amadey | 69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

Analysis

max time kernel
135s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
18-05-2022 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
Size

319KB
MD5

00abc3cdf40d724b3bbaf8cb2de12d95
SHA1

529cfe8010a6541a0c7accd33ae02a5237f58301
SHA256

69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e
SHA512

414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Score

10^/10

amadey vidar 1376 collection discovery persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.10

199.188.204.245/f8dfksdj3/index.php

Extracted

Family

vidar

Version

52.2

Botnet

1376

https://t.me/netflixaccsfree

https://mastodon.social/@ronxik12

Attributes

profile_id
1376

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1472-82-0x0000000000400000-0x00000000004B1000-memory.dmp	family_vidar
behavioral1/memory/1472-84-0x0000000000220000-0x000000000026E000-memory.dmp	family_vidar

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

23 1076 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

orxds.exeorxds.exemine3.exeorxds.exeIFMb39aGmCsqJcthXwNQEToq7.exeorxds.exe

pid process

1232 orxds.exe
1472 orxds.exe
1596 mine3.exe
1648 orxds.exe
1520 IFMb39aGmCsqJcthXwNQEToq7.exe
1508 orxds.exe

flow	pid	process
23	1076	rundll32.exe

pid	process
1232	orxds.exe
1472	orxds.exe
1596	mine3.exe
1648	orxds.exe
1520	IFMb39aGmCsqJcthXwNQEToq7.exe
1508	orxds.exe

Loads dropped DLL 11 IoCs

Processes:

69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exeorxds.exerundll32.exeorxds.exemine3.exe

pid	process
1920	69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
1920	69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
1232	orxds.exe
1232	orxds.exe
1076	rundll32.exe
1076	rundll32.exe
1076	rundll32.exe
1076	rundll32.exe
1472	orxds.exe
1472	orxds.exe
1596	mine3.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

orxds.exemine3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\mine3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000006001\\mine3.exe"	orxds.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TxMT8hHkO8fBB5FlBurdwljpn = "C:\\ProgramData\\4vFAHkNczECIXuLdvBZKuXofw\\IFMb39aGmCsqJcthXwNQEToq7.exe"	mine3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

orxds.exe

description pid process target process

PID 1232 set thread context of 1472 1232 orxds.exe orxds.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1232 set thread context of 1472	1232	orxds.exe	orxds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

orxds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	orxds.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	orxds.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1788 schtasks.exe
1388 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1684 timeout.exe

pid	process
1788	schtasks.exe
1388	schtasks.exe

pid	process
1684	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

orxds.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	orxds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	orxds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	orxds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	orxds.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mine3.exe

pid	process
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe
1596	mine3.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

