amadey | 63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

Analysis

max time kernel
113s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
17/01/2023, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

235KB
MD5

b7eb637a789d70642d903d6fe31c23d7
SHA1

03834c1c6022eecb6fe4410e4ae912fafba53dd0
SHA256

63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61
SHA512

02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e
SSDEEP

6144:6fSsOzqs7nAV3QN2tW0J3SluVy3VYT/gXqgkX:HbN6J4uVy3Vega

Score

10^/10

amadey redline 1 norm puls discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.66

62.204.41.111/jb9sZZZbv7/index.php

Extracted

Family

redline

Botnet

puls

62.204.41.211:4065

Attributes

auth_value
7cc67b888152f8a80db488ff6fde5a74

Extracted

Family

redline

Botnet

norm

62.204.41.211:4065

Attributes

auth_value
d0af85918e0b1e8a84ea33cee2471ff5

Extracted

Family

redline

Botnet

librchichelpai.shop:81

rniwondunuifac.shop:81

Attributes

auth_value
b6c86adb7106e9ee7247628f59e06830

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/1336-98-0x0000000004840000-0x0000000004886000-memory.dmp	family_redline
behavioral1/memory/1336-102-0x0000000006F10000-0x0000000006F54000-memory.dmp	family_redline
behavioral1/memory/1840-133-0x0000000002BC0000-0x0000000002C06000-memory.dmp	family_redline
behavioral1/memory/1840-134-0x0000000002C00000-0x0000000002C44000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
316	nbveek.exe
2020	puls.exe
1648	nbveek.exe
1336	brost.exe
1840	nbveek.exe
1720	brown1.exe
2324	nbveek.exe
2712	nbveek.exe

Loads dropped DLL 11 IoCs

pid	Process
976	tmp.exe
316	nbveek.exe
316	nbveek.exe
316	nbveek.exe
316	nbveek.exe
316	nbveek.exe
316	nbveek.exe
316	nbveek.exe
1016	WerFault.exe
1016	WerFault.exe
1016	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\puls.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000001051\\puls.exe"	nbveek.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\brost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004051\\brost.exe"	nbveek.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 316 set thread context of 1648	316	nbveek.exe	42
PID 316 set thread context of 1840	316	nbveek.exe	46
PID 1720 set thread context of 1236	1720	brown1.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1016	316	WerFault.exe	28

