Analysis
- max time kernel: 145s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2024 23:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
- Resource: win7-20241010-en
General
- Target: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe
- Size: 212KB
- MD5: f57c2b72ee75c357a12ce03a08be95b8
- SHA1: c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249
- SHA256: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2
- SHA512: 59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da
- SSDEEP: 3072:qeJLLpTnq5URrqNqYd31LgpI01TEr4J6anBbkPzHM38ad:zLLpThR4qYh1UG01TEr4nWw38s
Malware Config
Extracted
- Family: amadey
- Version: 3.50
- Botnet: 0237fa
- C2: http://193.56.146.194
- Attributes:
  - install_dir: 50c1695437
  - install_file: rovwer.exe
  - strings_key: b6d412dd2efdf33d84e939e52040748f
  - url_paths: /h49vlBP/index.php
Signatures

Amadey family

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation (process: rovwer.exe)

Executes dropped EXE (4 IoCs)
- PID 2528: rovwer.exe
- PID 4548: rovwer.exe
- PID 4716: rovwer.exe
- PID 2524: rovwer.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (4 IoCs)
- PID 1516 (WerFault.exe), crashed target PID 3136, procid_target 83
- PID 1804 (WerFault.exe), crashed target PID 4548, procid_target 102
- PID 1036 (WerFault.exe), crashed target PID 4716, procid_target 109
- PID 1580 (WerFault.exe), crashed target PID 2524, procid_target 113

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: rovwer.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 3608: schtasks.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3136 wrote to memory of 2528 (process: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe, procid_target 84)
- PID 3136 wrote to memory of 2528 (process: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe, procid_target 84)
- PID 3136 wrote to memory of 2528 (process: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe, procid_target 84)
- PID 2528 wrote to memory of 3608 (process: rovwer.exe, procid_target 88)
- PID 2528 wrote to memory of 3608 (process: rovwer.exe, procid_target 88)
- PID 2528 wrote to memory of 3608 (process: rovwer.exe, procid_target 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe (PID 3136)
  Command line: "C:\Users\Admin\AppData\Local\Temp\914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 2528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3608)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe" /F
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\WerFault.exe (PID 1516)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1140
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4432)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3136 -ip 3136
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 4548)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 1804)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 416
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 632)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4548 -ip 4548
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 4716)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 1036)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 416
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4624)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4716 -ip 4716
- C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe (PID 2524)
  Command line: C:\Users\Admin\AppData\Local\Temp\50c1695437\rovwer.exe
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe (PID 1580)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 420
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2320)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2524 -ip 2524
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  - Filesize: 87KB
  - MD5: fdb0c6359b8c59d47e6921d31e8ee6da
  - SHA1: cc6f249ecb5dc2b0b3097096cbb59e483124ede8
  - SHA256: f48dd8010f74b8e1c1df8bcb2e804059ac75eb870fbb9f364d43f538e879fd28
  - SHA512: 86278ea2dc82db6a425eb2b6418c4f317a53524336dc7d31099a7bdf23a66f5bc5c54889025dfb6d7be77f17eaa65304fb68bba99d4507fd49eae40a7799cb8c
- File 2 (the submitted sample)
  - Filesize: 212KB
  - MD5: f57c2b72ee75c357a12ce03a08be95b8
  - SHA1: c0e8867ac37614f7e0e40fab9a66b9c6ef1c3249
  - SHA256: 914935fe8c30b7184ccfa19097c53eca43dd157b63c29429171a194dce8f9af2
  - SHA512: 59123bbe391f391b3c248f5be7889fad1cc806bbcbbe9ed1653c3ca687f7d27f21ba7e75215e225ddc04e29195d5e5a712e7a6219968eb1ff0e74c32d69da5da