amadey | 1d1fc9d23aa14b4f484fb86c173c94084bc14a9f551747b6e06366649a229af5

Analysis

max time kernel
151s
max time network
146s
platform
windows7_x64
resource
win7-en-20211104
submitted
01-12-2021 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a430b2cbf785427c87c48d29a1a8c0f.exe
Size

329KB
MD5

1a430b2cbf785427c87c48d29a1a8c0f
SHA1

e9b392c34c1bf0e42599bb561f111e3bcea7b3d9
SHA256

1d1fc9d23aa14b4f484fb86c173c94084bc14a9f551747b6e06366649a229af5
SHA512

28ba06d7cc60f27c948071a19bf0e5a64e9db3aa262bdb419ad208c2fd6c7e075f9bda85c241a329239b1f584845fbf1faf590d69856e775fa27307eadf6fd8a

Score

10^/10

amadey arkei cryptbot redline smokeloader default backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

92.255.76.197:38637

Extracted

Family

arkei

Botnet

Default

http://file-file-host4.com/tratata.php

Extracted

Family

amadey

Version

2.85

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Arkei
Arkei is an infostealer written in C++.
stealer arkei
CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/824-80-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/824-81-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/824-83-0x0000000000418EE6-mapping.dmp	family_redline
behavioral1/memory/824-85-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/824-82-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Arkei Stealer Payload 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1664-89-0x0000000000220000-0x0000000000241000-memory.dmp	family_arkei
behavioral1/memory/1664-90-0x0000000000400000-0x00000000004D7000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

9BF1.exeA21A.exeA565.exeA8FF.exe9BF1.exeBB57.exeA8FF.exeCBAE.exeCBAE.exeCBAE.exetkools.exe

pid process

568 9BF1.exe
644 A21A.exe
1664 A565.exe
1200 A8FF.exe
824 9BF1.exe
1976 BB57.exe
680 A8FF.exe
1592 CBAE.exe
1236 CBAE.exe
1932 CBAE.exe
1392 tkools.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BB57.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BB57.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BB57.exe

Deletes itself 1 IoCs

Processes:

pid process

1360

pid	process
1360

Loads dropped DLL 13 IoCs

Processes:

9BF1.exeA8FF.exeregsvr32.exeCBAE.exeA565.exeCBAE.exetkools.exe

pid	process
568	9BF1.exe
1200	A8FF.exe
1616	regsvr32.exe
1592	CBAE.exe
1592	CBAE.exe
1664	A565.exe
1664	A565.exe
1664	A565.exe
1664	A565.exe
1664	A565.exe
1932	CBAE.exe
1932	CBAE.exe
1392	tkools.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BB57.exe	themida
behavioral1/memory/1976-96-0x0000000001130000-0x0000000001812000-memory.dmp	themida
behavioral1/memory/1976-97-0x0000000001130000-0x0000000001812000-memory.dmp	themida
behavioral1/memory/1976-103-0x0000000001130000-0x0000000001812000-memory.dmp	themida
behavioral1/memory/1976-106-0x0000000001130000-0x0000000001812000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\BB57.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

BB57.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA BB57.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

BB57.exe

pid process

1976 BB57.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BB57.exe

pid	process
1976	BB57.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

1a430b2cbf785427c87c48d29a1a8c0f.exe9BF1.exeA8FF.exeCBAE.exe

description	pid	process	target process
PID 1112 set thread context of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 568 set thread context of 824	568	9BF1.exe	9BF1.exe
PID 1200 set thread context of 680	1200	A8FF.exe	A8FF.exe
PID 1592 set thread context of 1236	1592	CBAE.exe	CBAE.exe
PID 1592 set thread context of 1932	1592	CBAE.exe	CBAE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1a430b2cbf785427c87c48d29a1a8c0f.exeA21A.exeA8FF.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1a430b2cbf785427c87c48d29a1a8c0f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1a430b2cbf785427c87c48d29a1a8c0f.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A21A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8FF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1a430b2cbf785427c87c48d29a1a8c0f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A21A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A8FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	A21A.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BB57.exeA565.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BB57.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BB57.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	A565.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	A565.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1596 timeout.exe
2016 timeout.exe

pid	process
1596	timeout.exe
2016	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1a430b2cbf785427c87c48d29a1a8c0f.exe

pid	process
324	1a430b2cbf785427c87c48d29a1a8c0f.exe
324	1a430b2cbf785427c87c48d29a1a8c0f.exe
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360
1360

