amadey | 7c6dca2422ed1b8de931eb1a25459b4f919832f897b227b14c08cd8c97673477

Analysis

max time kernel
135s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 10:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SoftwareSetupFile/SoftwareSetupFile.exe
Size

555.0MB
MD5

333b7deed15376b0a605c2ab033e7fda
SHA1

8b38e9ee0711207d3281f0bc0e3ef1ff8c0b155c
SHA256

142647df2b4e3dcf256dee7618b86a4d205bc7196147c3e6cb9b653bb00aa74f
SHA512

02ede71f39dec29203ab563abc4b67f6119ec3de6287b2083ec15984f181e38ae00acd250b28f7218fd2d80b7fffd12793ae3c9ae724b5223593b87d91099787
SSDEEP

98304:lp/262qMObXa0z2WLEO1gcdB9w2CAPHyVuTFz:lpFau2SE8h9nnTZ

Score

10^/10

amadey laplas persistence stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

31.41.244.158/Mb1sDv3/index.php

Extracted

Family

laplas

clipper.guru

Attributes

api_key
b208717c54146010ab89e628591e2a7b11493ef1c593e7b3f15b1c06b1778d59

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1384	Decoder.exe
1952	rovwer.exe
1940	rovwer.exe
1720	3333.exe

Loads dropped DLL 4 IoCs

pid	Process
1384	Decoder.exe
1952	rovwer.exe
1952	rovwer.exe
1952	rovwer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	SoftwareSetupFile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SoftwareSetupFile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\3333.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000005001\\3333.exe"	rovwer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1384	Decoder.exe
1952	rovwer.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2032 set thread context of 1180	2032	SoftwareSetupFile.exe	28
PID 1952 set thread context of 1940	1952	rovwer.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
944	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FBF48D1-6E49-11ED-9C90-C6457FCBF3CF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	rovwer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	rovwer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	rovwer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rovwer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rovwer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	rovwer.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1356	powershell.exe
2032	SoftwareSetupFile.exe
2032	SoftwareSetupFile.exe
1384	Decoder.exe
1952	rovwer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	SoftwareSetupFile.exe
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
948	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
948	iexplore.exe
948	iexplore.exe
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1356	2032	SoftwareSetupFile.exe	26
PID 2032 wrote to memory of 1356	2032	SoftwareSetupFile.exe	26
PID 2032 wrote to memory of 1356	2032	SoftwareSetupFile.exe	26
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 2032 wrote to memory of 1180	2032	SoftwareSetupFile.exe	28
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1180 wrote to memory of 1384	1180	SoftwareSetupFile.exe	29
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1384 wrote to memory of 1952	1384	Decoder.exe	30
PID 1952 wrote to memory of 944	1952	rovwer.exe	31
PID 1952 wrote to memory of 944	1952	rovwer.exe	31
PID 1952 wrote to memory of 944	1952	rovwer.exe	31
PID 1952 wrote to memory of 944	1952	rovwer.exe	31
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1940	1952	rovwer.exe	35
PID 1952 wrote to memory of 1720	1952	rovwer.exe	36
PID 1952 wrote to memory of 1720	1952	rovwer.exe	36
PID 1952 wrote to memory of 1720	1952	rovwer.exe	36
PID 1952 wrote to memory of 1720	1952	rovwer.exe	36
PID 1940 wrote to memory of 948	1940	rovwer.exe	37
PID 1940 wrote to memory of 948	1940	rovwer.exe	37
PID 1940 wrote to memory of 948	1940	rovwer.exe	37
PID 1940 wrote to memory of 948	1940	rovwer.exe	37
PID 948 wrote to memory of 2004	948	iexplore.exe	38
PID 948 wrote to memory of 2004	948	iexplore.exe	38
PID 948 wrote to memory of 2004	948	iexplore.exe	38
PID 948 wrote to memory of 2004	948	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile\SoftwareSetupFile.exe
"C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile\SoftwareSetupFile.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile\SoftwareSetupFile.exe
  C:\Users\Admin\AppData\Local\Temp\SoftwareSetupFile\SoftwareSetupFile.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe
      "C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:944
    - - C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=rovwer.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\1000005001\3333.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000005001\3333.exe"
        5⤵
        Executes dropped EXE
        
        PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000005001\3333.exe

Filesize
4.6MB

MD5
10c4eb50adca0b5e5c38ae0fdfa422fc

SHA1
204fa092bd55f6c999733807115dbc5817fd2fa8

SHA256
4fb85146079a6ad27e94e913e2302d6a47f8f5409f55f174aecdd8c99ab372ed

SHA512
552fd54a83ba2bb2b64d25890aa1336ca397669fd3dbdf8bc64a3edc2bb4e71aa4207b54b09e3ca050acaf2d4cb4b56740b22152abd047e1627874a8ec968636

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\3333.exe

Filesize
4.6MB

MD5
10c4eb50adca0b5e5c38ae0fdfa422fc

SHA1
204fa092bd55f6c999733807115dbc5817fd2fa8

SHA256
4fb85146079a6ad27e94e913e2302d6a47f8f5409f55f174aecdd8c99ab372ed

SHA512
552fd54a83ba2bb2b64d25890aa1336ca397669fd3dbdf8bc64a3edc2bb4e71aa4207b54b09e3ca050acaf2d4cb4b56740b22152abd047e1627874a8ec968636

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
234.4MB

MD5
b44f1f3dfa2a2077cc093571ab062bd1

SHA1
e3b6a7a3c8744ef180bf08954efe8236c81674e6

SHA256
d3df39ac52686a8f8ccf3efeea6be4854a36dc52623e0c10ddf7a4740b8922e1

SHA512
168912fb5b0fb70718e5b99f1ea68054c7aa243b4e1d2264689cbf069ea75b4202ce3beb9c5e99d0793a5a01070c978818ecd78254f9a2c6dfd227a4bbc7ba73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
182.9MB

MD5
61ccdf1876e997f15d5df72192632c1b

SHA1
e8f6499a30ae7e09ee44c184a1d65d17bc6ceace

SHA256
83d077bce61a7e45aa260fa50c4bc46a706cf673ddb960031d06559bafc7d7b3

SHA512
332e653f51fec15b378bbabd908bc7b33c6424233f9c4638674cbcd6ae7906460098021f5b991056a9963159b9912d74bb77d4cc37ee77d562eb9dd6600422dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe

Filesize
66.2MB

MD5
d30baaab5fc92ccfda51c63c7179dec3

SHA1
5efb3b208fd0fca5067324a5b3033a7b4d3be81b

SHA256
2c10a088f55206c3d8fbbf8fe5fa43a03d3cc6d423f36c635a0a63cecff3ad23

SHA512
52b71359b8c552fd3110437a42d71ea510a4377528b5e1ea7fe50a06db793589dff73a437267795c4b9e110febc9a463947a02988dbfad41fc4f700e41f04e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe

Filesize
101.1MB

MD5
d6b712e32696126cea099ef06bba4b2a

SHA1
8e029d40c0c3956c8929639889c30e7b0363ce7d

SHA256
c5ac44569a77760c7adfbc597a9dea2e7f142c7964d130925719bb92da915510

SHA512
eaa7765fe9ec5e230bc9d71e3c04946d404feb7ce8a6e13d2d0911e480381e6bf48f616b41c1a36a75ff3cf75dc17cc5bdeb91d7876c1d4400cad493c40f11de

Download Submit
C:\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe

Filesize
102.1MB

MD5
d03a481af39a55aee22b086d3019bcae

SHA1
cbed7b329357dd94d47df917420d93c3756626df

SHA256
4c3a449c4134f50083d6b5e3474044cce4be3230ed4b49681ea116ae5a1d2b66

SHA512
254cfb5db81fe7c0a873ce366fca6bc01d3afc69262305e79d094a5eeddcfb83eaa105eac447fa3be61f459d6b2c68cd0a0a55dad0b97e5a5a096463c8250f74

Download Submit
\Users\Admin\AppData\Local\Temp\1000005001\3333.exe

Filesize
4.6MB

MD5
10c4eb50adca0b5e5c38ae0fdfa422fc

SHA1
204fa092bd55f6c999733807115dbc5817fd2fa8

SHA256
4fb85146079a6ad27e94e913e2302d6a47f8f5409f55f174aecdd8c99ab372ed

SHA512
552fd54a83ba2bb2b64d25890aa1336ca397669fd3dbdf8bc64a3edc2bb4e71aa4207b54b09e3ca050acaf2d4cb4b56740b22152abd047e1627874a8ec968636

