh5KuVeYEemZb7MGdWWX8M90LOnTU60q7KlxbI/HfX:vskru8VeD9Zb7MG4UZH01bYv
Malware Config
Extracted
Family: amadey
Version: 3.50
C2: 193.56.146.194/h49vlBP/index.php
Signatures
-
Detect Amadey credential stealer module (2 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0007000000022e03-147.dat  amadey_cred_module
  behavioral1/files/0x0007000000022e03-148.dat  amadey_cred_module
-
Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  28    4612  rundll32.exe
-
Downloads MZ/PE file
-
Executes dropped EXE (4 IoCs)
  pid   Process
  376   rovwer.exe
  216   rovwer.exe
  4628  rovwer.exe
  4348  rovwer.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  rovwer.exe
-
Loads dropped DLL (1 IoC)
  pid   Process
  4612  rundll32.exe
-
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  description  ioc                                                                                                                                                   Process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the signature's generic description: nothing else in this report points to ransomware, and in this run the drive enumeration accompanies the Amadey credential-stealer module.)
-
Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  1352  4724        WerFault.exe  80
  2804  216         WerFault.exe  87
  1388  4628        WerFault.exe  91
  3636  4348        WerFault.exe  100
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  4904  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4612  rundll32.exe  (4 hits)
-
Suspicious use of WriteProcessMemory (9 IoCs; each parent/child pair is reported three times)
  description                      pid   Process                                                                procid_target  hits
  PID 4724 wrote to memory of 376  4724  27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe  81             3
  PID 376 wrote to memory of 4904  376   rovwer.exe                                                             84             3
  PID 376 wrote to memory of 4612  376   rovwer.exe                                                             90             3
-
outlook_win_path (1 IoC)
  description  ioc                                                                                                                                                   Process
  Key opened   \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  rundll32.exe
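Detection logic for the three behaviours the signatures above flag (a minute-interval schtasks persistence task, rundll32 loading a DLL from a user-writable directory, and the Geo\Nation geofence lookup), as an added example that is not part of the sandbox report or of the Triage product. The events are constructed from the process tree on this page; the event field names (type, pid, image, cmdline, key) are an assumption and would be mapped onto the schema of whatever telemetry (Sysmon, EDR) is actually in use.

```python
"""Added example: behavioural checks run over constructed events modelled on
the report's process tree. Field names are an assumption, not a real schema."""
import re

# Directories an unprivileged user can write to; tune for your environment.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp)\\", re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are literal (shlex in POSIX mode would eat them)."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def user_writable(path):
    return bool(USER_WRITABLE.search(path))


def schtasks_minute_persistence(ev):
    """schtasks /Create with a MINUTE schedule whose /TR target is user-writable."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    args = split_cmdline(ev["cmdline"])
    if "/create" not in {a.lower() for a in args}:
        return None
    opts = {}  # "/sc" -> "MINUTE", "/tr" -> target, ... (valueless flags are skipped)
    for i, a in enumerate(args[:-1]):
        if a.startswith("/") and not args[i + 1].startswith("/"):
            opts[a.lower()] = args[i + 1]
    target = opts.get("/tr", "")
    if opts.get("/sc", "").lower() != "minute" or not user_writable(target):
        return None
    return {"rule": "schtasks_minute_persistence", "pid": ev["pid"],
            "task": opts.get("/tn"), "target": target,
            "every_minutes": int(opts.get("/mo", "1"))}


def rundll32_user_writable_dll(ev):
    """rundll32 invoked on a DLL that lives in a user-writable directory."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return None
    args = split_cmdline(ev["cmdline"])
    if len(args) < 2:
        return None
    # rundll32 syntax is "<dll>,<entry>"; the report shows a space after the comma.
    dll, _, entry = " ".join(args[1:]).partition(",")
    dll, entry = dll.strip(), entry.strip()
    if not dll.lower().endswith(".dll") or not user_writable(dll):
        return None
    return {"rule": "rundll32_user_writable_dll", "pid": ev["pid"],
            "dll": dll, "entry": entry}


def geofence_lookup(ev):
    """A process running from a user-writable path reads Geo\\Nation."""
    if not ev["key"].lower().endswith("\\control panel\\international\\geo\\nation"):
        return None
    if not user_writable(ev["image"]):
        return None
    return {"rule": "geofence_lookup", "pid": ev["pid"], "image": ev["image"]}


PROCESS_RULES = (schtasks_minute_persistence, rundll32_user_writable_dll)
REGISTRY_RULES = (geofence_lookup,)


def triage(events):
    findings = []
    for ev in events:
        rules = PROCESS_RULES if ev["type"] == "process_create" else REGISTRY_RULES
        findings.extend(hit for hit in (rule(ev) for rule in rules) if hit)
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe"
ROVWER = r"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
GEO_KEY = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation"

# Constructed events mirroring the report's tree, plus two benign controls.
EVENTS = [
    {"type": "process_create", "pid": 4724, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "registry_query", "pid": 4724, "image": SAMPLE, "key": GEO_KEY},
    {"type": "process_create", "pid": 376, "image": ROVWER, "cmdline": f'"{ROVWER}"'},
    {"type": "registry_query", "pid": 376, "image": ROVWER, "key": GEO_KEY},
    {"type": "process_create", "pid": 4904, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
                r'/TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F'},
    {"type": "process_create", "pid": 4612, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main'},
    {"type": "process_create", "pid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /TN VendorUpdate /TR "C:\Program Files\Vendor\update.exe"'},
    {"type": "process_create", "pid": 901, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The two benign events (a daily vendor task under Program Files and a stock `shell32.dll,Control_RunDLL` call) are there to show the rules key on the combination of short interval or DLL load with a user-writable path, not on schtasks or rundll32 alone; on real telemetry the `USER_WRITABLE` pattern is the part to tune first.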
Processes
-
C:\Users\Admin\AppData\Local\Temp\27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe  (PID 4724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe  (PID 376)
  |     Command line: "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
  |     - Executes dropped EXE
  |     - Checks computer location settings
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\SysWOW64\schtasks.exe  (PID 4904)
  |     |     Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
  |     |     - Creates scheduled task(s)
  |     |
  |     +-- C:\Windows\SysWOW64\rundll32.exe  (PID 4612)
  |           Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
  |           - Blocklisted process makes network request
  |           - Loads dropped DLL
  |           - Accesses Microsoft Outlook profiles
  |           - Suspicious behavior: EnumeratesProcesses
  |           - outlook_win_path
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1352)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 880
        - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 4120)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4724 -ip 4724

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe  (PID 216)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 2804)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 416
        - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 32)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 216 -ip 216

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe  (PID 4628)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1388)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 424
        - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 1744)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4628 -ip 4628

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe  (PID 4348)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 3636)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 416
        - Program crash

C:\Windows\SysWOW64\WerFault.exe  (PID 4928)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348

Reading the tree: the dropper (PID 4724) writes rovwer.exe to a random-named directory under %TEMP% and runs it; that first copy (PID 376) registers a scheduled task that re-launches it every minute and then hands the credential-stealer DLL to rundll32, which is the only process that makes network requests and touches the Outlook profile key. The later rovwer.exe instances (PIDs 216, 4628, 4348) each appear as a new top-level process and each crashes under WerFault. Note that schtasks.exe and rundll32.exe are requested as C:\Windows\System32\... on the command line but run from C:\Windows\SysWOW64\: that is WOW64 file-system redirection for a 32-bit parent, consistent with the arch:x86 resource tag.
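The schtasks command above leaves a task definition on disk under C:\Windows\System32\Tasks, which is where a responder would look for this persistence after the fact. The following is an added example, not code from the report or from Triage: it parses Task Scheduler XML for a short repetition interval combined with an Exec action in a user-writable directory. The XML namespace is the real Task Scheduler one; the two task definitions are constructed for the example (the rovwer.exe one shows how a `/SC MINUTE /MO 1` task would be expected to serialise, but it was not captured from this run).

```python
"""Added example: hunt scheduled-task XML for short-interval tasks whose
action lives in a user-writable directory. Sample XML below is constructed."""
import codecs
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public)\\", re.IGNORECASE)
# ISO 8601 durations as Task Scheduler writes them, e.g. PT1M, PT12H, P1D.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(text):
    """PT1M -> 60; P1DT2H30M -> 95400; anything else -> None."""
    m = _DURATION.match((text or "").strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def inspect_task(xml_text, max_interval=300):
    """Shortest repetition interval, Exec commands, and a verdict for one task."""
    root = ET.fromstring(xml_text)
    intervals = [duration_seconds(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    commands = [(e.text or "").strip().strip('"')
                for e in root.iterfind(".//t:Actions/t:Exec/t:Command", NS)]
    shortest = min(intervals) if intervals else None
    suspicious = (shortest is not None and shortest <= max_interval
                  and any(USER_WRITABLE.search(c) for c in commands))
    return {"interval": shortest, "commands": commands, "suspicious": suspicious}


def hunt_tasks(task_dir, max_interval=300):
    """Walk a Tasks directory (live or from a mounted image) and return hits."""
    hits = []
    for dirpath, _, files in os.walk(task_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            # Task Scheduler stores task XML as UTF-16 with a BOM.
            utf16 = raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE)
            text = raw.decode("utf-16" if utf16 else "utf-8", errors="replace")
            text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # expat rejects UTF-16 decls on str input
            try:
                result = inspect_task(text, max_interval)
            except ET.ParseError:
                continue
            if result["suspicious"]:
                hits.append((path, result))
    return hits


# Constructed: what a "/SC MINUTE /MO 1 /TR <temp path>" task would look like.
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2022-11-21T18:28:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a daily vendor updater under Program Files, no repetition.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Vendor\update.exe"</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(inspect_task(MALICIOUS_TASK))
    print(inspect_task(BENIGN_TASK))
```

On a live host, `hunt_tasks(r"C:\Windows\System32\Tasks")` needs an elevated prompt; on a forensic image, point it at the mounted Tasks directory. The 300-second threshold is an assumption: legitimate tasks with sub-five-minute repetition exist, so the verdict deliberately requires both the short interval and a command in a user-writable path.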
MITRE ATT&CK Enterprise v6
Downloads
-
Five entries share one set of hashes, identical to the submitted sample (see General):
  Filesize  247KB
  MD5       47fda80c9b229f2dff4a8ee998ff0cdd
  SHA1      b33f66efb6503e11bcfc9abf99e3e16ba10adc14
  SHA256    27a3ea6c85bda6257175fd59e595d0e9610059c7f60d92e392a944e8ddc30508
  SHA512    2cdc3914e40ea68e4187b47b42bb099479c661244dd28bd3080b5d747351144809c7d2e23ac350ccd637ea9096b620f027ebe23d2a79bdf78678c5205730a495
-
Two entries share a second set of hashes:
  Filesize  126KB
  MD5       674cec24e36e0dfaec6290db96dda86e
  SHA1      581e3a7a541cc04641e751fc850d92e07236681f
  SHA256    de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
  SHA512    6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029