mine3.exeIFMb39aGmCsqJcthXwNQEToq7.exe

description	pid	process
Token: SeDebugPrivilege	1596	mine3.exe
Token: SeDebugPrivilege	1596	mine3.exe
Token: SeDebugPrivilege	1520	IFMb39aGmCsqJcthXwNQEToq7.exe
Token: SeDebugPrivilege	1520	IFMb39aGmCsqJcthXwNQEToq7.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exeorxds.execmd.exetaskeng.exemine3.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 1232	1920	69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe	orxds.exe
PID 1920 wrote to memory of 1232	1920	69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe	orxds.exe
PID 1920 wrote to memory of 1232	1920	69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe	orxds.exe
PID 1920 wrote to memory of 1232	1920	69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe	orxds.exe
PID 1232 wrote to memory of 2036	1232	orxds.exe	cmd.exe
PID 1232 wrote to memory of 2036	1232	orxds.exe	cmd.exe
PID 1232 wrote to memory of 2036	1232	orxds.exe	cmd.exe
PID 1232 wrote to memory of 2036	1232	orxds.exe	cmd.exe
PID 1232 wrote to memory of 1788	1232	orxds.exe	schtasks.exe
PID 1232 wrote to memory of 1788	1232	orxds.exe	schtasks.exe
PID 1232 wrote to memory of 1788	1232	orxds.exe	schtasks.exe
PID 1232 wrote to memory of 1788	1232	orxds.exe	schtasks.exe
PID 2036 wrote to memory of 380	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 380	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 380	2036	cmd.exe	reg.exe
PID 2036 wrote to memory of 380	2036	cmd.exe	reg.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1472	1232	orxds.exe	orxds.exe
PID 1232 wrote to memory of 1596	1232	orxds.exe	mine3.exe
PID 1232 wrote to memory of 1596	1232	orxds.exe	mine3.exe
PID 1232 wrote to memory of 1596	1232	orxds.exe	mine3.exe
PID 1232 wrote to memory of 1596	1232	orxds.exe	mine3.exe
PID 1640 wrote to memory of 1648	1640	taskeng.exe	orxds.exe
PID 1640 wrote to memory of 1648	1640	taskeng.exe	orxds.exe
PID 1640 wrote to memory of 1648	1640	taskeng.exe	orxds.exe
PID 1640 wrote to memory of 1648	1640	taskeng.exe	orxds.exe
PID 1596 wrote to memory of 1388	1596	mine3.exe	schtasks.exe
PID 1596 wrote to memory of 1388	1596	mine3.exe	schtasks.exe
PID 1596 wrote to memory of 1388	1596	mine3.exe	schtasks.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1232 wrote to memory of 1076	1232	orxds.exe	rundll32.exe
PID 1596 wrote to memory of 1520	1596	mine3.exe	IFMb39aGmCsqJcthXwNQEToq7.exe
PID 1596 wrote to memory of 1520	1596	mine3.exe	IFMb39aGmCsqJcthXwNQEToq7.exe
PID 1596 wrote to memory of 1520	1596	mine3.exe	IFMb39aGmCsqJcthXwNQEToq7.exe
PID 1596 wrote to memory of 1380	1596	mine3.exe	cmd.exe
PID 1596 wrote to memory of 1380	1596	mine3.exe	cmd.exe
PID 1596 wrote to memory of 1380	1596	mine3.exe	cmd.exe
PID 1380 wrote to memory of 1684	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 1684	1380	cmd.exe	timeout.exe
PID 1380 wrote to memory of 1684	1380	cmd.exe	timeout.exe
PID 1640 wrote to memory of 1508	1640	taskeng.exe	orxds.exe
PID 1640 wrote to memory of 1508	1640	taskeng.exe	orxds.exe
PID 1640 wrote to memory of 1508	1640	taskeng.exe	orxds.exe
PID 1640 wrote to memory of 1508	1640	taskeng.exe	orxds.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe
"C:\Users\Admin\AppData\Local\Temp\69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\70d66d8271\
4⤵
PID:380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe" /F
3⤵
- Creates scheduled task(s)
PID:1788

C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
PID:1472

C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\schtasks.exe
"schtasks.exe" /create /tn TxMT8hHkO8fBB5FlBurdwljpn /tr "C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe" /st 16:02 /du 23:59 /sc daily /ri 1 /f
4⤵
- Creates scheduled task(s)
PID:1388

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
"C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7521.tmp.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\system32\timeout.exe
timeout 6
5⤵
- Delays execution with timeout.exe
PID:1684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:1076

C:\Windows\system32\taskeng.exe
taskeng.exe {8E993B29-2FEB-4954-A5D5-32191950D067} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
2⤵
- Executes dropped EXE
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
Filesize
186.8MB

MD5
ea475912a10155462a3709ce7c6e5c68

SHA1
38a53e6dde894c9e8d6aa9ff5f11445c7a8643e6

SHA256
84cfd1fb71cba99f07159366b591a00845acac6d16f76a16b63a0fc05c3a27a8

SHA512
4d970a67550f91db91475740eb0006593646e18d26cb807291bd1a98a9c97ff1d27b3773c6cc3feb7fdd1ac8e71322f56bebe7765784cbe7ec0b8e479a3a1a45

Download Submit
C:\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
Filesize
235.8MB

MD5
a77a74dd8dca55231334d70fdc76683b

SHA1
4184b2da9ab52c26a1c099594d286199051df752

SHA256
c8b65aec18924ff6b9192a97b4a45fe7e6814e45b7e5300e55fc1ffd2f3a3d5d

SHA512
f26831a574e04575d7a25e60aafc58dfe276b23eae584e05add3f5612d0cd14e5c098eb65c4c21883a9035e9fee1dcdd54109245a7fe9dc8594e74f637202a27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7bde20fe34a14da5db80242bce650157

SHA1
7536ca60c34a154a2945dad95d63ff414c8aab27

SHA256
55d2b62868bb2e7ae0a16aaaa7269f11e8926257332d5087ca0b61435a841cd7

SHA512
690cf8a89efa29d811f0c4f3544cd1a73a0336f07e1e4c35f6cc656fe129db97db54dd8d07b5d696888340481d4d0d3fb9a608ac24b3d85b6323dc5363399d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe
Filesize
809KB

MD5
ff72b295ded9889cee24320db368bcf1

SHA1
5d7991f8495d56088710dd558faba639ffd05292

SHA256
e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

SHA512
37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe
Filesize
809KB

MD5
ff72b295ded9889cee24320db368bcf1

SHA1
5d7991f8495d56088710dd558faba639ffd05292

SHA256
e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

SHA512
37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7521.tmp.bat
Filesize
168B

MD5
fb6ab1c9f12966b79559a6f2ec7f4ec4

SHA1
7ef5d445b73dcad2ac292385ef6e16a13ccbc036

SHA256
1bcb73b3ecbe8c5b1660f08536762aaaa6991cbcc17b97fa8a4e8c0fe26a5319

SHA512
4f462f29a8abea88ae19ad2837ad8f46d4224956da65f898049e7d26b8e6f59011644805b1cb5c089fb772301c32d0f368db81b3923ec39633774f098e2889f0

Download Submit
C:\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
Filesize
126KB

MD5
210d9d14509f0bc2c26c87ba5fef4108

SHA1
8f4443a8cdfe1ff2156c3a1abd3371e778a2806f

SHA256
993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77

SHA512
68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095

Download Submit
\ProgramData\4vFAHkNczECIXuLdvBZKuXofw\IFMb39aGmCsqJcthXwNQEToq7.exe
Filesize
183.7MB

MD5
fcc74d816dd5fc52fe85228cd77f3ac7

SHA1
d931d23e07b3ec83ef47ddaba64f4075f3649a3b

SHA256
6814eaf149853b657b4d783b5a96569939ba11b94d060ef80750c614de4c228f

SHA512
22d60c1fac761f1068adff6c212acd22d9d623de28a134bfbbf48293b4d76c2c77e8e6f47e967f205785589eff3145575a06c9a2e2f552e0f283c88c2fcf1ae0

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\1000006001\mine3.exe
Filesize
809KB

MD5
ff72b295ded9889cee24320db368bcf1

SHA1
5d7991f8495d56088710dd558faba639ffd05292

SHA256
e54ccfd9a2ab15b4461eb38baec21eb828f7757ca3e67db3b7acb261be34adcd

SHA512
37ab209741e90c78565d170ab48d7ee83c8633e93e646a4c8f639c305c8b6528841668b6aa7797870612d24e11e1ff1aaae0f5622e9a2195957f9142e93a7b1b

Download Submit
\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
\Users\Admin\AppData\Local\Temp\70d66d8271\orxds.exe
Filesize
319KB

MD5
00abc3cdf40d724b3bbaf8cb2de12d95

SHA1
529cfe8010a6541a0c7accd33ae02a5237f58301

SHA256
69db771b992adb89ed17465f8c448b1a44c5f99ef7e73fe1dae45982790cae5e

SHA512
414218603c46f6a8e0fe27dc8ec9c83979dd7be8ebc4c89cfd1d795dadaaf3466ef6d0ef953b3ce0d660dfa6b615b31e878ccd57c21aedb1b09f886e7dfb830e

Download Submit
\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
Filesize
126KB

MD5
210d9d14509f0bc2c26c87ba5fef4108

SHA1
8f4443a8cdfe1ff2156c3a1abd3371e778a2806f

SHA256
993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77

SHA512
68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095

Download Submit
\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
Filesize
126KB

MD5
210d9d14509f0bc2c26c87ba5fef4108

SHA1
8f4443a8cdfe1ff2156c3a1abd3371e778a2806f

SHA256
993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77

SHA512
68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095

Download Submit
\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
Filesize
126KB

MD5
210d9d14509f0bc2c26c87ba5fef4108

SHA1
8f4443a8cdfe1ff2156c3a1abd3371e778a2806f

SHA256
993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77

SHA512
68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095

Download Submit
\Users\Admin\AppData\Roaming\95ae2649e6d72d\cred.dll
Filesize
126KB

MD5
210d9d14509f0bc2c26c87ba5fef4108

SHA1
8f4443a8cdfe1ff2156c3a1abd3371e778a2806f

SHA256
993c8664fac2e9aefc6cd25b3b435d6358fccc98119faedadbd68679281c0b77

SHA512
68250b674fff40870d5102760b9064e3483850f91d64a2fe395bea0058559b79daa5ad867d7578fe875d7ead415801eb99b49718912799e69683df66036c8095

Download Submit
memory/380-65-0x0000000000000000-mapping.dmp

Download
memory/1076-108-0x0000000000161000-0x000000000017B000-memory.dmp

Filesize
104KB

Download
memory/1076-100-0x0000000000000000-mapping.dmp

Download
memory/1232-67-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1232-57-0x0000000000000000-mapping.dmp

Download
memory/1232-66-0x00000000005FE000-0x000000000061C000-memory.dmp

Filesize
120KB

Download
memory/1380-134-0x0000000000000000-mapping.dmp

Download
memory/1388-95-0x0000000000000000-mapping.dmp

Download
memory/1472-71-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-73-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-70-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-75-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-78-0x0000000000410640-mapping.dmp

Download
memory/1472-77-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-81-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-82-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/1472-83-0x00000000006AA000-0x00000000006D7000-memory.dmp

Filesize
180KB

Download
memory/1472-107-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/1472-84-0x0000000000220000-0x000000000026E000-memory.dmp

Filesize
312KB

Download
memory/1508-137-0x0000000000000000-mapping.dmp

Download
memory/1508-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1508-143-0x000000000065E000-0x000000000067C000-memory.dmp

Filesize
120KB

Download
memory/1520-133-0x000000013FF40000-0x000000014000E000-memory.dmp

Filesize
824KB

Download
memory/1520-139-0x000000001BAE0000-0x000000001BBAA000-memory.dmp

Filesize
808KB

Download
memory/1520-145-0x0000000002316000-0x0000000002335000-memory.dmp

Filesize
124KB

Download
memory/1520-146-0x0000000002335000-0x000000000233A000-memory.dmp

Filesize
20KB

Download
memory/1520-130-0x0000000000000000-mapping.dmp

Download
memory/1520-147-0x0000000002344000-0x000000000234D000-memory.dmp

Filesize
36KB

Download
memory/1596-96-0x0000000000690000-0x0000000000710000-memory.dmp

Filesize
512KB

Download
memory/1596-92-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/1596-86-0x0000000000000000-mapping.dmp

Download
memory/1596-91-0x000000001ACB0000-0x000000001AD86000-memory.dmp

Filesize
856KB

Download
memory/1596-90-0x000000013FC40000-0x000000013FD0E000-memory.dmp

Filesize
824KB

Download
memory/1648-93-0x0000000000000000-mapping.dmp

Download
memory/1648-98-0x00000000005CE000-0x00000000005EC000-memory.dmp

Filesize
120KB

Download
memory/1648-99-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1684-136-0x0000000000000000-mapping.dmp

Download
memory/1788-64-0x0000000000000000-mapping.dmp

Download
memory/1920-59-0x00000000002AE000-0x00000000002CC000-memory.dmp

Filesize
120KB

Download
memory/1920-60-0x0000000001C80000-0x0000000001CB8000-memory.dmp

Filesize
224KB

Download
memory/1920-61-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/1920-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/2036-63-0x0000000000000000-mapping.dmp

Download