amadey | 983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26

Analysis

max time kernel
93s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
Size

21KB
MD5

d5d6d152edeeb1a13020514aceaad436
SHA1

1909b7fd2f20c4c2e4ecd8c186863f0ca90867d9
SHA256

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26
SHA512

1e398c67483e9cab11e99af590c59274d5f6c23c5a69c88a019052074890b69c8148728fd880ecd7f91ad53f310a061b86154d985948ccc12f33640a0f23b6d0

Score

10^/10

amadey quasar malek collection persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.08

190.123.44.138/Qbv2ff03/index.php

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Malek

54.237.250.208:5553

Mutex

COjIFE2SxD895kMBY2

Attributes

encryption_key
1Xdt7BW8AuSSiRQFMe7U
install_name
Notepad.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Notepad
subdirectory

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Quasar Payload 13 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
behavioral1/memory/1740-82-0x0000000001040000-0x0000000001144000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Notepad.exe	family_quasar
behavioral1/memory/1616-88-0x00000000009D0000-0x0000000000AD4000-memory.dmp	family_quasar
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata: ET MALWARE Possible Kelihos.F EXE Download Common Structure
suricata
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

13 1776 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

Notepad.exeNotepad.exeNotepad.exe

pid process

1740 Notepad.exe
1616 Notepad.exe
2016 Notepad.exe

flow	pid	process
13	1776	rundll32.exe

pid	process
1740	Notepad.exe
1616	Notepad.exe
2016	Notepad.exe

Drops startup file 2 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Loads dropped DLL 10 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exeNotepad.execmd.exerundll32.exe

pid	process
1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1740	Notepad.exe
932	cmd.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

description	pid	process	target process
PID 1980 set thread context of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1588 PING.EXE

pid	process
1588	PING.EXE

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exerundll32.exe

pid	process
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe
1776	rundll32.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exeNotepad.exeNotepad.exe

description	pid	process
Token: SeDebugPrivilege	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
Token: SeDebugPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeSecurityPrivilege	1740	Notepad.exe
Token: SeBackupPrivilege	1740	Notepad.exe
Token: SeDebugPrivilege	1616	Notepad.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exeNotepad.execmd.exe

description	pid	process	target process
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1980 wrote to memory of 1132	1980	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
PID 1132 wrote to memory of 1740	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	Notepad.exe
PID 1132 wrote to memory of 1740	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	Notepad.exe
PID 1132 wrote to memory of 1740	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	Notepad.exe
PID 1132 wrote to memory of 1740	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	Notepad.exe
PID 1740 wrote to memory of 1616	1740	Notepad.exe	Notepad.exe
PID 1740 wrote to memory of 1616	1740	Notepad.exe	Notepad.exe
PID 1740 wrote to memory of 1616	1740	Notepad.exe	Notepad.exe
PID 1740 wrote to memory of 1616	1740	Notepad.exe	Notepad.exe
PID 1740 wrote to memory of 932	1740	Notepad.exe	cmd.exe
PID 1740 wrote to memory of 932	1740	Notepad.exe	cmd.exe
PID 1740 wrote to memory of 932	1740	Notepad.exe	cmd.exe
PID 1740 wrote to memory of 932	1740	Notepad.exe	cmd.exe
PID 932 wrote to memory of 1724	932	cmd.exe	chcp.com
PID 932 wrote to memory of 1724	932	cmd.exe	chcp.com
PID 932 wrote to memory of 1724	932	cmd.exe	chcp.com
PID 932 wrote to memory of 1724	932	cmd.exe	chcp.com
PID 932 wrote to memory of 1588	932	cmd.exe	PING.EXE
PID 932 wrote to memory of 1588	932	cmd.exe	PING.EXE
PID 932 wrote to memory of 1588	932	cmd.exe	PING.EXE
PID 932 wrote to memory of 1588	932	cmd.exe	PING.EXE
PID 932 wrote to memory of 2016	932	cmd.exe	Notepad.exe
PID 932 wrote to memory of 2016	932	cmd.exe	Notepad.exe
PID 932 wrote to memory of 2016	932	cmd.exe	Notepad.exe
PID 932 wrote to memory of 2016	932	cmd.exe	Notepad.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe
PID 1132 wrote to memory of 1776	1132	983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
"C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe
"C:\Users\Admin\AppData\Local\Temp\983fe88a155bdc1b17641ff91365b1fd5cb53654d113954d16c50aed9696cf26.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Roaming\Notepad.exe
"C:\Users\Admin\AppData\Roaming\Notepad.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\尺ﾚ乇丂んひ丂乙刀Ｗムᄃ乙り乃ﾉ.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:1724