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
676	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CB229F1-9675-11ED-882B-42F1C931D1AB} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000038fef3738cc9b6468402944824c32479a7b8e347319e51113e630b3437731b0c000000000e8000000002000020000000eff233aba2b345a807a55da2758dde2bfca4f67cf54738f21feae3b160b6c06120000000aa7ac70bd99616d0c41a151dc2af19f0b7dc405b08d8e2c1a36948a5231aace4400000002ed55403aa2fd8a11c350ae0f259f4d8988711e1929ad5955d4120f17c6b0050eea3da69df013c6d49d24a448dd794bdb89931a523aaa45578362c0f402aa749	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380731582"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b079ec25822ad901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a6e0cceab4c31ffeece848bc91be8ff5d6ba08999421b819cc8dcb52e24ab770000000000e80000000020000200000005a144fd91d5b8ea1cd5c5f59608e6a6e236fd56e227a5bff7db0c05d1c95e85990000000230967726027b9b190076b5473c3bf9888d4c2d10be92e9d5378021c502de82ec5bc84be1ab32fddc72f0ac5b255b4e25796b355727181c59362244013a2715ab761db3d0c45d546489dfa395ac788d5be56fa6d4b450f5836ec0d4e36eea01657491ead4fa5908ba3092270feb1abcddcab6771e3bdc23b91c154161e8c2738956c81d91a0cef773c3ae23e01e93ec940000000b3ae7157e8d84de8c315e1db3fdfb9498a71c57c675595423976c53440be5b31c405f2baca8ffe2c7ebae74b9c647afe108beddb5d42cf4502fedd66cccb95c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2020	puls.exe
1336	brost.exe
2020	puls.exe
1840	nbveek.exe
1336	brost.exe
1840	nbveek.exe
1236	AppLaunch.exe
1236	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	brost.exe
Token: SeDebugPrivilege	1840	nbveek.exe
Token: SeDebugPrivilege	2020	puls.exe
Token: SeDebugPrivilege	1236	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
864	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
864	iexplore.exe
864	iexplore.exe
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE
588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 316	976	tmp.exe	28
PID 976 wrote to memory of 316	976	tmp.exe	28
PID 976 wrote to memory of 316	976	tmp.exe	28
PID 976 wrote to memory of 316	976	tmp.exe	28
PID 316 wrote to memory of 676	316	nbveek.exe	29
PID 316 wrote to memory of 676	316	nbveek.exe	29
PID 316 wrote to memory of 676	316	nbveek.exe	29
PID 316 wrote to memory of 676	316	nbveek.exe	29
PID 316 wrote to memory of 784	316	nbveek.exe	31
PID 316 wrote to memory of 784	316	nbveek.exe	31
PID 316 wrote to memory of 784	316	nbveek.exe	31
PID 316 wrote to memory of 784	316	nbveek.exe	31
PID 784 wrote to memory of 1940	784	cmd.exe	33
PID 784 wrote to memory of 1940	784	cmd.exe	33
PID 784 wrote to memory of 1940	784	cmd.exe	33
PID 784 wrote to memory of 1940	784	cmd.exe	33
PID 784 wrote to memory of 904	784	cmd.exe	34
PID 784 wrote to memory of 904	784	cmd.exe	34
PID 784 wrote to memory of 904	784	cmd.exe	34
PID 784 wrote to memory of 904	784	cmd.exe	34
PID 784 wrote to memory of 1600	784	cmd.exe	35
PID 784 wrote to memory of 1600	784	cmd.exe	35
PID 784 wrote to memory of 1600	784	cmd.exe	35
PID 784 wrote to memory of 1600	784	cmd.exe	35
PID 784 wrote to memory of 1768	784	cmd.exe	36
PID 784 wrote to memory of 1768	784	cmd.exe	36
PID 784 wrote to memory of 1768	784	cmd.exe	36
PID 784 wrote to memory of 1768	784	cmd.exe	36
PID 784 wrote to memory of 1772	784	cmd.exe	37
PID 784 wrote to memory of 1772	784	cmd.exe	37
PID 784 wrote to memory of 1772	784	cmd.exe	37
PID 784 wrote to memory of 1772	784	cmd.exe	37
PID 784 wrote to memory of 1564	784	cmd.exe	38
PID 784 wrote to memory of 1564	784	cmd.exe	38
PID 784 wrote to memory of 1564	784	cmd.exe	38
PID 784 wrote to memory of 1564	784	cmd.exe	38
PID 316 wrote to memory of 2020	316	nbveek.exe	41
PID 316 wrote to memory of 2020	316	nbveek.exe	41
PID 316 wrote to memory of 2020	316	nbveek.exe	41
PID 316 wrote to memory of 2020	316	nbveek.exe	41
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1648	316	nbveek.exe	42
PID 316 wrote to memory of 1336	316	nbveek.exe	43
PID 316 wrote to memory of 1336	316	nbveek.exe	43
PID 316 wrote to memory of 1336	316	nbveek.exe	43
PID 316 wrote to memory of 1336	316	nbveek.exe	43
PID 1648 wrote to memory of 864	1648	nbveek.exe	44
PID 1648 wrote to memory of 864	1648	nbveek.exe	44
PID 1648 wrote to memory of 864	1648	nbveek.exe	44
PID 1648 wrote to memory of 864	1648	nbveek.exe	44
PID 864 wrote to memory of 588	864	iexplore.exe	45
PID 864 wrote to memory of 588	864	iexplore.exe	45
PID 864 wrote to memory of 588	864	iexplore.exe	45
PID 864 wrote to memory of 588	864	iexplore.exe	45
PID 316 wrote to memory of 1840	316	nbveek.exe	46
PID 316 wrote to memory of 1840	316	nbveek.exe	46
PID 316 wrote to memory of 1840	316	nbveek.exe	46

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976
- C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
  "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:676
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4b9a106e76" /P "Admin:N"&&CACLS "..\4b9a106e76" /P "Admin:R" /E&&Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1940
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:N"
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "nbveek.exe" /P "Admin:R" /E
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\4b9a106e76" /P "Admin:N"
      4⤵
      PID:1772
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\4b9a106e76" /P "Admin:R" /E
      4⤵
      PID:1564
- - C:\Users\Admin\AppData\Local\Temp\1000001051\puls.exe
    "C:\Users\Admin\AppData\Local\Temp\1000001051\puls.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=nbveek.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:864 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:588
- - C:\Users\Admin\AppData\Local\Temp\1000004051\brost.exe
    "C:\Users\Admin\AppData\Local\Temp\1000004051\brost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
    "C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\1000007001\brown1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000007001\brown1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1720
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 1012
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1016

