amadey | d33a9158aeca558fafdc78e6bf5b750a993d7e398d11253101346add95d6dfdb

Analysis

max time kernel
151s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2022 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

233KB
MD5

5c5b990373930e4d740f65aa2d786770
SHA1

9de3d0004db486756c8e66d2e187a2ca4d1cd2c9
SHA256

d33a9158aeca558fafdc78e6bf5b750a993d7e398d11253101346add95d6dfdb
SHA512

422c3bb0bb106a6cf318d7ab5531e317acce5ae2a9cc49a9b69d4e6a481c5b8e719711fcc53926d58628c107a00ecaa6f4cdd9045e0f6c18b154e603c8c9e4ea
SSDEEP

3072:5XOqgb2N/LTUIPbjGJl1nGwm6bP3YkQqjl3Y4wWJmIwN/wBlP:dngq/LTjbjeBb/YdqxHwWJmnwH

Score

10^/10

amadey redline smokeloader rozena1114 backdoor collection discovery infostealer persistence spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

rozena1114

jalocliche.xyz:81

chardhesha.xyz:81

Attributes

auth_value
9fefd743a3b62bcd7c3e17a70fbdb3a8

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3376-133-0x0000000000840000-0x0000000000849000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3904-207-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

111 3568 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

2B46.exe6B1F.exe6DC0.exe6FA5.exerovwer.exelinda5.exehgiufherovwer.exe

pid process

4076 2B46.exe
4080 6B1F.exe
3032 6DC0.exe
4328 6FA5.exe
1816 rovwer.exe
3060 linda5.exe
856 hgiufhe
4816 rovwer.exe

flow	pid	process
111	3568	rundll32.exe

pid	process
4076	2B46.exe
4080	6B1F.exe
3032	6DC0.exe
4328	6FA5.exe
1816	rovwer.exe
3060	linda5.exe
856	hgiufhe
4816	rovwer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3416-249-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/3416-251-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/3416-252-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/3416-253-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx
behavioral2/memory/3416-254-0x0000000000400000-0x0000000000BEB000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6FA5.exerovwer.exelinda5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6FA5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	rovwer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	linda5.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe6DC0.exerundll32.exerundll32.exe

pid process

2256 rundll32.exe
3032 6DC0.exe
2832 rundll32.exe
3568 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2256	rundll32.exe
3032	6DC0.exe
2832	rundll32.exe
3568	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rovwer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000089001\\linda5.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

6DC0.exe6B1F.exe

description	pid	process	target process
PID 3032 set thread context of 3904	3032	6DC0.exe	ngentask.exe
PID 4080 set thread context of 3416	4080	6B1F.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2440 4076 WerFault.exe 2B46.exe
4964 4328 WerFault.exe 6FA5.exe
704 4816 WerFault.exe rovwer.exe

pid	pid_target	process	target process
2440	4076	WerFault.exe	2B46.exe
4964	4328	WerFault.exe	6FA5.exe
704	4816	WerFault.exe	rovwer.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exehgiufhe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgiufhe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgiufhe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgiufhe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1772 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 109 Go-http-client/1.1

pid	process
1772	schtasks.exe

description	flow	ioc
HTTP User-Agent header	109	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
3376	file.exe
3376	file.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3064
Suspicious behavior: MapViewOfSection 20 IoCs

Processes:

file.exehgiufhe

pid process

3376 file.exe
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
3064
856 hgiufhe

pid	process
3064

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

2B46.exengentask.exe

description	pid	process
Token: SeDebugPrivilege	4076	2B46.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeDebugPrivilege	3904	ngentask.exe
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064
Token: SeShutdownPrivilege	3064
Token: SeCreatePagefilePrivilege	3064

