Analysis Overview
SHA256
bc946f88dbdf73882b2b857c3f2bb4c21c39340dfc390ddd31d963b6a0bfe000
Threat Level: Known bad
The file bc946f88dbdf73882b2b857c3f2bb4c21c39340dfc390ddd31d963b6a0bfe000 was found to be: Known bad.
Malicious Activity Summary
Amadey
Amadey family
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 23:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 23:20
Reported
2024-11-09 23:22
Platform
win7-20240708-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Amadey
Amadey family
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe
"C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe"
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
C:\Windows\system32\taskeng.exe
taskeng.exe {FF35E456-8127-47C3-A13F-EE462D3A3C55} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
Files
memory/1724-1-0x0000000000C50000-0x0000000000D50000-memory.dmp
memory/1724-2-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1724-3-0x0000000000400000-0x0000000000442000-memory.dmp
\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
| Hash | Value |
|---|---|
| MD5 | 386d654392d2b43963377d022d51b7db |
| SHA1 | 75d1ede968f8ec61f450100b87b6bee850086f17 |
| SHA256 | 75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954 |
| SHA512 | b24f565d3336ac3f7e07c50c8e8313deda29db3f13b55a1d58eb1cfdb3be1b967db88a309fc3a686cc1af31b87efc98b7c09c7d5e161d069fdc1759910024286 |
memory/1724-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1724-15-0x0000000000220000-0x000000000025E000-memory.dmp
memory/1724-14-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2692-19-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2692-21-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2692-25-0x0000000000400000-0x0000000000AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\551809350426
| Hash | Value |
|---|---|
| MD5 | 515eb4615e5ecad7e703f0b386ce629e |
| SHA1 | 4ed04b54eaab30624c3a32bc0758e5574a266b7f |
| SHA256 | 32384eedeb37702373d928136d38b7d2af5f5361c100933526ac5eba80b0e3ae |
| SHA512 | d3ad13fd1735673aa6c6a4877e1153dc8f745e65d2c270aad6101e4fed1b04a04c6965e513901c363bfc64716b0a9e2dc2afbfe5ff39e8dbba037322eccf210a |
memory/2692-35-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2836-38-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2692-39-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2692-43-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/588-47-0x0000000000400000-0x0000000000AE6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 23:20
Reported
2024-11-09 23:22
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
138s
Command Line
Signatures
Amadey
Amadey family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2464 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe |
| PID 2464 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe |
| PID 2464 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe |
| PID 116 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 116 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 116 wrote to memory of 4264 | N/A | C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe
"C:\Users\Admin\AppData\Local\Temp\75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954.exe"
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2464 -ip 2464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1260
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 416
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2072 -ip 2072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 424
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.194:80 | | tcp |
| FR | 193.56.146.194:80 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| FR | 193.56.146.194:80 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| FR | 193.56.146.194:80 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FR | 193.56.146.194:80 | | tcp |
Files
memory/2464-1-0x0000000000CB0000-0x0000000000DB0000-memory.dmp
memory/2464-2-0x0000000002850000-0x000000000288E000-memory.dmp
memory/2464-3-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
| Hash | Value |
|---|---|
| MD5 | 386d654392d2b43963377d022d51b7db |
| SHA1 | 75d1ede968f8ec61f450100b87b6bee850086f17 |
| SHA256 | 75db6a858e026323928c3da4d067bbb7a8056f7c21d3f5b20f34e5e46d26d954 |
| SHA512 | b24f565d3336ac3f7e07c50c8e8313deda29db3f13b55a1d58eb1cfdb3be1b967db88a309fc3a686cc1af31b87efc98b7c09c7d5e161d069fdc1759910024286 |
memory/2464-14-0x0000000002850000-0x000000000288E000-memory.dmp
memory/2464-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2464-13-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/116-17-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/116-18-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/116-23-0x0000000000400000-0x0000000000AE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\089630652159
| Hash | Value |
|---|---|
| MD5 | 21c2e733fd149d1bfd720bfca8799d04 |
| SHA1 | 4bb18462b330b9743b39367e6cbb072bd21714eb |
| SHA256 | 9172c7b2afdb0f9c06fa524b5bd6b1e0e64f1b704ae7104104527941be35738a |
| SHA512 | 6a63ad75a0bccd261f9b91a1c301875f248da821263a9c6ab7944ae5fdf55c747a2f7352ba0367b35dc16ff27d45c39d61cf4e7f5f70da76347e1d5cad37303d |
memory/116-31-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/5020-36-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/116-37-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/116-39-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/2072-45-0x0000000000400000-0x0000000000AE6000-memory.dmp
memory/116-47-0x0000000000400000-0x0000000000AE6000-memory.dmp