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1360
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

1a430b2cbf785427c87c48d29a1a8c0f.exeA21A.exeA8FF.exe

pid process

324 1a430b2cbf785427c87c48d29a1a8c0f.exe
644 A21A.exe
680 A8FF.exe

pid	process
1360

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

CBAE.exe9BF1.exetkools.exe

description	pid	process
Token: SeShutdownPrivilege	1360
Token: SeShutdownPrivilege	1360
Token: SeShutdownPrivilege	1360
Token: SeDebugPrivilege	1592	CBAE.exe
Token: SeDebugPrivilege	824	9BF1.exe
Token: SeDebugPrivilege	1392	tkools.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1360
1360
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1360
1360

pid	process
1360
1360

pid	process
1360
1360

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1a430b2cbf785427c87c48d29a1a8c0f.exe9BF1.exeA8FF.exeBB57.execmd.exeCBAE.exe

description	pid	process	target process
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1112 wrote to memory of 324	1112	1a430b2cbf785427c87c48d29a1a8c0f.exe	1a430b2cbf785427c87c48d29a1a8c0f.exe
PID 1360 wrote to memory of 568	1360		9BF1.exe
PID 1360 wrote to memory of 568	1360		9BF1.exe
PID 1360 wrote to memory of 568	1360		9BF1.exe
PID 1360 wrote to memory of 568	1360		9BF1.exe
PID 1360 wrote to memory of 644	1360		A21A.exe
PID 1360 wrote to memory of 644	1360		A21A.exe
PID 1360 wrote to memory of 644	1360		A21A.exe
PID 1360 wrote to memory of 644	1360		A21A.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 1360 wrote to memory of 1664	1360		A565.exe
PID 1360 wrote to memory of 1664	1360		A565.exe
PID 1360 wrote to memory of 1664	1360		A565.exe
PID 1360 wrote to memory of 1664	1360		A565.exe
PID 1360 wrote to memory of 1200	1360		A8FF.exe
PID 1360 wrote to memory of 1200	1360		A8FF.exe
PID 1360 wrote to memory of 1200	1360		A8FF.exe
PID 1360 wrote to memory of 1200	1360		A8FF.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 568 wrote to memory of 824	568	9BF1.exe	9BF1.exe
PID 1360 wrote to memory of 1976	1360		BB57.exe
PID 1360 wrote to memory of 1976	1360		BB57.exe
PID 1360 wrote to memory of 1976	1360		BB57.exe
PID 1360 wrote to memory of 1976	1360		BB57.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1200 wrote to memory of 680	1200	A8FF.exe	A8FF.exe
PID 1360 wrote to memory of 1616	1360		regsvr32.exe
PID 1360 wrote to memory of 1616	1360		regsvr32.exe
PID 1360 wrote to memory of 1616	1360		regsvr32.exe
PID 1360 wrote to memory of 1616	1360		regsvr32.exe
PID 1360 wrote to memory of 1616	1360		regsvr32.exe
PID 1976 wrote to memory of 1888	1976	BB57.exe	cmd.exe
PID 1976 wrote to memory of 1888	1976	BB57.exe	cmd.exe
PID 1976 wrote to memory of 1888	1976	BB57.exe	cmd.exe
PID 1976 wrote to memory of 1888	1976	BB57.exe	cmd.exe
PID 1888 wrote to memory of 1596	1888	cmd.exe	timeout.exe
PID 1888 wrote to memory of 1596	1888	cmd.exe	timeout.exe
PID 1888 wrote to memory of 1596	1888	cmd.exe	timeout.exe
PID 1888 wrote to memory of 1596	1888	cmd.exe	timeout.exe
PID 1360 wrote to memory of 1592	1360		CBAE.exe
PID 1360 wrote to memory of 1592	1360		CBAE.exe
PID 1360 wrote to memory of 1592	1360		CBAE.exe
PID 1360 wrote to memory of 1592	1360		CBAE.exe
PID 1592 wrote to memory of 1236	1592	CBAE.exe	CBAE.exe
PID 1592 wrote to memory of 1236	1592	CBAE.exe	CBAE.exe
PID 1592 wrote to memory of 1236	1592	CBAE.exe	CBAE.exe
PID 1592 wrote to memory of 1236	1592	CBAE.exe	CBAE.exe

