amadey | 5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
Size

186KB
MD5

98e9926dc94f2e19a162caa2f69c0923
SHA1

b5780ca5951d762f73b3df1ec77f6b0b13aeb970
SHA256

5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361
SHA512

c966e8f8502d8311e0f6b8c4d5fc14285a05f416889389cd1378e03ccf4118c1e39fdcfd018b7e8bec8204374201e31733d8bbdaff733c511302b1b448be2d1f
SSDEEP

3072:1lYYMWAkYsG5y3j6/XwSYcLpsGPqqi3zfSDAbEaqd:OkYsj3j6YSYcLKGPqrjf3Ea0

Score

10^/10

amadey redline smokeloader @redlinevip cloud (tg: @fatherofcarders)lege backdoor collection discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.50

62.204.41.252/nB8cWack3/index.php

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

redline

Botnet

Lege

31.41.244.14:4694

Attributes

auth_value
096090aaf3ba0872338140cec5689868

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Amadey credential stealer module 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
behavioral1/memory/4448-239-0x0000000000630000-0x0000000000654000-memory.dmp	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll	amadey_cred_module

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2736-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe	family_redline
behavioral1/memory/5088-194-0x00000000003B0000-0x00000000003D8000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe	family_redline
behavioral1/memory/4084-207-0x0000000000660000-0x0000000000688000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

84 4448 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

51F8.exe59D9.exe619A.exegntuud.exe40K.exeLege.exelinda5.exegntuud.exegntuud.exe

pid process

4976 51F8.exe
2264 59D9.exe
3588 619A.exe
4900 gntuud.exe
5088 40K.exe
4084 Lege.exe
2180 linda5.exe
3812 gntuud.exe
3948 gntuud.exe

flow	pid	process
84	4448	rundll32.exe

pid	process
4976	51F8.exe
2264	59D9.exe
3588	619A.exe
4900	gntuud.exe
5088	40K.exe
4084	Lege.exe
2180	linda5.exe
3812	gntuud.exe
3948	gntuud.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

linda5.exe51F8.exegntuud.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	linda5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	51F8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	gntuud.exe

Loads dropped DLL 4 IoCs

Processes:

msiexec.exerundll32.exe

pid process

1244 msiexec.exe
1244 msiexec.exe
4448 rundll32.exe
4448 rundll32.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1244	msiexec.exe
1244	msiexec.exe
4448	rundll32.exe
4448	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gntuud.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40K.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000025001\\40K.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lege.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000026001\\Lege.exe"	gntuud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\linda5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000027001\\linda5.exe"	gntuud.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

59D9.exe

description pid process target process

PID 2264 set thread context of 5000 2264 59D9.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2264 set thread context of 5000	2264	59D9.exe	vbc.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3268	3588	WerFault.exe	619A.exe
4212	2264	WerFault.exe	59D9.exe
3000	4976	WerFault.exe	51F8.exe
4988	3812	WerFault.exe	gntuud.exe
1148	3948	WerFault.exe	gntuud.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3556 schtasks.exe

pid	process
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe

pid	process
2736	5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
2736	5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068

pid	process
3068

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe

pid	process
2736	5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

40K.exeLege.exe

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	5088	40K.exe
Token: SeDebugPrivilege	4084	Lege.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59D9.exe51F8.exegntuud.exelinda5.exe

