Analysis

max time kernel: 179s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 11:26

Static task: static1
Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20220812-en
General

Target: file.exe
Size: 233KB
MD5: 4149b7ced64c1cb7517446aab862ceed
SHA1: aacbf47e0f15775f3c35b4c0cd39861534bb4559
SHA256: 5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
SHA512: cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170
SSDEEP: 6144:G5FBs/1/P03oPswvDwJwohllMN+bW3VCf:GzB+9P0YPsw7wxhjXbWlCf
Malware Config

Extracted
Family: amadey
Version: 3.50
C2: 193.56.146.174/g84kvj4jck/index.php
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  4312  rovwer.exe
  3780  rovwer.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Description        IoC                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation   file.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation   rovwer.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (4 IoCs)
Processes:
  PID   PID target  Process       Target process
  1512  2216        WerFault.exe  file.exe
  1608  3780        WerFault.exe  rovwer.exe
  4572  2216        WerFault.exe  file.exe
  4556  3780        WerFault.exe  rovwer.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (each row below was recorded three times in the report, 27 entries in total):
  Description      PID   Process     Target PID  Target process
  wrote to memory  2216  file.exe    4312        rovwer.exe
  wrote to memory  4312  rovwer.exe  4228        schtasks.exe
  wrote to memory  4312  rovwer.exe  2408        cmd.exe
  wrote to memory  2408  cmd.exe     1808        cmd.exe
  wrote to memory  2408  cmd.exe     4864        cacls.exe
  wrote to memory  2408  cmd.exe     4240        cacls.exe
  wrote to memory  2408  cmd.exe     2244        cmd.exe
  wrote to memory  2408  cmd.exe     440         cacls.exe
  wrote to memory  2408  cmd.exe     1132        cacls.exe
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2216
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
      PID: 4312
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
          PID: 4228
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
          PID: 2408
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 1808

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "rovwer.exe" /P "Admin:N"
              PID: 4864

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "rovwer.exe" /P "Admin:R" /E
              PID: 4240

            C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
              PID: 2244

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\99e342142d" /P "Admin:N"
              PID: 440

            C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\99e342142d" /P "Admin:R" /E
              PID: 1132

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 904
      PID: 1512
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1288
      PID: 4572
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2216 -ip 2216
  PID: 2092

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
  PID: 3780
  - Executes dropped EXE

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 416
      PID: 1608
      - Program crash

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 424
      PID: 4556
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3780 -ip 3780
  PID: 1932

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2216 -ip 2216
  PID: 1496

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3780 -ip 3780
  PID: 2700
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 233KB
MD5: 4149b7ced64c1cb7517446aab862ceed
SHA1: aacbf47e0f15775f3c35b4c0cd39861534bb4559
SHA256: 5ba7ff89a3887877e42f64edd509686f5e0920d5b5c2b1de219014b771810288
SHA512: cae9f023f97ee98d50fcd4d1a04f7c913c9e37bf85f1ee57f847dfcc3e11fce1c67dd74d571e0f9786150b55bc9ddecdbdba23efee50885815e142fa4f654170