C:\Windows\SysWOW64\PING.EXE
ping -\Common 10 localhost
5⤵
- Runs ping.exe
PID:1588

C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe"
5⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_win_path
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\尺ﾚ乇丂んひ丂乙刀Ｗムᄃ乙り乃ﾉ.bat
Filesize
594B

MD5
7dcf8b3dfa306f0de9da7a855567fae3

SHA1
8392cf6603468d87d240ef5b25a021c69812fe28

SHA256
72dd50507604cf2cec39b433b2262bb0300d809162f6970cf5a5f79e8c0e9337

SHA512
c501b8f72ea35f27b91615416c7b5ee2a8ac16851e86c460c7ea99e74eede1cd1dc430c463c85d0b600005e33eb468f9f34a1e0992aa56b4dfb86c324bd03542

Download Submit
C:\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
\Users\Admin\AppData\Local\Temp\1000114001\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
\Users\Admin\AppData\Roaming\376fde80dfdc81\cred.dll
Filesize
126KB

MD5
cab629e61884212c046e0147a3585f5f

SHA1
10265561adbdfb39dac01337468f183c336fcd71

SHA256
3dfdec90c5e2ebde218405a6f6283637c12dca1b4a7bc465c9b752b8f700c6e9

SHA512
fbdfb02cf61e510690742429168db1378d7c09df7441b09d771371833861c58d673913f93c20583d66891b3883b6ecce19313a966471c2f79c3e9482bdf5e9a9

Download Submit
\Users\Admin\AppData\Roaming\Notepad.exe
Filesize
1016KB

MD5
0fcdfcdb23ebfbdedacdcd6428ed7fd1

SHA1
a559212a2192eb375967af20afcc53e6470f4e9a

SHA256
de5cd04d98f447bcc313f638ea96140d3d636fd8498ca5c37def12cb19b920f5

SHA512
ed90f859c9f58f5f5b9882dafe7bde4b9631a9e81f02aa970fb721e50533d77a816989049febcd386b7e27a1d2dc49d68f6b8c2cc1fcaf108a43fc8a32e6ea9f

Download Submit
memory/932-90-0x0000000000000000-mapping.dmp

Download
memory/1132-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-59-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-74-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-70-0x000000000041344C-mapping.dmp

Download
memory/1132-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-62-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1588-93-0x0000000000000000-mapping.dmp

Download
memory/1616-85-0x0000000000000000-mapping.dmp

Download
memory/1616-88-0x00000000009D0000-0x0000000000AD4000-memory.dmp

Filesize
1.0MB

Download
memory/1724-92-0x0000000000000000-mapping.dmp

Download
memory/1740-82-0x0000000001040000-0x0000000001144000-memory.dmp

Filesize
1.0MB

Download
memory/1740-79-0x0000000000000000-mapping.dmp

Download
memory/1776-98-0x0000000000000000-mapping.dmp

Download
memory/1776-105-0x0000000000170000-0x0000000000194000-memory.dmp

Filesize
144KB

Download
memory/1980-54-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download
memory/1980-55-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/1980-58-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/1980-57-0x0000000000C00000-0x0000000000C44000-memory.dmp

Filesize
272KB

Download
memory/1980-56-0x0000000004DF5000-0x0000000004E06000-memory.dmp

Filesize
68KB

Download
memory/2016-95-0x0000000000000000-mapping.dmp

Download