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6FA5.exerovwer.execmd.exe6DC0.exe

description	pid	process	target process
PID 3064 wrote to memory of 4076	3064		2B46.exe
PID 3064 wrote to memory of 4076	3064		2B46.exe
PID 3064 wrote to memory of 4076	3064		2B46.exe
PID 3064 wrote to memory of 4080	3064		6B1F.exe
PID 3064 wrote to memory of 4080	3064		6B1F.exe
PID 3064 wrote to memory of 3032	3064		6DC0.exe
PID 3064 wrote to memory of 3032	3064		6DC0.exe
PID 3064 wrote to memory of 3032	3064		6DC0.exe
PID 3064 wrote to memory of 4328	3064		6FA5.exe
PID 3064 wrote to memory of 4328	3064		6FA5.exe
PID 3064 wrote to memory of 4328	3064		6FA5.exe
PID 3064 wrote to memory of 2088	3064		explorer.exe
PID 3064 wrote to memory of 2088	3064		explorer.exe
PID 3064 wrote to memory of 2088	3064		explorer.exe
PID 3064 wrote to memory of 2088	3064		explorer.exe
PID 3064 wrote to memory of 4372	3064		explorer.exe
PID 3064 wrote to memory of 4372	3064		explorer.exe
PID 3064 wrote to memory of 4372	3064		explorer.exe
PID 4328 wrote to memory of 1816	4328	6FA5.exe	rovwer.exe
PID 4328 wrote to memory of 1816	4328	6FA5.exe	rovwer.exe
PID 4328 wrote to memory of 1816	4328	6FA5.exe	rovwer.exe
PID 3064 wrote to memory of 4100	3064		explorer.exe
PID 3064 wrote to memory of 4100	3064		explorer.exe
PID 3064 wrote to memory of 4100	3064		explorer.exe
PID 3064 wrote to memory of 4100	3064		explorer.exe
PID 3064 wrote to memory of 4484	3064		explorer.exe
PID 3064 wrote to memory of 4484	3064		explorer.exe
PID 3064 wrote to memory of 4484	3064		explorer.exe
PID 1816 wrote to memory of 1772	1816	rovwer.exe	schtasks.exe
PID 1816 wrote to memory of 1772	1816	rovwer.exe	schtasks.exe
PID 1816 wrote to memory of 1772	1816	rovwer.exe	schtasks.exe
PID 1816 wrote to memory of 8	1816	rovwer.exe	cmd.exe
PID 1816 wrote to memory of 8	1816	rovwer.exe	cmd.exe
PID 1816 wrote to memory of 8	1816	rovwer.exe	cmd.exe
PID 8 wrote to memory of 1228	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 1228	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 1228	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 1092	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1092	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1092	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 2748	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 2748	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 2748	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 3348	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 3348	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 3348	8	cmd.exe	cmd.exe
PID 8 wrote to memory of 1568	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1568	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 1568	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4136	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4136	8	cmd.exe	cacls.exe
PID 8 wrote to memory of 4136	8	cmd.exe	cacls.exe
PID 3064 wrote to memory of 4572	3064		explorer.exe
PID 3064 wrote to memory of 4572	3064		explorer.exe
PID 3064 wrote to memory of 4572	3064		explorer.exe
PID 3064 wrote to memory of 4572	3064		explorer.exe
PID 3064 wrote to memory of 4956	3064		explorer.exe
PID 3064 wrote to memory of 4956	3064		explorer.exe
PID 3064 wrote to memory of 4956	3064		explorer.exe
PID 3064 wrote to memory of 4956	3064		explorer.exe
PID 1816 wrote to memory of 3060	1816	rovwer.exe	linda5.exe
PID 1816 wrote to memory of 3060	1816	rovwer.exe	linda5.exe
PID 1816 wrote to memory of 3060	1816	rovwer.exe	linda5.exe
PID 3032 wrote to memory of 3904	3032	6DC0.exe	ngentask.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3376

C:\Users\Admin\AppData\Local\Temp\2B46.exe
C:\Users\Admin\AppData\Local\Temp\2B46.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1264
2⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4076 -ip 4076
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\6B1F.exe
C:\Users\Admin\AppData\Local\Temp\6B1F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4080