C:\Users\Admin\AppData\Local\Temp\1a430b2cbf785427c87c48d29a1a8c0f.exe
"C:\Users\Admin\AppData\Local\Temp\1a430b2cbf785427c87c48d29a1a8c0f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\1a430b2cbf785427c87c48d29a1a8c0f.exe
"C:\Users\Admin\AppData\Local\Temp\1a430b2cbf785427c87c48d29a1a8c0f.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:324

C:\Users\Admin\AppData\Local\Temp\9BF1.exe
C:\Users\Admin\AppData\Local\Temp\9BF1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\9BF1.exe
C:\Users\Admin\AppData\Local\Temp\9BF1.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Users\Admin\AppData\Local\Temp\A21A.exe
C:\Users\Admin\AppData\Local\Temp\A21A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:644

C:\Users\Admin\AppData\Local\Temp\A565.exe
C:\Users\Admin\AppData\Local\Temp\A565.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A565.exe" & exit
2⤵
PID:880

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
3⤵
- Delays execution with timeout.exe
PID:2016

C:\Users\Admin\AppData\Local\Temp\A8FF.exe
C:\Users\Admin\AppData\Local\Temp\A8FF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\A8FF.exe
C:\Users\Admin\AppData\Local\Temp\A8FF.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:680

C:\Users\Admin\AppData\Local\Temp\BB57.exe
C:\Users\Admin\AppData\Local\Temp\BB57.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\qjGOaiqfcyJ & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\BB57.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:1596

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C5D4.dll
1⤵
- Loads dropped DLL
PID:1616

C:\Users\Admin\AppData\Local\Temp\CBAE.exe
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\CBAE.exe
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\AppData\Local\Temp\CBAE.exe
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
3⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1896

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
4⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
3⤵
PID:908

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
4⤵
PID:820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
3⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:920

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
4⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
3⤵
PID:548

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
4⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
4⤵
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF1.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF1.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\9BF1.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\A21A.exe
MD5
df13fac0d8b182e4d8b9a02ba87a9571

SHA1
b2187debc6fde96e08d5014ce4f1af5cf568bce5

SHA256
af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

SHA512
bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

Download Submit
C:\Users\Admin\AppData\Local\Temp\A565.exe
MD5
45d0a6bb2ca00643fb04bf15d4aaa2c9

SHA1
ba7ef4495bfdd4d4a89a61cd9961715618efb768

SHA256
d1f548773aedafb4836901da6c0d6580fa4d836e46665e9e844915bb85d4e3e0

SHA512
1688ddb5683fa104cb9fc4ec6de9e402190f856bdea9d4bd7cd64f5344f5a0527e77c56fdad8d32c80f25025da3f3e6f75829b390ae58b1c82970f76759285bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8FF.exe
MD5
d2331edf10b3c0e6a5c8fec0a1a6392e

SHA1
f988addbbf47cf6dd3ac9c83baa1aced7309eff1

SHA256
bb19a312c32f06dc9748bf7317f066a9ec2aecd4b09456a03c097d4118f0ecf9

SHA512
bf326f98dd84e1b0baa695ce0e26a52569efd1b6af13430568f52277572a42205232b0436cb966e665611a89f8f25564b8b8f5f652fe45a95be20688cc7c8f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8FF.exe
MD5
d2331edf10b3c0e6a5c8fec0a1a6392e

