amadey | 18ab77b46f43847e5544dca47ad24c7a241d3ddf20f9a4ed5f663c477a1420e7

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.5MB
MD5

94b07cea9a210e7bab966658b2dd1c86
SHA1

efa95afeaf9c75645b67b0814a555e086fe2bece
SHA256

18ab77b46f43847e5544dca47ad24c7a241d3ddf20f9a4ed5f663c477a1420e7
SHA512

60aa974435e264d682e9d5fc42812025337d485ab451aea004310b5e83cfa8c8bbe8f464f37646561c1344cae9b64b580a02c57a7647eae838f7046737d1af95
SSDEEP

12288:6FursW8SLl2NuGQwd8JiUn/5EwrTbgL5TtgC6fplh5ttiCja5pu/ouXYxEUc1FS9:ocB4uGMdhCE7liCUUzS1j

Score

10^/10

amadey discovery spyware stealer trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.65

77.73.134.27/8bmdh3Slb2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4404 4264 rundll32.exe
Downloads MZ/PE file

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4264	rundll32.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exezhangy.exePlayer3.exenbveek.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	zhangy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Player3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	nbveek.exe

Executes dropped EXE 8 IoCs

Processes:

zhangy.exess31.exePlayer3.exezhangy.exenbveek.exenbveek.exeSetupdmit.exenbveek.exe

pid process

3300 zhangy.exe
3880 ss31.exe
1872 Player3.exe
3140 zhangy.exe
4208 nbveek.exe
3044 nbveek.exe
3588 Setupdmit.exe
1576 nbveek.exe
Loads dropped DLL 7 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exeSetupdmit.exe

pid process

4936 rundll32.exe
4452 rundll32.exe
1820 rundll32.exe
2648 rundll32.exe
3588 Setupdmit.exe
3588 Setupdmit.exe
3588 Setupdmit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3300	zhangy.exe
3880	ss31.exe
1872	Player3.exe
3140	zhangy.exe
4208	nbveek.exe
3044	nbveek.exe
3588	Setupdmit.exe
1576	nbveek.exe

pid	process
4936	rundll32.exe
4452	rundll32.exe
1820	rundll32.exe
2648	rundll32.exe
3588	Setupdmit.exe
3588	Setupdmit.exe
3588	Setupdmit.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe	vmprotect
behavioral2/memory/3588-234-0x0000000000400000-0x000000000091F000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

740 4936 WerFault.exe rundll32.exe
4280 2648 WerFault.exe rundll32.exe
4008 4436 WerFault.exe GU852FaN.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1516 schtasks.exe

pid	pid_target	process	target process
740	4936	WerFault.exe	rundll32.exe
4280	2648	WerFault.exe	rundll32.exe
4008	4436	WerFault.exe	GU852FaN.exe

pid	process
1516	schtasks.exe

Modifies registry class 44 IoCs

Processes:

zhangy.exezhangy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zhangy.exe"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID\ = "{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\ = "{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ = "sqltest.Application"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zhangy.exe"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR\	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\TypeLib\Version = "1.0"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\CLSID	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32\ = "ole32.dll"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\0	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sqltest.Application\ = "sqltest.Application"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\HELPDIR	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ = "Isqltest"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\InprocHandler32	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zhangy.exe"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{069D06BB-F6A9-428D-9070-FCFF8F5BC5F4}\ProgID\ = "sqltest.Application"	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0	zhangy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BE54215-DFC6-4D78-BF1A-E1F869104825}	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\ = "sqltest"	zhangy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4BD8AC7-1474-45B9-87B4-845611FD1CAD}\1.0\FLAGS\ = "0"	zhangy.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 18 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

zhangy.exezhangy.exe

pid process

3300 zhangy.exe
3300 zhangy.exe
3140 zhangy.exe
3140 zhangy.exe

description	flow	ioc
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3300	zhangy.exe
3300	zhangy.exe
3140	zhangy.exe
3140	zhangy.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