description	pid	process	target process
PID 3068 wrote to memory of 4976	3068		51F8.exe
PID 3068 wrote to memory of 4976	3068		51F8.exe
PID 3068 wrote to memory of 4976	3068		51F8.exe
PID 3068 wrote to memory of 2264	3068		59D9.exe
PID 3068 wrote to memory of 2264	3068		59D9.exe
PID 3068 wrote to memory of 2264	3068		59D9.exe
PID 3068 wrote to memory of 3588	3068		619A.exe
PID 3068 wrote to memory of 3588	3068		619A.exe
PID 3068 wrote to memory of 3588	3068		619A.exe
PID 3068 wrote to memory of 4176	3068		explorer.exe
PID 3068 wrote to memory of 4176	3068		explorer.exe
PID 3068 wrote to memory of 4176	3068		explorer.exe
PID 3068 wrote to memory of 4176	3068		explorer.exe
PID 3068 wrote to memory of 2164	3068		explorer.exe
PID 3068 wrote to memory of 2164	3068		explorer.exe
PID 3068 wrote to memory of 2164	3068		explorer.exe
PID 2264 wrote to memory of 5000	2264	59D9.exe	vbc.exe
PID 2264 wrote to memory of 5000	2264	59D9.exe	vbc.exe
PID 2264 wrote to memory of 5000	2264	59D9.exe	vbc.exe
PID 2264 wrote to memory of 5000	2264	59D9.exe	vbc.exe
PID 3068 wrote to memory of 4780	3068		explorer.exe
PID 3068 wrote to memory of 4780	3068		explorer.exe
PID 3068 wrote to memory of 4780	3068		explorer.exe
PID 3068 wrote to memory of 4780	3068		explorer.exe
PID 2264 wrote to memory of 5000	2264	59D9.exe	vbc.exe
PID 3068 wrote to memory of 1788	3068		explorer.exe
PID 3068 wrote to memory of 1788	3068		explorer.exe
PID 3068 wrote to memory of 1788	3068		explorer.exe
PID 4976 wrote to memory of 4900	4976	51F8.exe	gntuud.exe
PID 4976 wrote to memory of 4900	4976	51F8.exe	gntuud.exe
PID 4976 wrote to memory of 4900	4976	51F8.exe	gntuud.exe
PID 3068 wrote to memory of 3804	3068		explorer.exe
PID 3068 wrote to memory of 3804	3068		explorer.exe
PID 3068 wrote to memory of 3804	3068		explorer.exe
PID 3068 wrote to memory of 3804	3068		explorer.exe
PID 4900 wrote to memory of 3556	4900	gntuud.exe	schtasks.exe
PID 4900 wrote to memory of 3556	4900	gntuud.exe	schtasks.exe
PID 4900 wrote to memory of 3556	4900	gntuud.exe	schtasks.exe
PID 3068 wrote to memory of 5024	3068		explorer.exe
PID 3068 wrote to memory of 5024	3068		explorer.exe
PID 3068 wrote to memory of 5024	3068		explorer.exe
PID 3068 wrote to memory of 5024	3068		explorer.exe
PID 3068 wrote to memory of 1808	3068		explorer.exe
PID 3068 wrote to memory of 1808	3068		explorer.exe
PID 3068 wrote to memory of 1808	3068		explorer.exe
PID 3068 wrote to memory of 1808	3068		explorer.exe
PID 4900 wrote to memory of 5088	4900	gntuud.exe	40K.exe
PID 4900 wrote to memory of 5088	4900	gntuud.exe	40K.exe
PID 4900 wrote to memory of 5088	4900	gntuud.exe	40K.exe
PID 3068 wrote to memory of 2124	3068		explorer.exe
PID 3068 wrote to memory of 2124	3068		explorer.exe
PID 3068 wrote to memory of 2124	3068		explorer.exe
PID 3068 wrote to memory of 2480	3068		explorer.exe
PID 3068 wrote to memory of 2480	3068		explorer.exe
PID 3068 wrote to memory of 2480	3068		explorer.exe
PID 3068 wrote to memory of 2480	3068		explorer.exe
PID 4900 wrote to memory of 4084	4900	gntuud.exe	Lege.exe
PID 4900 wrote to memory of 4084	4900	gntuud.exe	Lege.exe
PID 4900 wrote to memory of 4084	4900	gntuud.exe	Lege.exe
PID 4900 wrote to memory of 2180	4900	gntuud.exe	linda5.exe
PID 4900 wrote to memory of 2180	4900	gntuud.exe	linda5.exe
PID 4900 wrote to memory of 2180	4900	gntuud.exe	linda5.exe
PID 2180 wrote to memory of 1244	2180	linda5.exe	msiexec.exe
PID 2180 wrote to memory of 1244	2180	linda5.exe	msiexec.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe
"C:\Users\Admin\AppData\Local\Temp\5f90b3aca347e4beada04f9dc45ceedcc2bac19c942bcaa18e027b7643a56361.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2736

C:\Users\Admin\AppData\Local\Temp\51F8.exe
C:\Users\Admin\AppData\Local\Temp\51F8.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4976

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
"C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe" /F
3⤵
- Creates scheduled task(s)
PID:3556

C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe
"C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe
"C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe
"C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /y .\PtU1.AM
4⤵
- Loads dropped DLL
PID:1244

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- outlook_win_path
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 892
2⤵
- Program crash
PID:3000

C:\Users\Admin\AppData\Local\Temp\59D9.exe
C:\Users\Admin\AppData\Local\Temp\59D9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 240
2⤵
- Program crash
PID:4212

C:\Users\Admin\AppData\Local\Temp\619A.exe
C:\Users\Admin\AppData\Local\Temp\619A.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 288
2⤵
- Program crash
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3588 -ip 3588
1⤵
PID:3316

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4176

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2164

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2264 -ip 2264
1⤵
PID:4596

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4976 -ip 4976
1⤵
PID:3468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5024

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1808

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 416
2⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3812 -ip 3812
1⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 416
2⤵
- Program crash
PID:1148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3948 -ip 3948
1⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe
Filesize
137KB

MD5
87ef06885fd221a86bba9e5b86a7ea7d

SHA1
6644db86f2d557167f442a5fe72a82de3fe943ba

SHA256
ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f

SHA512
c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000025001\40K.exe
Filesize
137KB

MD5
87ef06885fd221a86bba9e5b86a7ea7d

SHA1
6644db86f2d557167f442a5fe72a82de3fe943ba

SHA256
ab5026bf6fe5d692faaf86752b4c9fa226ec49ba54cfb625579287b498eab20f

SHA512
c65b38856d4995b01454754044ae7373363a02b8e228c249fee3c1c2222f2348473f0bba5a5f2e4a280cd183e57dc13423bb09f86919ccb8968c8229310c5ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe
Filesize
137KB

MD5
0a793a6b9941c49675a47a2bc91cb420

SHA1
ff051cc2d9cf081e863f5bb8c3d2449c28f12c7f

SHA256
3bb977fda504647a2f21a19b67c3edf91ea1eb35166258164eb89b8ae1603c60

SHA512
fd695f62ef32f79f3b4e5c57c68056b004355d5a16e6558bfb310f8ded03c837fe5f505f5a4f433a740fa0b980a71962571c3dd4ed86d95146a22f126850dc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000026001\Lege.exe
Filesize
137KB

MD5
0a793a6b9941c49675a47a2bc91cb420

SHA1
ff051cc2d9cf081e863f5bb8c3d2449c28f12c7f

SHA256
3bb977fda504647a2f21a19b67c3edf91ea1eb35166258164eb89b8ae1603c60

SHA512
fd695f62ef32f79f3b4e5c57c68056b004355d5a16e6558bfb310f8ded03c837fe5f505f5a4f433a740fa0b980a71962571c3dd4ed86d95146a22f126850dc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe
Filesize
1.6MB

MD5
bcf73a95d7cff6a563a899d1f7d8c0b0

SHA1
82bd1029a51a67d8b569cc48808ebb714a22748b

SHA256
ffee0c4fbb5e0dd85bed62198229736f95517dc3a72a307083a4d35b31e57ed4

SHA512
50c3499fd3bbebcb31f180f11fb8722114f6768be3ad688ae045f9e5e63ad78e99054f01df2865854087c2d2f432cb61598cd4bf816289eb82791c2a9dbde591

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000027001\linda5.exe
Filesize
1.6MB

MD5
bcf73a95d7cff6a563a899d1f7d8c0b0

SHA1
82bd1029a51a67d8b569cc48808ebb714a22748b

SHA256
ffee0c4fbb5e0dd85bed62198229736f95517dc3a72a307083a4d35b31e57ed4

SHA512
50c3499fd3bbebcb31f180f11fb8722114f6768be3ad688ae045f9e5e63ad78e99054f01df2865854087c2d2f432cb61598cd4bf816289eb82791c2a9dbde591

Download Submit
C:\Users\Admin\AppData\Local\Temp\51F8.exe
Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\51F8.exe
Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\59D9.exe
Filesize
4.6MB

MD5
c6ded8762cdd4b6dfd1786a86dd14527

SHA1
fad44e357fca7c944fef59f75ecb33f2a0737d53

SHA256
7b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb

SHA512
00e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\59D9.exe
Filesize
4.6MB

MD5
c6ded8762cdd4b6dfd1786a86dd14527

SHA1
fad44e357fca7c944fef59f75ecb33f2a0737d53

SHA256
7b58f4a4d1f500506201a5e4c0f5842351caf8070863999d8166684786ffc0cb

SHA512
00e2a36bf88283f9c560e9c55e40ac2779922b02cb6dcfb84f3df56ff82f9a779fb1c04f3ad009a5049773d27e8baefa137bd653266461409ec3733483fe38dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\619A.exe
Filesize
1.2MB

MD5
d21c0fcfdc6a04825225418b294160cc

SHA1
7566a4019ae9792de349c9b2482aa04091b48df4

SHA256
1eff9b58c3850c4e75b20b622255c04c994c11c2f4da649ec0815058e5bb765c

SHA512
1ee892f0eba2dd2a55b4bd4f80fd290ed9146306dd17d2e91165972a59870300d7ebfa73a445b8927c83730f86849889f978e7ac0497433aff896f1a5a62b97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\99e342142d\gntuud.exe
Filesize
244KB

MD5
0953f9309090c246bfebc27755e19196

SHA1
3fe53ec55cec66f59c27fc667bafe55fb84e9c2b

SHA256
5a718aa5546e7fa55fae4c1b3f7f99a276e6d572b8ce26a2fbcee6f2c1963568

SHA512
9fbba810bb0ad6c6f638b56b0d7f216461ec4f43fa57d26d52664c740a5b414865fd56d649dfb64702ee290ca7cf57be24f936b29d3f51c8a3f400fe40fd1c16

Download Submit
C:\Users\Admin\AppData\Local\Temp\PtU1.AM
Filesize
1.5MB

MD5
49ad213d3e2f304c2170118fab55cc54

SHA1
4c8ceac0d9bd32611ed8b3f5dca85f451911e7fb

SHA256
11c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff

SHA512
562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ptu1.Am
Filesize
1.5MB

MD5
49ad213d3e2f304c2170118fab55cc54

SHA1
4c8ceac0d9bd32611ed8b3f5dca85f451911e7fb

SHA256
11c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff

SHA512
562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ptu1.Am
Filesize
1.5MB

MD5
49ad213d3e2f304c2170118fab55cc54

SHA1
4c8ceac0d9bd32611ed8b3f5dca85f451911e7fb

SHA256
11c0c4f797a4a1459fc2bcf9d9dc55f1c0c3a0bb7d66738333d5132c1cf910ff

SHA512
562c420119c8c42d9d5590e2106b340a44279b6d0f07eb19573fa6e3d466d7824ba83eb8a34da6c1dc6912bd0f8350dcdd5fe88ffcef2a1ae8d319e76094ce43

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
126KB

MD5
d3cb6267ee9076d5aef4a2dbe0d815c8

SHA1
840218680463914d50509ed6d7858e328fc8a54c

SHA256
fea6ecd2a63044cc6be256142021fc91564c2ae1705620efc2fe6a3f4e265689

SHA512
4c10709ae5288dae7d297beecca29b7700e2926787941139e81c61eb4ad0790152991d7447c4243891c51115f5a9dd43b4c0e7dd0f9dfdbe1cc466fbe9f3841a

Download Submit
memory/1244-227-0x0000000002A20000-0x0000000002BAC000-memory.dmp

Filesize
1.5MB

Download
memory/1244-222-0x0000000000000000-mapping.dmp

Download
memory/1788-210-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1788-168-0x0000000000000000-mapping.dmp

Download
memory/1788-177-0x00000000006A0000-0x00000000006A6000-memory.dmp

Filesize
24KB

Download
memory/1788-172-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1808-192-0x00000000003C0000-0x00000000003CB000-memory.dmp

Filesize
44KB

Download
memory/1808-191-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1808-214-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/1808-187-0x0000000000000000-mapping.dmp

Download
memory/2124-218-0x0000000000830000-0x0000000000837000-memory.dmp

Filesize
28KB

Download
memory/2124-193-0x0000000000000000-mapping.dmp

Download
memory/2124-195-0x0000000000830000-0x0000000000837000-memory.dmp

Filesize
28KB

Download
memory/2124-196-0x0000000000820000-0x000000000082D000-memory.dmp

Filesize
52KB

Download
memory/2164-160-0x0000000000D20000-0x0000000000D2F000-memory.dmp

Filesize
60KB

Download
memory/2164-149-0x0000000000000000-mapping.dmp

Download
memory/2164-208-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/2164-159-0x0000000000D30000-0x0000000000D39000-memory.dmp

Filesize
36KB

Download
memory/2180-215-0x0000000000000000-mapping.dmp

Download
memory/2264-143-0x0000000000000000-mapping.dmp

Download
memory/2480-197-0x0000000000000000-mapping.dmp

Download
memory/2480-198-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2480-199-0x0000000000780000-0x000000000078B000-memory.dmp

Filesize
44KB

Download
memory/2480-224-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2736-135-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/2736-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/2736-132-0x0000000000808000-0x0000000000819000-memory.dmp

Filesize
68KB

Download
memory/2736-134-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/3556-181-0x0000000000000000-mapping.dmp

Download
memory/3588-146-0x0000000000000000-mapping.dmp

Download
memory/3804-176-0x0000000000000000-mapping.dmp

Download
memory/3804-211-0x0000000001460000-0x0000000001482000-memory.dmp

Filesize
136KB

Download
memory/3804-179-0x0000000001430000-0x0000000001457000-memory.dmp

Filesize
156KB

Download
memory/3804-178-0x0000000001460000-0x0000000001482000-memory.dmp

Filesize
136KB

Download
memory/3812-233-0x00000000005FC000-0x000000000061B000-memory.dmp

Filesize
124KB

Download
memory/3812-234-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3948-242-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3948-241-0x000000000051C000-0x000000000053B000-memory.dmp

Filesize
124KB

Download
memory/4084-207-0x0000000000660000-0x0000000000688000-memory.dmp

Filesize
160KB

Download
memory/4084-228-0x00000000065D0000-0x0000000006646000-memory.dmp

Filesize
472KB

Download
memory/4084-204-0x0000000000000000-mapping.dmp

Download
memory/4084-221-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/4084-230-0x0000000006870000-0x0000000006A32000-memory.dmp

Filesize
1.8MB

Download
memory/4084-231-0x0000000006F70000-0x000000000749C000-memory.dmp

Filesize
5.2MB

Download
memory/4176-148-0x0000000000000000-mapping.dmp

Download
memory/4176-170-0x0000000000320000-0x000000000032B000-memory.dmp

Filesize
44KB

Download
memory/4176-162-0x0000000000330000-0x0000000000337000-memory.dmp

Filesize
28KB

Download
memory/4448-239-0x0000000000630000-0x0000000000654000-memory.dmp

Filesize
144KB

Download
memory/4448-235-0x0000000000000000-mapping.dmp

Download
memory/4780-209-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/4780-163-0x0000000000000000-mapping.dmp

Download
memory/4780-171-0x0000000000A70000-0x0000000000A79000-memory.dmp

Filesize
36KB

Download
memory/4780-169-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/4900-186-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4900-173-0x0000000000000000-mapping.dmp

Download
memory/4900-213-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4900-185-0x00000000006F8000-0x0000000000717000-memory.dmp

Filesize
124KB

Download
memory/4976-136-0x0000000000000000-mapping.dmp

Download
memory/4976-141-0x0000000001F90000-0x0000000001FCE000-memory.dmp

Filesize
248KB

Download
memory/4976-142-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4976-180-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4976-140-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/5000-153-0x0000000000700000-0x0000000000B0F000-memory.dmp

Filesize
4.1MB

Download
memory/5000-150-0x0000000000000000-mapping.dmp

Download
memory/5000-167-0x0000000000700000-0x0000000000B0F000-memory.dmp

Filesize
4.1MB

Download
memory/5000-152-0x0000000000701000-0x0000000000ADF000-memory.dmp

Filesize
3.9MB

Download
memory/5024-212-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/5024-182-0x0000000000000000-mapping.dmp

Download
memory/5024-183-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/5024-184-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/5088-202-0x00000000072D0000-0x00000000072E2000-memory.dmp

Filesize
72KB

Download
memory/5088-188-0x0000000000000000-mapping.dmp

Download
memory/5088-194-0x00000000003B0000-0x00000000003D8000-memory.dmp

Filesize
160KB

Download
memory/5088-229-0x0000000008080000-0x00000000080D0000-memory.dmp

Filesize
320KB

Download
memory/5088-200-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/5088-201-0x00000000073B0000-0x00000000074BA000-memory.dmp

Filesize
1.0MB

Download
memory/5088-203-0x0000000007330000-0x000000000736C000-memory.dmp

Filesize
240KB

Download
memory/5088-220-0x0000000008630000-0x0000000008BD4000-memory.dmp

Filesize
5.6MB

Download
memory/5088-219-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download