Analysis

  max time kernel: 210s
  max time network: 230s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-11-2022 10:10
Static task: static1
General

  Target: 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe
  Size: 209KB
  MD5: 9a557c8759ef2110b4fb56daf43a9376
  SHA1: 178ec11e910999d49f0c51e47ae25c3f60f327e2
  SHA256: 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966
  SHA512: ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a
  SSDEEP: 6144:VLwQ3tESz48VdfPSqnk7e7d/+qvedJe8:VX2SzFVdf6qkkd/zmbe
Malware Config

Extracted
  Family: amadey
  Version: 3.50
  C2: 193.56.146.194/h49vlBP/index.php

Extracted
  Family: laplas
  C2: clipper.guru
  api_key: ace492e9661223449782fcc8096dc6ef6289032d08d03a7b0a92179622c35bdb
Signatures

Detect Amadey credential stealer module (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll | amadey_cred_module
  C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll | amadey_cred_module

Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  67 | 3208 | rundll32.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  3760 | rovwer.exe
  2504 | rovwer.exe
  1916 | rovwer.exe
  2224 | gala.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | rovwer.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  3208 | rundll32.exe

Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (3 IoCs)
Processes:
  pid | pid_target | process | target process
  4320 | 2320 | WerFault.exe | 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe
  3508 | 2504 | WerFault.exe | rovwer.exe
  3512 | 1916 | WerFault.exe | rovwer.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  3208 | rundll32.exe
  3208 | rundll32.exe
  3208 | rundll32.exe
  3208 | rundll32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 2320 wrote to memory of 3760 | 2320 | 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe | rovwer.exe
  PID 2320 wrote to memory of 3760 | 2320 | 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe | rovwer.exe
  PID 2320 wrote to memory of 3760 | 2320 | 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe | rovwer.exe
  PID 3760 wrote to memory of 760 | 3760 | rovwer.exe | schtasks.exe
  PID 3760 wrote to memory of 760 | 3760 | rovwer.exe | schtasks.exe
  PID 3760 wrote to memory of 760 | 3760 | rovwer.exe | schtasks.exe
  PID 3760 wrote to memory of 3208 | 3760 | rovwer.exe | rundll32.exe
  PID 3760 wrote to memory of 3208 | 3760 | rovwer.exe | rundll32.exe
  PID 3760 wrote to memory of 3208 | 3760 | rovwer.exe | rundll32.exe
  PID 3760 wrote to memory of 2224 | 3760 | rovwer.exe | gala.exe
  PID 3760 wrote to memory of 2224 | 3760 | rovwer.exe | gala.exe
  PID 3760 wrote to memory of 2224 | 3760 | rovwer.exe | gala.exe

outlook_win_path (1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Processes

Indentation shows the process tree depth; PIDs are taken from the signature tables above.

C:\Users\Admin\AppData\Local\Temp\8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe (PID 2320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 3760)
    Command line: "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 760)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\rundll32.exe (PID 3208)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll, Main
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - outlook_win_path

    C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe (PID 2224)
      Command line: "C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe"
      - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 904
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2320 -ip 2320

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 2504)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 420
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2504 -ip 2504

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 1916)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  - Executes dropped EXE

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 420
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1916 -ip 1916
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\1000147001\gala.exe
  Filesize: 2.2MB
  MD5: 08f22a3693c2368a29dff26e7246b74a
  SHA1: f7100b6e13c67ef57c9b8c841fb12ea3668b1cfd
  SHA256: a3bde8f159c8b68f5b84249258ff3bf4bc6594820bf25a053e4b61eb913aebd1
  SHA512: 6b651b6e2265da83d4c38c5d4f2006f01ebfd298a89746104bd1982908bfc8b4023cbe121d72fc253c949924ecff404a66b42deed6cc7e0efc2dc0964d59ee69

C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (identical hashes to the submitted sample)
  Filesize: 209KB
  MD5: 9a557c8759ef2110b4fb56daf43a9376
  SHA1: 178ec11e910999d49f0c51e47ae25c3f60f327e2
  SHA256: 8fbe5f67479fc7a6532536299c765c41286c9b5347a8b6eded059d35dc218966
  SHA512: ecf57244634a298de0fecf9765ef15d344ddd87d203e2df742d4cbed0e48c4a9d238b0be7e7ed8d9061a8822706846d7d29029e93fabfd604866bfbbf4f4643a

C:\Users\Admin\AppData\Roaming\bf045808586a24\cred64.dll
  Filesize: 126KB
  MD5: 674cec24e36e0dfaec6290db96dda86e
  SHA1: 581e3a7a541cc04641e751fc850d92e07236681f
  SHA256: de81531468982b689451e85d249214d0aa484e2ffedfd32c58d43cf879f29ded
  SHA512: 6d9898169073c240fe454bd45065fd7dc8458f1d323925b57eb58fa4305bb0d5631bbceb61835593b225e887e0867186ef637c440460279378cb29e832066029

Memory dumps (one line per region):
  memory/760-139-0x0000000000000000-mapping.dmp
  memory/1916-153-0x000000000056F000-0x000000000058E000-memory.dmp  Filesize: 124KB
  memory/1916-161-0x000000000056F000-0x000000000058E000-memory.dmp  Filesize: 124KB
  memory/1916-156-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
  memory/2224-158-0x00000000024E1000-0x0000000002700000-memory.dmp  Filesize: 2.1MB
  memory/2224-154-0x0000000000000000-mapping.dmp
  memory/2224-162-0x0000000000400000-0x00000000008CB000-memory.dmp  Filesize: 4.8MB
  memory/2224-160-0x0000000000400000-0x00000000008CB000-memory.dmp  Filesize: 4.8MB
  memory/2224-159-0x0000000002710000-0x0000000002BA9000-memory.dmp  Filesize: 4.6MB
  memory/2320-148-0x000000000077D000-0x000000000079C000-memory.dmp  Filesize: 124KB
  memory/2320-133-0x00000000005B0000-0x00000000005EE000-memory.dmp  Filesize: 248KB
  memory/2320-138-0x000000000077D000-0x000000000079C000-memory.dmp  Filesize: 124KB
  memory/2320-134-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
  memory/2320-132-0x000000000077D000-0x000000000079C000-memory.dmp  Filesize: 124KB
  memory/2320-143-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
  memory/2504-147-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
  memory/2504-146-0x000000000065F000-0x000000000067E000-memory.dmp  Filesize: 124KB
  memory/3208-149-0x0000000000000000-mapping.dmp
  memory/3760-135-0x0000000000000000-mapping.dmp
  memory/3760-140-0x00000000004CC000-0x00000000004EB000-memory.dmp  Filesize: 124KB
  memory/3760-142-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
  memory/3760-141-0x0000000001F90000-0x0000000001FCE000-memory.dmp  Filesize: 248KB
  memory/3760-144-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB