amadey | 74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20220414-en
submitted
23-05-2022 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
Size

336KB
MD5

53f54f7688b7becf3f68ca1ac3cb3565
SHA1

b99a8ee9253186f3a19e750e4b9a7cecedb30136
SHA256

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b
SHA512

a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Score

10^/10

amadey suricata trojan

Malware Config

Extracted

Family

amadey

Version

3.10

185.215.113.35/d2VxjasuwS_old/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

orxds.exeorxds.exeorxds.exeorxds.exeorxds.exe

pid process

1680 orxds.exe
668 orxds.exe
2000 orxds.exe
992 orxds.exe
1288 orxds.exe

pid	process
1680	orxds.exe
668	orxds.exe
2000	orxds.exe
992	orxds.exe
1288	orxds.exe

Loads dropped DLL 3 IoCs

Processes:

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exeorxds.exe

pid	process
1744	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
1744	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
1680	orxds.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

orxds.exe

description pid process target process

PID 1680 set thread context of 2000 1680 orxds.exe orxds.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

876 schtasks.exe

description	pid	process	target process
PID 1680 set thread context of 2000	1680	orxds.exe	orxds.exe

pid	process
876	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "360043222"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{758949C1-DA4C-11EC-838E-726C518001C0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec0000000000200000000001066000000010000200000008214a8562bdc7943202a3b295a3c51bcaa4fe10c3de6194d06d4bf149141baa4000000000e80000000020000200000007827c8696a3a4c3753ad7c1134cafef1c237c49a8fa974017a375753457fe36090000000d55569d62293dcd17b2b132a47f130fa52d5497da5e395cb4fdf9e9af0044cb39f070fbf85e36d70753269501398b1e38c7b8d691252a9d049c0c72146f8b9356a2e184c18135062192bc6ab308bd23744602f1c7b264b6504c5ed0b061d0a0f43a2965d76331d57a5b9dffe8b4287c365787af29fd9d2273c511e9d38e85c73ed92a16d9edc2e26375db6834c68194f400000004c70f40a9cbdcbc9874d0363508dce8bee009918069eb485f789260dcb8ffe314164fc40f4b6d4d93632c9fa94889c26bcf5ef74a831870a610c266dc12ebb05	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2065275c596ed801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec000000000020000000000106600000001000020000000f29dac950062d676961436549e004adf9651caefa82d21d5ad280f3ecaa1c9ef000000000e80000000020000200000003f5306d5a211dc3d272f6ad2c37bae270d9f6d379f29522a3212fae217821444200000000d7816d6dff93fe6bbaf1e2f8a853d94643a22345b559c0f599e0705130bb78a4000000044bbca9d073320edfdea4d55293fb1018a95701f989522d4be2fb6a8c0b4559231b6608ad8ef3fc335ad97b22c362aa67949b94b93c8b556739cff131d349c76	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

orxds.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	orxds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	orxds.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	orxds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	orxds.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	orxds.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

956 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

956 iexplore.exe
956 iexplore.exe
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE
1640 IEXPLORE.EXE

pid	process
956	iexplore.exe

pid	process
956	iexplore.exe
956	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exeorxds.execmd.exetaskeng.exeorxds.exeiexplore.exe

description	pid	process	target process
PID 1744 wrote to memory of 1680	1744	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1744 wrote to memory of 1680	1744	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1744 wrote to memory of 1680	1744	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1744 wrote to memory of 1680	1744	74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe	orxds.exe
PID 1680 wrote to memory of 948	1680	orxds.exe	cmd.exe
PID 1680 wrote to memory of 948	1680	orxds.exe	cmd.exe
PID 1680 wrote to memory of 948	1680	orxds.exe	cmd.exe
PID 1680 wrote to memory of 948	1680	orxds.exe	cmd.exe
PID 1680 wrote to memory of 876	1680	orxds.exe	schtasks.exe
PID 1680 wrote to memory of 876	1680	orxds.exe	schtasks.exe
PID 1680 wrote to memory of 876	1680	orxds.exe	schtasks.exe
PID 1680 wrote to memory of 876	1680	orxds.exe	schtasks.exe
PID 948 wrote to memory of 2036	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2036	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2036	948	cmd.exe	reg.exe
PID 948 wrote to memory of 2036	948	cmd.exe	reg.exe
PID 1908 wrote to memory of 668	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 668	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 668	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 668	1908	taskeng.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 1680 wrote to memory of 2000	1680	orxds.exe	orxds.exe
PID 2000 wrote to memory of 956	2000	orxds.exe	iexplore.exe
PID 2000 wrote to memory of 956	2000	orxds.exe	iexplore.exe
PID 2000 wrote to memory of 956	2000	orxds.exe	iexplore.exe
PID 2000 wrote to memory of 956	2000	orxds.exe	iexplore.exe
PID 956 wrote to memory of 1640	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1640	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1640	956	iexplore.exe	IEXPLORE.EXE
PID 956 wrote to memory of 1640	956	iexplore.exe	IEXPLORE.EXE
PID 1908 wrote to memory of 992	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 992	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 992	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 992	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 1288	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 1288	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 1288	1908	taskeng.exe	orxds.exe
PID 1908 wrote to memory of 1288	1908	taskeng.exe	orxds.exe