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
2⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\6DC0.exe
C:\Users\Admin\AppData\Local\Temp\6DC0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Users\Admin\AppData\Local\Temp\6FA5.exe
C:\Users\Admin\AppData\Local\Temp\6FA5.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe" /F
3⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "rovwer.exe" /P "Admin:N"&&CACLS "rovwer.exe" /P "Admin:R" /E&&echo Y|CACLS "..\99e342142d" /P "Admin:N"&&CACLS "..\99e342142d" /P "Admin:R" /E&&Exit
3⤵
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:1228

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:N"
4⤵
PID:1092

C:\Windows\SysWOW64\cacls.exe
CACLS "rovwer.exe" /P "Admin:R" /E
4⤵
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:3348

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:N"
4⤵
PID:1568

C:\Windows\SysWOW64\cacls.exe
CACLS "..\99e342142d" /P "Admin:R" /E
4⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\1000089001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000089001\linda5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3060

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" .\4C25Q0.Z0q
4⤵
PID:3656

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\4C25Q0.Z0q
5⤵
- Loads dropped DLL
PID:2256

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\4C25Q0.Z0q
6⤵
PID:4636

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\4C25Q0.Z0q
7⤵
- Loads dropped DLL
PID:2832

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1148
2⤵
- Program crash
PID:4964

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4328 -ip 4328
1⤵
PID:3304

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4484

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4572

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4956

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3116

C:\Users\Admin\AppData\Roaming\hgiufhe
C:\Users\Admin\AppData\Roaming\hgiufhe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:856

C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 424
2⤵
- Program crash
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4816 -ip 4816
1⤵
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000089001\linda5.exe
Filesize
2.0MB

MD5
6c8fda3ad7964e80950b5ed718b4ab35

SHA1
73a8f746982a2aee941e7fa7592e4a61e4e2ef41

SHA256
c28888cdbef5f53a8ea85ff3ae9181d31ddef29ee1cad48b87c45151ff0aa23b

SHA512
26e7da7c7101072f4003909260ff118bfde72b0d4895d1d50b9164f2f3d88a6d06d54413a4c8f469fc4c6af1102043715d180f7957bcfacbd60198afddc812fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\linda5.exe
Filesize
2.0MB

MD5
6c8fda3ad7964e80950b5ed718b4ab35

SHA1
73a8f746982a2aee941e7fa7592e4a61e4e2ef41

SHA256
c28888cdbef5f53a8ea85ff3ae9181d31ddef29ee1cad48b87c45151ff0aa23b

SHA512
26e7da7c7101072f4003909260ff118bfde72b0d4895d1d50b9164f2f3d88a6d06d54413a4c8f469fc4c6af1102043715d180f7957bcfacbd60198afddc812fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B46.exe
Filesize
319KB

MD5
5a83a49d2d9f74bef7530717f9681d74

SHA1
9e8ce37b74bb6357b058e0bfd5bb4921f00180a5

SHA256
0bd1210663e4211813797523405b1c0a9d4a6999847f8aa0d490fa17aae0623d

SHA512
53bd3454a25cc807d48522afa4ae7755bc86cb5b9b569fe50c9bab938f5bdd74272690c00248259e05420f2f1279ab9d0261e69660245ad27093ffea1ac4d961

Download Submit
C:\Users\Admin\AppData\Local\Temp\2B46.exe
Filesize
319KB

MD5
5a83a49d2d9f74bef7530717f9681d74

SHA1
9e8ce37b74bb6357b058e0bfd5bb4921f00180a5

SHA256
0bd1210663e4211813797523405b1c0a9d4a6999847f8aa0d490fa17aae0623d

SHA512
53bd3454a25cc807d48522afa4ae7755bc86cb5b9b569fe50c9bab938f5bdd74272690c00248259e05420f2f1279ab9d0261e69660245ad27093ffea1ac4d961

