Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/12/2024, 15:58
Static task: static1
Behavioral task: behavioral1
Sample: cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe
Resource: win7-20240903-en
General
Target: cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe
Size: 293KB
MD5: fe096068c43e0291845e999f75f400c2
SHA1: dc288ee2967ec97f6c5e0e7fb8293b3ec0aa77ea
SHA256: cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969
SHA512: ae9c92883625d81df83c825473adead5cf9f6a802827e4f0578ba90eeea50f7f45419dd7d6563a5d78089a9580f93f5d25273b163f1fa681a63556bb1b884c4e
SSDEEP: 6144:uvBqgSL8ckht0pMKiBtsFGUJsI/2QbxIwJ6c2:wBEIcg0iBQDsNQ1B0b
Malware Config
Extracted
Family: amadey
Version: 3.47
Botnet: 87314e
C2: http://176.113.115.201
install_dir: b667dbdcd8
install_file: rovwer.exe
strings_key: 21188e16c91719cc2e7e1129fe4e3ad0
url_paths: /3g4mn5s/index.php
Signatures
Amadey family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | rovwer.exe
Executes dropped EXE (4 IoCs)
pid | Process
844 | rovwer.exe
4212 | rovwer.exe
3936 | rovwer.exe
1060 | rovwer.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (3 IoCs)
pid | pid_target | Process | procid_target
3988 | 2772 | WerFault.exe | 81
876 | 4212 | WerFault.exe | 96
4756 | 3936 | WerFault.exe | 100
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rovwer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4176 | schtasks.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2772 wrote to memory of 844 | 2772 | cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe | 82
PID 2772 wrote to memory of 844 | 2772 | cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe | 82
PID 2772 wrote to memory of 844 | 2772 | cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe | 82
PID 844 wrote to memory of 4176 | 844 | rovwer.exe | 86
PID 844 wrote to memory of 4176 | 844 | rovwer.exe | 86
PID 844 wrote to memory of 4176 | 844 | rovwer.exe | 86
Processes
(child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969.exe"
PID: 2772
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe"
    PID: 844
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe" /F
        PID: 4176
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1288
    PID: 3988
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2772 -ip 2772
PID: 3660

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
PID: 4212
- Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 312
    PID: 876
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4212 -ip 4212
PID: 432

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
PID: 3936
- Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 312
    PID: 4756
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3936 -ip 3936
PID: 3780

C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
Command line: C:\Users\Admin\AppData\Local\Temp\b667dbdcd8\rovwer.exe
PID: 1060
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 293KB
MD5: fe096068c43e0291845e999f75f400c2
SHA1: dc288ee2967ec97f6c5e0e7fb8293b3ec0aa77ea
SHA256: cf95dca92b0825e77760fdce4714de6aa1f53a157c5b7a8fe55051f5cb44b969
SHA512: ae9c92883625d81df83c825473adead5cf9f6a802827e4f0578ba90eeea50f7f45419dd7d6563a5d78089a9580f93f5d25273b163f1fa681a63556bb1b884c4e