SHA1
f988addbbf47cf6dd3ac9c83baa1aced7309eff1

SHA256
bb19a312c32f06dc9748bf7317f066a9ec2aecd4b09456a03c097d4118f0ecf9

SHA512
bf326f98dd84e1b0baa695ce0e26a52569efd1b6af13430568f52277572a42205232b0436cb966e665611a89f8f25564b8b8f5f652fe45a95be20688cc7c8f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8FF.exe
MD5
d2331edf10b3c0e6a5c8fec0a1a6392e

SHA1
f988addbbf47cf6dd3ac9c83baa1aced7309eff1

SHA256
bb19a312c32f06dc9748bf7317f066a9ec2aecd4b09456a03c097d4118f0ecf9

SHA512
bf326f98dd84e1b0baa695ce0e26a52569efd1b6af13430568f52277572a42205232b0436cb966e665611a89f8f25564b8b8f5f652fe45a95be20688cc7c8f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB57.exe
MD5
ca16ca4aa9cf9777274447c9f4ba222e

SHA1
1025ed93e5f44d51b96f1a788764cc4487ee477e

SHA256
0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

SHA512
72d8d2a729b8ce2940235d3a317ee3eb0eb8d1411e847d6d11e36484f520bb88b3cabd03716b3c2988b0a053426be14aace154f13d306883788f952cd03cf712

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB57.exe
MD5
ca16ca4aa9cf9777274447c9f4ba222e

SHA1
1025ed93e5f44d51b96f1a788764cc4487ee477e

SHA256
0016755526279c5c404b670ecb2d81af46066d879c389924a6574ab9864b5c04

SHA512
72d8d2a729b8ce2940235d3a317ee3eb0eb8d1411e847d6d11e36484f520bb88b3cabd03716b3c2988b0a053426be14aace154f13d306883788f952cd03cf712

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5D4.dll
MD5
2ee33ef3b24574c9fb54fd75e29fdf6e

SHA1
158a048f5f5feac85eb5791fbb25ba6aaf262712

SHA256
46e20b3931c4550ade3e4abd395a289621ea3f42f6aa44c90083ebb7f7be2704

SHA512
0655a316b91070c8275afba7ab8437da66cd8b00e4ddcc58c86fa28444deb66700d19e76e93329910c7e44ef28ec488556e2026221980b6aacaa804745a56c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBAE.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\sqlite3.dll
MD5
e477a96c8f2b18d6b5c27bde49c990bf

SHA1
e980c9bf41330d1e5bd04556db4646a0210f7409

SHA256
16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660

SHA512
335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
\Users\Admin\AppData\Local\Temp\9BF1.exe
MD5
5115e5dab211559a85cd0154e8100f53

SHA1
347800b72ac53ec6e2c87e433763b20282a2c06d

SHA256
ef156fb3a203fe197d89d63e2ea7805a1b9af505dfff5a58532dbfe34e7aabaa

SHA512
d03e58376be1e299a6da57a28ed5db176999baded713aa54ddb59cf8c82b97e8c0b028ce07bddb6989c7c77e518e151e112dde2f1d5244ac2572e4371fa68c12

Download Submit
\Users\Admin\AppData\Local\Temp\A8FF.exe
MD5
d2331edf10b3c0e6a5c8fec0a1a6392e

SHA1
f988addbbf47cf6dd3ac9c83baa1aced7309eff1

SHA256
bb19a312c32f06dc9748bf7317f066a9ec2aecd4b09456a03c097d4118f0ecf9

SHA512
bf326f98dd84e1b0baa695ce0e26a52569efd1b6af13430568f52277572a42205232b0436cb966e665611a89f8f25564b8b8f5f652fe45a95be20688cc7c8f1a

Download Submit
\Users\Admin\AppData\Local\Temp\C5D4.dll
MD5
2ee33ef3b24574c9fb54fd75e29fdf6e

SHA1
158a048f5f5feac85eb5791fbb25ba6aaf262712

SHA256
46e20b3931c4550ade3e4abd395a289621ea3f42f6aa44c90083ebb7f7be2704

SHA512
0655a316b91070c8275afba7ab8437da66cd8b00e4ddcc58c86fa28444deb66700d19e76e93329910c7e44ef28ec488556e2026221980b6aacaa804745a56c5e