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C25Q0.Z0q
Filesize
2.2MB

MD5
e00be4cacd2df548da9859332d3f44b2

SHA1
f411218934c55bf40355a49629dd09643fee8d58

SHA256
37344e09cac3b8e4fb76df2fffdfb1eea1c332dc6c270bf2a4c25112b59e18e7

SHA512
9da4494aa51bf53b30b4e255d39aaefc6a77fd870426f9a458a41c6708d6818ac8e6e129fd13f180e89491e9ea9085bf28343a37250d484fa2642da10367cadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C25Q0.Z0q
Filesize
2.2MB

MD5
e00be4cacd2df548da9859332d3f44b2

SHA1
f411218934c55bf40355a49629dd09643fee8d58

SHA256
37344e09cac3b8e4fb76df2fffdfb1eea1c332dc6c270bf2a4c25112b59e18e7

SHA512
9da4494aa51bf53b30b4e255d39aaefc6a77fd870426f9a458a41c6708d6818ac8e6e129fd13f180e89491e9ea9085bf28343a37250d484fa2642da10367cadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4C25Q0.Z0q
Filesize
2.2MB

MD5
e00be4cacd2df548da9859332d3f44b2

SHA1
f411218934c55bf40355a49629dd09643fee8d58

SHA256
37344e09cac3b8e4fb76df2fffdfb1eea1c332dc6c270bf2a4c25112b59e18e7

SHA512
9da4494aa51bf53b30b4e255d39aaefc6a77fd870426f9a458a41c6708d6818ac8e6e129fd13f180e89491e9ea9085bf28343a37250d484fa2642da10367cadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B1F.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B1F.exe
Filesize
3.0MB

MD5
72efc55b476245e5955a405c50c3574f

SHA1
82cc77bb5e47520209e6564513e45c7d39573115

SHA256
899d0f9e8343dab899e302fa6bda0ec1bc4133f00fbb6d9215eea4b79ccf4ecb

SHA512
01e2eec8c951815b0cd98904ad5758a6c7c73f8b3e4cb4fcaeb80d8cb4f68366d06b2a309b3349d2a22f8904ec815feaf33f7a599bf7d56b3ec38188071604b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DC0.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DC0.exe
Filesize
1.1MB

MD5
5e7c07b9aa0668fa2971747bb4fade1e

SHA1
7fae544f73f2a8fb7a340a20ec47f76370fbd487

SHA256
431a1c4ceae3411f5476eed27fc30ebd55138afb4c4e9dac3db9d4b8addbb361

SHA512
5c9c65c99f0c8a5aaa2beac1a0c4304a1cb2ea808eeb6bbe11c2852d6e9fbad8bb68faa5f778848dade617e1c5ee1fb9dae566d7a064b05fdaa30a03019b868f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FA5.exe
Filesize
271KB

MD5
265cfab61cacd364f9e89fdfa49f9bce

SHA1
e5e979db60332e5f11828ac4da6341441c068d2d

SHA256
a9330b5862c90c6043b95ed30bdc9e0420904fd7efd724dddb4a99827b79bbfc

SHA512
425a0dccb766d4413c82237aef9756d3718b802e522558cc19256fc3c18edeb6c22d6ad95b8fb6a1bb98682f6f02f5f959e4598843af265155dc73c9b6c4e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FA5.exe
Filesize
271KB

MD5
265cfab61cacd364f9e89fdfa49f9bce

SHA1
e5e979db60332e5f11828ac4da6341441c068d2d

SHA256
a9330b5862c90c6043b95ed30bdc9e0420904fd7efd724dddb4a99827b79bbfc

SHA512
425a0dccb766d4413c82237aef9756d3718b802e522558cc19256fc3c18edeb6c22d6ad95b8fb6a1bb98682f6f02f5f959e4598843af265155dc73c9b6c4e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
271KB

MD5
265cfab61cacd364f9e89fdfa49f9bce

SHA1
e5e979db60332e5f11828ac4da6341441c068d2d

SHA256
a9330b5862c90c6043b95ed30bdc9e0420904fd7efd724dddb4a99827b79bbfc

SHA512
425a0dccb766d4413c82237aef9756d3718b802e522558cc19256fc3c18edeb6c22d6ad95b8fb6a1bb98682f6f02f5f959e4598843af265155dc73c9b6c4e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
271KB

MD5
265cfab61cacd364f9e89fdfa49f9bce

SHA1
e5e979db60332e5f11828ac4da6341441c068d2d

SHA256
a9330b5862c90c6043b95ed30bdc9e0420904fd7efd724dddb4a99827b79bbfc

SHA512
425a0dccb766d4413c82237aef9756d3718b802e522558cc19256fc3c18edeb6c22d6ad95b8fb6a1bb98682f6f02f5f959e4598843af265155dc73c9b6c4e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\rovwer.exe
Filesize
271KB

MD5
265cfab61cacd364f9e89fdfa49f9bce

SHA1
e5e979db60332e5f11828ac4da6341441c068d2d

SHA256
a9330b5862c90c6043b95ed30bdc9e0420904fd7efd724dddb4a99827b79bbfc

SHA512
425a0dccb766d4413c82237aef9756d3718b802e522558cc19256fc3c18edeb6c22d6ad95b8fb6a1bb98682f6f02f5f959e4598843af265155dc73c9b6c4e3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\advapi32.dll
Filesize
1.1MB

MD5
486536825ff5e3219a8702319e064907

SHA1
34f7f9211e2fd9c166fb36ed1d4121ebd427bebd

SHA256
6ab2023a2bd76692a694a812bf86c341696810c61666586c09a343832f05dc01

SHA512
f77404db724b9f8e93d84f2f9f0cee10b05638bda4445facbfd262eca52f073e285c10f153133fc35f9a426eb84e87e8e0b320f2815b2405ca3ada7ac2fded4c

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
507e9dc7b9c42f535b6df96d79179835

SHA1
acf41fb549750023115f060071aa5ca8c33f249e

SHA256
3b82a0ea49d855327b64073872ebb6b63eee056e182be6b1935aa512628252af

SHA512
70907ec4c395b0d2219bfe98907ec130bfcbc6d4bec7bd73965a9b1e422553e27daaead3d6647620fcf5392d85a2e975bce0f7c79c0bc665dd33ce65f7d44302

Download Submit
C:\Users\Admin\AppData\Roaming\hgiufhe
Filesize
233KB

MD5
5c5b990373930e4d740f65aa2d786770

SHA1
9de3d0004db486756c8e66d2e187a2ca4d1cd2c9

SHA256
d33a9158aeca558fafdc78e6bf5b750a993d7e398d11253101346add95d6dfdb

SHA512
422c3bb0bb106a6cf318d7ab5531e317acce5ae2a9cc49a9b69d4e6a481c5b8e719711fcc53926d58628c107a00ecaa6f4cdd9045e0f6c18b154e603c8c9e4ea

Download Submit
C:\Users\Admin\AppData\Roaming\hgiufhe
Filesize
233KB

MD5
5c5b990373930e4d740f65aa2d786770

SHA1
9de3d0004db486756c8e66d2e187a2ca4d1cd2c9

SHA256
d33a9158aeca558fafdc78e6bf5b750a993d7e398d11253101346add95d6dfdb

SHA512
422c3bb0bb106a6cf318d7ab5531e317acce5ae2a9cc49a9b69d4e6a481c5b8e719711fcc53926d58628c107a00ecaa6f4cdd9045e0f6c18b154e603c8c9e4ea

Download Submit
memory/8-183-0x0000000000000000-mapping.dmp

Download
memory/1092-185-0x0000000000000000-mapping.dmp

Download
memory/1228-184-0x0000000000000000-mapping.dmp

Download
memory/1568-188-0x0000000000000000-mapping.dmp

Download
memory/1772-182-0x0000000000000000-mapping.dmp

Download
memory/1816-229-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/1816-168-0x0000000000000000-mapping.dmp

Download
memory/1816-228-0x000000000092D000-0x000000000094C000-memory.dmp

Filesize
124KB

Download
memory/1816-195-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/1816-193-0x000000000092D000-0x000000000094C000-memory.dmp

Filesize
124KB

Download
memory/2088-164-0x0000000000000000-mapping.dmp

Download
memory/2088-225-0x0000000001320000-0x0000000001327000-memory.dmp

Filesize
28KB

Download
memory/2088-165-0x0000000001320000-0x0000000001327000-memory.dmp

Filesize
28KB

Download
memory/2088-166-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/2256-235-0x0000000003310000-0x00000000033C2000-memory.dmp

Filesize
712KB

Download
memory/2256-210-0x0000000000000000-mapping.dmp

Download
memory/2256-219-0x0000000002E40000-0x0000000002FD6000-memory.dmp

Filesize
1.6MB

Download
memory/2256-248-0x0000000003110000-0x000000000323B000-memory.dmp

Filesize
1.2MB

Download
memory/2256-220-0x0000000003110000-0x000000000323B000-memory.dmp

Filesize
1.2MB

Download
memory/2256-232-0x0000000003240000-0x0000000003307000-memory.dmp

Filesize
796KB

Download
memory/2748-186-0x0000000000000000-mapping.dmp

Download
memory/2832-247-0x00000000034F0000-0x000000000361B000-memory.dmp

Filesize
1.2MB

Download
memory/2832-244-0x00000000036F0000-0x00000000037A2000-memory.dmp

Filesize
712KB

Download
memory/2832-243-0x0000000003620000-0x00000000036E7000-memory.dmp

Filesize
796KB

Download
memory/2832-242-0x00000000034F0000-0x000000000361B000-memory.dmp

Filesize
1.2MB

Download
memory/2832-241-0x0000000003220000-0x00000000033B6000-memory.dmp

Filesize
1.6MB

Download
memory/2832-239-0x0000000000000000-mapping.dmp

Download
memory/3032-157-0x0000000000000000-mapping.dmp

Download
memory/3032-181-0x0000000011520000-0x000000001169F000-memory.dmp

Filesize
1.5MB

Download
memory/3032-224-0x0000000003179000-0x0000000003277000-memory.dmp

Filesize
1016KB

Download
memory/3032-177-0x0000000003179000-0x0000000003277000-memory.dmp

Filesize
1016KB

Download
memory/3032-192-0x0000000011520000-0x000000001169F000-memory.dmp

Filesize
1.5MB

Download
memory/3032-163-0x0000000002C57000-0x0000000003165000-memory.dmp

Filesize
5.1MB

Download
memory/3060-199-0x0000000000000000-mapping.dmp

Download
memory/3116-222-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download
memory/3116-221-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/3116-234-0x0000000001320000-0x0000000001328000-memory.dmp

Filesize
32KB

Download
memory/3116-217-0x0000000000000000-mapping.dmp

Download
memory/3348-187-0x0000000000000000-mapping.dmp

Download
memory/3376-134-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/3376-132-0x000000000086E000-0x0000000000883000-memory.dmp

Filesize
84KB

Download
memory/3376-135-0x0000000000400000-0x000000000083D000-memory.dmp

Filesize
4.2MB

Download
memory/3376-133-0x0000000000840000-0x0000000000849000-memory.dmp

Filesize
36KB

Download
memory/3416-249-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/3416-250-0x0000000000BE8EA0-mapping.dmp

Download
memory/3416-253-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/3416-251-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/3416-252-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/3416-254-0x0000000000400000-0x0000000000BEB000-memory.dmp

Filesize
7.9MB

Download
memory/3568-255-0x0000000000000000-mapping.dmp

Download
memory/3656-209-0x0000000000000000-mapping.dmp

Download
memory/3904-202-0x0000000000000000-mapping.dmp

Download
memory/3904-203-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3904-207-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4076-145-0x0000000005410000-0x000000000551A000-memory.dmp

Filesize
1.0MB

Download
memory/4076-151-0x0000000006850000-0x0000000006D7C000-memory.dmp

Filesize
5.2MB

Download
memory/4076-147-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/4076-141-0x0000000000720000-0x000000000075E000-memory.dmp