C:\Users\Admin\AppData\Local\Temp\74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe
"C:\Users\Admin\AppData\Local\Temp\74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\d273120da5\
3⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\d273120da5\
4⤵
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN orxds.exe /TR "C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe" /F
3⤵
- Creates scheduled task(s)
PID:876

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
"C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=orxds.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\system32\taskeng.exe
taskeng.exe {E703D1B0-8A43-4B24-9ECF-A47F968D476A} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
2⤵
- Executes dropped EXE
PID:668

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
2⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
2⤵
- Executes dropped EXE
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0ab14058341e1d7bd83426dbd51b27c7

SHA1
2f8808907a5617800623ef39128dc6af6a225f38

SHA256
d91b8474080a901883d6befa627869c903d65fad84b17e8560377482b874318c

SHA512
01ff7409c03ee52920a7f593c89eebec25dcce14023c0c52e33cf62b6b2c0add79db48313b509c1cd6599944eae2bf3433f5ef8148b8cb8437630defc6b19dc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e6d910157a2d8794923f796a6adf42a9

SHA1
1084edb48d9e87325b6d9ecad75d18dd9c7e73cc

SHA256
be3b7c8d36de28fcacba1a3b609afe110a301c752bb8ea6ba5597921cd7e9e76

SHA512
4ef49b6d22936a0f9c40c73e8e3dd9cf2c16c853852b5d7d684c9fdb5ecb481fa111947559a262f90626ca338cd79a3599cef54b36677969c9355d73e00eabf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
f54bae12895a9ed6b4e734b798ca94fd

SHA1
4d87bd7ec30f6014221bcd47b0f59ca2ca0e1492

SHA256
72b4fec3d2d0bbe3997f1fae8427252ca8abc09d036527e9f404a995b1c07cb2

SHA512
805bcd25f2dff0e30e0e3bb1c36981a18b97a0bc939d48f94f609d12073b33b117adb8ff62af5bc967ece553c908d043e1d3f7e566f2fe3ad9369934690a344a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9os4y76\imagestore.dat
Filesize
21KB

MD5
365730a0d4fb46964bfaab1b38049c7d

SHA1
bf927f9f216b0fb88eddab97268208736d6d23f2

SHA256
89aab1950b2657f7aa16eecc7f97402ec07c53762d08c1d9f1bb5361bdff12e4

SHA512
cc0f07ae77bab5bfa2ca0a61d13ce44c7a74a956514377ac3ea827082adb9fef440dce99d5519aa90b9697190953040ebd029fa497857d754f26a3b5ff2a15b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZQNU9PFW.txt
Filesize
600B

MD5
85389cec2a2412290d8237c9eda018e7

SHA1
1f8685ded12418c0461ea2731270f828e5038190

SHA256
046954d22ded27dbf26cf54c0f863a232154bba1c8274fe1ef995fc1b817efd8

SHA512
523344333af47827b6beac992540e4e45b8e777107beff8be11a7b6d3416ffcaf8f85121a861ebadfee4428a33446c999f8ae7633c5d7fb4c22feced233d3b73

Download Submit
\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
\Users\Admin\AppData\Local\Temp\d273120da5\orxds.exe
Filesize
336KB

MD5
53f54f7688b7becf3f68ca1ac3cb3565

SHA1
b99a8ee9253186f3a19e750e4b9a7cecedb30136

SHA256
74e1d92213c0f1cad8c5387f8ec54f7c901a76596afb9e88c30fdd6bca4f005b

SHA512
a94b97891ae3e7c202746e13912737e9047ba0f5e344ad22c6eba54e15178935db2b3e9b94eb2759294de171588a6cd42ade38dc1bdb98fd16ddafccec6591ad

Download Submit
memory/668-69-0x0000000000000000-mapping.dmp

Download
memory/668-73-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/876-65-0x0000000000000000-mapping.dmp

Download
memory/948-64-0x0000000000000000-mapping.dmp

Download
memory/992-91-0x0000000000000000-mapping.dmp

Download
memory/992-94-0x0000000002D0E000-0x0000000002D2C000-memory.dmp

Filesize
120KB

Download
memory/992-95-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1288-100-0x0000000000000000-mapping.dmp

Download
memory/1680-67-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1680-63-0x0000000002CCF000-0x0000000002CED000-memory.dmp

Filesize
120KB

Download
memory/1680-57-0x0000000000000000-mapping.dmp

Download
memory/1744-59-0x0000000002C4E000-0x0000000002C6C000-memory.dmp

Filesize
120KB

Download
memory/1744-60-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/1744-61-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/1744-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/2000-75-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2000-78-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2000-82-0x00000000004637AE-mapping.dmp

Download
memory/2000-80-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2000-85-0x0000000000402000-0x0000000000463800-memory.dmp

Filesize
390KB

Download
memory/2000-76-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2000-81-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2000-86-0x0000000000402000-0x0000000000463800-memory.dmp

Filesize
390KB

Download
memory/2036-66-0x0000000000000000-mapping.dmp

Download