Download Submit
\Users\Admin\AppData\Local\Temp\CBAE.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
\Users\Admin\AppData\Local\Temp\CBAE.exe
MD5
97617914d6e8a6e3cbee8a5e5ff39aa5

SHA1
caf7fef0efd3dbcf176c7cfc85cc545dd0dc9efd

SHA256
7c1c287f9ce0d8d90c95851781ff2732780177f6c1affecc9eed376436981112

SHA512
f4c79f9e41124044aa1d0a44e86d0a184beda33163d7b0973dc23b4ff5087c708175bd89f73ffc2c160a66bf23f09835c422b654353dc67cb59ea053cf60eabb

Download Submit
memory/324-59-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/324-58-0x0000000000402F47-mapping.dmp

Download
memory/324-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/548-142-0x0000000000000000-mapping.dmp

Download
memory/568-66-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/568-64-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/568-61-0x0000000000000000-mapping.dmp

Download
memory/644-71-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/644-67-0x0000000000000000-mapping.dmp

Download
memory/644-77-0x0000000000400000-0x0000000002B64000-memory.dmp

Filesize
39.4MB

Download
memory/644-70-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/680-102-0x0000000000402F47-mapping.dmp

Download
memory/820-136-0x0000000000000000-mapping.dmp

Download
memory/824-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/824-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/824-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/824-83-0x0000000000418EE6-mapping.dmp

Download
memory/824-81-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/824-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/824-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/824-91-0x0000000004580000-0x0000000004581000-memory.dmp

Filesize
4KB

Download
memory/880-151-0x0000000000000000-mapping.dmp

Download
memory/908-135-0x0000000000000000-mapping.dmp

Download
memory/1068-133-0x0000000000000000-mapping.dmp

Download
memory/1112-55-0x0000000000268000-0x0000000000279000-memory.dmp

Filesize
68KB

Download
memory/1112-56-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1200-75-0x0000000000000000-mapping.dmp

Download
memory/1200-98-0x00000000005A8000-0x00000000005B9000-memory.dmp

Filesize
68KB

Download
memory/1360-121-0x0000000004150000-0x0000000004166000-memory.dmp

Filesize
88KB

Download
memory/1360-60-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/1360-95-0x0000000003DF0000-0x0000000003E06000-memory.dmp

Filesize
88KB

Download
memory/1392-155-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1392-154-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1392-146-0x0000000000000000-mapping.dmp

Download
memory/1392-148-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1396-130-0x0000000000000000-mapping.dmp

Download
memory/1592-113-0x0000000000000000-mapping.dmp

Download
memory/1592-118-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1592-119-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1592-116-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-112-0x0000000000000000-mapping.dmp

Download
memory/1616-107-0x0000000000000000-mapping.dmp

Download
memory/1616-108-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download
memory/1664-87-0x00000000005F8000-0x000000000060C000-memory.dmp

Filesize
80KB

Download
memory/1664-90-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1664-72-0x0000000000000000-mapping.dmp

Download
memory/1664-89-0x0000000000220000-0x0000000000241000-memory.dmp

Filesize
132KB

Download
memory/1888-111-0x0000000000000000-mapping.dmp

Download
memory/1896-131-0x0000000000000000-mapping.dmp

Download
memory/1900-141-0x0000000000000000-mapping.dmp

Download
memory/1920-143-0x0000000000000000-mapping.dmp

Download
memory/1932-129-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1932-125-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1932-126-0x0000000000414C3C-mapping.dmp

Download
memory/1976-103-0x0000000001130000-0x0000000001812000-memory.dmp

Filesize
6.9MB

Download
memory/1976-97-0x0000000001130000-0x0000000001812000-memory.dmp

Filesize
6.9MB

Download
memory/1976-96-0x0000000001130000-0x0000000001812000-memory.dmp

Filesize
6.9MB

Download
memory/1976-92-0x0000000000000000-mapping.dmp

Download
memory/1976-106-0x0000000001130000-0x0000000001812000-memory.dmp

Filesize
6.9MB

Download
memory/2016-153-0x0000000000000000-mapping.dmp

Download