Filesize
248KB

Download
memory/4076-144-0x00000000055E0000-0x0000000005BF8000-memory.dmp

Filesize
6.1MB

Download
memory/4076-139-0x0000000004D40000-0x00000000052E4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-136-0x0000000000000000-mapping.dmp

Download
memory/4076-148-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4076-142-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/4076-150-0x0000000006680000-0x0000000006842000-memory.dmp

Filesize
1.8MB

Download
memory/4076-149-0x0000000000778000-0x00000000007A9000-memory.dmp

Filesize
196KB

Download
memory/4076-146-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/4076-156-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4076-140-0x0000000000778000-0x00000000007A9000-memory.dmp

Filesize
196KB

Download
memory/4076-155-0x0000000000778000-0x00000000007A9000-memory.dmp

Filesize
196KB

Download
memory/4076-143-0x0000000000400000-0x00000000005A8000-memory.dmp

Filesize
1.7MB

Download
memory/4080-152-0x0000000000000000-mapping.dmp

Download
memory/4100-176-0x0000000000000000-mapping.dmp

Download
memory/4100-226-0x00000000003B0000-0x00000000003B5000-memory.dmp

Filesize
20KB

Download
memory/4100-179-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/4100-178-0x00000000003B0000-0x00000000003B5000-memory.dmp

Filesize
20KB

Download
memory/4136-191-0x0000000000000000-mapping.dmp

Download
memory/4328-171-0x00000000009ED000-0x0000000000A0C000-memory.dmp

Filesize
124KB

Download
memory/4328-173-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/4328-160-0x0000000000000000-mapping.dmp

Download
memory/4328-172-0x00000000023B0000-0x00000000023EE000-memory.dmp

Filesize
248KB

Download
memory/4372-174-0x00000000009E0000-0x00000000009E9000-memory.dmp

Filesize
36KB

Download
memory/4372-175-0x00000000009D0000-0x00000000009DF000-memory.dmp

Filesize
60KB

Download
memory/4372-167-0x0000000000000000-mapping.dmp

Download
memory/4484-180-0x0000000000000000-mapping.dmp

Download
memory/4484-189-0x0000000001290000-0x0000000001296000-memory.dmp

Filesize
24KB

Download
memory/4484-227-0x0000000001290000-0x0000000001296000-memory.dmp

Filesize
24KB

Download
memory/4484-190-0x0000000001280000-0x000000000128C000-memory.dmp

Filesize
48KB

Download
memory/4572-198-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/4572-197-0x0000000000140000-0x0000000000162000-memory.dmp

Filesize
136KB

Download
memory/4572-194-0x0000000000000000-mapping.dmp

Download
memory/4572-230-0x0000000000140000-0x0000000000162000-memory.dmp

Filesize
136KB

Download
memory/4636-238-0x0000000000000000-mapping.dmp

Download
memory/4768-218-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/4768-213-0x0000000000000000-mapping.dmp

Download
memory/4768-216-0x0000000000FF0000-0x0000000000FFD000-memory.dmp

Filesize
52KB

Download
memory/4768-233-0x0000000001280000-0x0000000001287000-memory.dmp

Filesize
28KB

Download
memory/4816-261-0x0000000000B01000-0x0000000000B1F000-memory.dmp

Filesize
120KB

Download
memory/4816-262-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/4956-208-0x0000000001310000-0x0000000001319000-memory.dmp

Filesize
36KB

Download
memory/4956-205-0x0000000001320000-0x0000000001325000-memory.dmp

Filesize
20KB

Download
memory/4956-231-0x0000000001320000-0x0000000001325000-memory.dmp

Filesize
20KB

Download
memory/4956-196-0x0000000000000000-mapping.dmp

Download
memory/5108-214-0x0000000001320000-0x0000000001326000-memory.dmp

Filesize
24KB

Download
memory/5108-206-0x0000000000000000-mapping.dmp

Download
memory/5108-215-0x0000000001310000-0x000000000131B000-memory.dmp

Filesize
44KB

Download