C:\Windows\system32\taskeng.exe
taskeng.exe {85CFCCCA-C72A-4F8C-9145-B517B477FCC7} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
  C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
  C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe
  2⤵
  - Executes dropped EXE
  PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f54d28f1926f84a8751b6ebf72a3347

SHA1
492caed855b3249901a4a8e6b7ce2c2df1aa6228

SHA256
47abd47de571f81d785887e0fb879271fdcf77518fba862827a54097be8d895d

SHA512
6a542a5e7670cad8c4e43a12e806cb7384d570c870e5a656f5736f4fffa5c8e25dec35944abcb71fd8ae80cc3506c0b160e62a4706a21e7ef1dbabd3c4f0e6c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
221d0c79c9319d261f024a579d8ac350

SHA1
3be2a51f6e206b3c6fe8f31d0ed208c6686f461e

SHA256
429616b061354038d9f9a796fcbaea4669b77ec0ce626a117000a6ab1245f0c0

SHA512
3c1202a5807ab4cf0ccadbb8d97754788bfb06b50b35a635648e1d7cc5941e9f2e757b8293ae7bdf3290810a7d18ded12842cc82d7f73e8272e3edab1a24a9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\puls.exe

Filesize
175KB

MD5
168b8ba40c524df86af678b06e0b539e

SHA1
d9bef310267259c1f5d54a4ca3d2fdeb2a54f706

SHA256
e5361d36b7f82f0566bdfeaaf2b6c98a4b17e2c80a6c62ab74762deef9aa1745

SHA512
7da633979f74a255b33d021a21ad30a56dccea9eeffc1eef240e039ab81a0d18ee676b4513e4ecb68f66fe926996c6e0ab9f4f3e640e18ff4b7d78ae53eb4270

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001051\puls.exe

Filesize
175KB

MD5
168b8ba40c524df86af678b06e0b539e

SHA1
d9bef310267259c1f5d54a4ca3d2fdeb2a54f706

SHA256
e5361d36b7f82f0566bdfeaaf2b6c98a4b17e2c80a6c62ab74762deef9aa1745

SHA512
7da633979f74a255b33d021a21ad30a56dccea9eeffc1eef240e039ab81a0d18ee676b4513e4ecb68f66fe926996c6e0ab9f4f3e640e18ff4b7d78ae53eb4270

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\brost.exe

Filesize
332KB

MD5
1cace47dae85c824db114f36bb23fedc

SHA1
398e059b2d5133cd6349e4ead34adcff54baad57

SHA256
29a63c00cdd05cc72723e4a111ac7156b90b1697c8f48ce80d711b1a6a6f0e2c

SHA512
65fb30b3df905fdd127ca7808fc2596df31ed89375d007ec0e580885a34b3fb3055a7875e70a3fa5af60e87a055dbe9f3b33d0105f6d4c1d85db90c432851d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000007001\brown1.exe

Filesize
242KB

MD5
e68ad3c41106a2a275dd11e49269f6c1

SHA1
f6b6e089a27f9d9776196be811f76646be7d93af

SHA256
0ed29305d80fb34256df5b728bc80584a6d51f4b62df353b4b89d6a5327e1968

SHA512
398ac7b44e2cf58ffe5cba9f0f3a9e7854c39e33134dc0c9f8546120072729636462bd78479516428951359426d66ce81c712d71e2fd471c5c747951eaf9fd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7ALHDP7T.txt

Filesize
601B

MD5
5a3c713e63756bbdc7824dcd8565bcd9

SHA1
786ce24573fac7c76008c1d3e5711931e9942e61

SHA256
e6be1b493467970b3ba4f5975bfc447b3a38fa5ec70c2b61a51623a139392f77

SHA512
5b680a1a80f4fde483342f88e5b3842b1da1df43b6f126b35bf864c1d74ee53cc6ee3a76153f065680355311b6907e3ccfee5291d67b43c8959a0b05f76884b8

Download Submit
\Users\Admin\AppData\Local\Temp\1000001051\puls.exe

Filesize
175KB

MD5
168b8ba40c524df86af678b06e0b539e

SHA1
d9bef310267259c1f5d54a4ca3d2fdeb2a54f706

SHA256
e5361d36b7f82f0566bdfeaaf2b6c98a4b17e2c80a6c62ab74762deef9aa1745

SHA512
7da633979f74a255b33d021a21ad30a56dccea9eeffc1eef240e039ab81a0d18ee676b4513e4ecb68f66fe926996c6e0ab9f4f3e640e18ff4b7d78ae53eb4270

Download Submit
\Users\Admin\AppData\Local\Temp\1000004051\brost.exe

Filesize
332KB

MD5
1cace47dae85c824db114f36bb23fedc

SHA1
398e059b2d5133cd6349e4ead34adcff54baad57

SHA256
29a63c00cdd05cc72723e4a111ac7156b90b1697c8f48ce80d711b1a6a6f0e2c

SHA512
65fb30b3df905fdd127ca7808fc2596df31ed89375d007ec0e580885a34b3fb3055a7875e70a3fa5af60e87a055dbe9f3b33d0105f6d4c1d85db90c432851d05

Download Submit
\Users\Admin\AppData\Local\Temp\1000004051\brost.exe

Filesize
332KB

MD5
1cace47dae85c824db114f36bb23fedc

SHA1
398e059b2d5133cd6349e4ead34adcff54baad57

SHA256
29a63c00cdd05cc72723e4a111ac7156b90b1697c8f48ce80d711b1a6a6f0e2c

SHA512
65fb30b3df905fdd127ca7808fc2596df31ed89375d007ec0e580885a34b3fb3055a7875e70a3fa5af60e87a055dbe9f3b33d0105f6d4c1d85db90c432851d05

Download Submit
\Users\Admin\AppData\Local\Temp\1000007001\brown1.exe

Filesize
242KB

MD5
e68ad3c41106a2a275dd11e49269f6c1

SHA1
f6b6e089a27f9d9776196be811f76646be7d93af

SHA256
0ed29305d80fb34256df5b728bc80584a6d51f4b62df353b4b89d6a5327e1968

SHA512
398ac7b44e2cf58ffe5cba9f0f3a9e7854c39e33134dc0c9f8546120072729636462bd78479516428951359426d66ce81c712d71e2fd471c5c747951eaf9fd4f

Download Submit
\Users\Admin\AppData\Local\Temp\1000007001\brown1.exe

Filesize
242KB

MD5
e68ad3c41106a2a275dd11e49269f6c1

SHA1
f6b6e089a27f9d9776196be811f76646be7d93af

SHA256
0ed29305d80fb34256df5b728bc80584a6d51f4b62df353b4b89d6a5327e1968

SHA512
398ac7b44e2cf58ffe5cba9f0f3a9e7854c39e33134dc0c9f8546120072729636462bd78479516428951359426d66ce81c712d71e2fd471c5c747951eaf9fd4f

Download Submit
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
\Users\Admin\AppData\Local\Temp\4b9a106e76\nbveek.exe

Filesize
235KB

MD5
b7eb637a789d70642d903d6fe31c23d7

SHA1
03834c1c6022eecb6fe4410e4ae912fafba53dd0

SHA256
63cc018bd69c2c9f028ecebbc2752a368f6f8f12b246e2c2526b3b7f95709b61

SHA512
02d4921fb419d12de1244be331f5012b57e3811b05d6266272cb228e7636e1f0149bfe31efefbc915798f22207834b3e68101ce6ef083aa7829f1b7404a4a10e

Download Submit
memory/976-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/1236-123-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-130-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1236-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1336-102-0x0000000006F10000-0x0000000006F54000-memory.dmp

Filesize
272KB

Download
memory/1336-100-0x0000000002DAB000-0x0000000002DDA000-memory.dmp

Filesize
188KB

Download
memory/1336-101-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/1336-98-0x0000000004840000-0x0000000004886000-memory.dmp

Filesize
280KB

Download
memory/1336-104-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1336-138-0x0000000002DAB000-0x0000000002DDA000-memory.dmp

Filesize
188KB

Download
memory/1336-145-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1336-144-0x0000000002DAB000-0x0000000002DDA000-memory.dmp

Filesize
188KB

Download
memory/1648-85-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-81-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-78-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1648-76-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1840-94-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-107-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-97-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-133-0x0000000002BC0000-0x0000000002C06000-memory.dmp

Filesize
280KB

Download
memory/1840-134-0x0000000002C00000-0x0000000002C44000-memory.dmp

Filesize
272KB

Download
memory/1840-136-0x0000000002EBB000-0x0000000002EEA000-memory.dmp

Filesize
188KB

Download
memory/1840-137-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1840-116-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-103-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-149-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1840-111-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-129-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-95-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-146-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-147-0x0000000000400000-0x0000000002BBB000-memory.dmp

Filesize
39.7MB

Download
memory/1840-148-0x0000000002EBB000-0x0000000002EEA000-memory.dmp

Filesize
188KB

Download
memory/2020-72-0x0000000001100000-0x0000000001132000-memory.dmp

Filesize
200KB

Download