Download Submit
\Users\Admin\AppData\Local\Temp\1000005001\3333.exe

Filesize
4.6MB

MD5
10c4eb50adca0b5e5c38ae0fdfa422fc

SHA1
204fa092bd55f6c999733807115dbc5817fd2fa8

SHA256
4fb85146079a6ad27e94e913e2302d6a47f8f5409f55f174aecdd8c99ab372ed

SHA512
552fd54a83ba2bb2b64d25890aa1336ca397669fd3dbdf8bc64a3edc2bb4e71aa4207b54b09e3ca050acaf2d4cb4b56740b22152abd047e1627874a8ec968636

Download Submit
\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe

Filesize
63.9MB

MD5
88ad3ba2af8f5d1e183dee916829872c

SHA1
da924090852800d1e41bb120685af99290a61e25

SHA256
09a06048963dbb11e05f5205887282c14773a9812e7aedc02dc6b62e962ac550

SHA512
da20d9e5c546c3556cdbb48a492eed9f5ecb14a1bcd33c62c2a67d77bc76a4836fb62a7a6cd77e0733795e871a1d132611c146aa3a262641d15f3c730f0249a1

Download Submit
\Users\Admin\AppData\Local\Temp\f03fb0fdc0\rovwer.exe

Filesize
99.9MB

MD5
61aa20ac2d09128f3435f69822e7858b

SHA1
c2a1111ea20b97b67388754747c3b3bcd28cda00

SHA256
e761198ba66348fbdb5e50d1dfcc5fa7053300c9b69ddbe5ba12cb5c4c5a3292

SHA512
39df36990a5eb9af5bc9aff5db7f1d35083a8bd29ae739b78b1ec6f0faba24dc7a5d997abdfda66d0a32ee36c3a339fdea5db9baabd0e7a53914e357cdde03fa

Download Submit
memory/1180-71-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-81-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-68-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-70-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-93-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-72-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-74-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-76-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-77-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-80-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-67-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1180-101-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1356-65-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1356-63-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1356-62-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1356-60-0x000007FEEA3A0000-0x000007FEEAEFD000-memory.dmp

Filesize
11.4MB

Download
memory/1356-61-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1356-66-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1356-59-0x000007FEEAF00000-0x000007FEEB923000-memory.dmp

Filesize
10.1MB

Download
memory/1356-57-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1384-91-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1384-87-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-90-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-99-0x0000000000240000-0x0000000000283000-memory.dmp

Filesize
268KB

Download
memory/1384-89-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-97-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-88-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-92-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-84-0x00000000012E0000-0x00000000013B8000-memory.dmp

Filesize
864KB

Download
memory/1384-86-0x0000000000240000-0x0000000000283000-memory.dmp

Filesize
268KB

Download
memory/1940-123-0x0000000000810000-0x00000000008E8000-memory.dmp

Filesize
864KB

Download
memory/1940-121-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1940-119-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1940-109-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1940-115-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1940-110-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1940-114-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1940-112-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1952-124-0x0000000000810000-0x00000000008E8000-memory.dmp

Filesize
864KB

Download
memory/1952-125-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1952-106-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/1952-105-0x0000000000810000-0x00000000008E8000-memory.dmp

Filesize
864KB

Download
memory/1952-102-0x0000000000810000-0x00000000008E8000-memory.dmp

Filesize
864KB

Download
memory/1952-122-0x00000000081D0000-0x00000000082A8000-memory.dmp

Filesize
864KB

Download
memory/1952-100-0x0000000000810000-0x00000000008E8000-memory.dmp

Filesize
864KB

Download
memory/1952-103-0x0000000000810000-0x00000000008E8000-memory.dmp

Filesize
864KB

Download
memory/1952-132-0x00000000081D0000-0x00000000082A8000-memory.dmp

Filesize
864KB

Download
memory/2032-55-0x000000001E820000-0x000000001EAB2000-memory.dmp

Filesize
2.6MB

Download
memory/2032-58-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download
memory/2032-54-0x0000000000840000-0x0000000000B5E000-memory.dmp

Filesize
3.1MB

Download
memory/2032-64-0x00000000006C0000-0x0000000000740000-memory.dmp

Filesize
512KB

Download