file.exezhangy.exePlayer3.exenbveek.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 1512 wrote to memory of 3300	1512	file.exe	zhangy.exe
PID 1512 wrote to memory of 3300	1512	file.exe	zhangy.exe
PID 1512 wrote to memory of 3300	1512	file.exe	zhangy.exe
PID 1512 wrote to memory of 3880	1512	file.exe	ss31.exe
PID 1512 wrote to memory of 3880	1512	file.exe	ss31.exe
PID 1512 wrote to memory of 1872	1512	file.exe	Player3.exe
PID 1512 wrote to memory of 1872	1512	file.exe	Player3.exe
PID 1512 wrote to memory of 1872	1512	file.exe	Player3.exe
PID 3300 wrote to memory of 3140	3300	zhangy.exe	zhangy.exe
PID 3300 wrote to memory of 3140	3300	zhangy.exe	zhangy.exe
PID 3300 wrote to memory of 3140	3300	zhangy.exe	zhangy.exe
PID 1872 wrote to memory of 4208	1872	Player3.exe	nbveek.exe
PID 1872 wrote to memory of 4208	1872	Player3.exe	nbveek.exe
PID 1872 wrote to memory of 4208	1872	Player3.exe	nbveek.exe
PID 4208 wrote to memory of 1516	4208	nbveek.exe	schtasks.exe
PID 4208 wrote to memory of 1516	4208	nbveek.exe	schtasks.exe
PID 4208 wrote to memory of 1516	4208	nbveek.exe	schtasks.exe
PID 4208 wrote to memory of 4324	4208	nbveek.exe	cmd.exe
PID 4208 wrote to memory of 4324	4208	nbveek.exe	cmd.exe
PID 4208 wrote to memory of 4324	4208	nbveek.exe	cmd.exe
PID 4324 wrote to memory of 3468	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 3468	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 3468	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 1212	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 1212	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 1212	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 3456	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 3456	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 3456	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 4104	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 4104	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 4104	4324	cmd.exe	cmd.exe
PID 4324 wrote to memory of 4944	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 4944	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 4944	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 2564	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 2564	4324	cmd.exe	cacls.exe
PID 4324 wrote to memory of 2564	4324	cmd.exe	cacls.exe
PID 4404 wrote to memory of 4936	4404	rundll32.exe	rundll32.exe
PID 4404 wrote to memory of 4936	4404	rundll32.exe	rundll32.exe
PID 4404 wrote to memory of 4936	4404	rundll32.exe	rundll32.exe
PID 4208 wrote to memory of 1820	4208	nbveek.exe	rundll32.exe
PID 4208 wrote to memory of 1820	4208	nbveek.exe	rundll32.exe
PID 4208 wrote to memory of 1820	4208	nbveek.exe	rundll32.exe
PID 4208 wrote to memory of 4452	4208	nbveek.exe	rundll32.exe
PID 4208 wrote to memory of 4452	4208	nbveek.exe	rundll32.exe
PID 4208 wrote to memory of 4452	4208	nbveek.exe	rundll32.exe
PID 1820 wrote to memory of 2648	1820	rundll32.exe	rundll32.exe
PID 1820 wrote to memory of 2648	1820	rundll32.exe	rundll32.exe
PID 4208 wrote to memory of 3588	4208	nbveek.exe	Setupdmit.exe
PID 4208 wrote to memory of 3588	4208	nbveek.exe	Setupdmit.exe
PID 4208 wrote to memory of 3588	4208	nbveek.exe	Setupdmit.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\zhangy.exe
"C:\Users\Admin\AppData\Local\Temp\zhangy.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\zhangy.exe
"C:\Users\Admin\AppData\Local\Temp\zhangy.exe" -h
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
2⤵
- Executes dropped EXE
PID:3880

C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
4⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3468

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
5⤵
PID:1212

C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
5⤵
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
5⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
5⤵
PID:2564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
5⤵
- Loads dropped DLL
PID:2648

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2648 -s 644
6⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4452

C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3588

C:\Users\Admin\AppData\Roaming\GU852FaN.exe
"C:\Users\Admin\AppData\Roaming\GU852FaN.exe"
5⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 148
6⤵
- Program crash
PID:4008

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 600
3⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4936 -ip 4936
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:3044

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 384 -p 2648 -ip 2648
1⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4436 -ip 4436
1⤵
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe

Filesize
353.7MB

MD5
a7896af587583ee38047aae2b85dc976

SHA1
2607da0062b03c99ea2a81c99f81d2ab3075ad59

SHA256
9058032af1be388869ae0dd4cc6b8fc808d44a9e93e1fb85a6636863020f46f7

SHA512
9b803f33b4e92b88d198d0476b9c76ce2a24e513f27c0c6b915277e3e9d924ac2aa0ad814f163de24fd91b2ecc5cbeb322c8a646737541022402a6b4c65f1849

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe

Filesize
281.2MB

MD5
0e176d752cef5166f3dc7dde8b10f921

SHA1
407e94d29ef874765009972dcff649ce6f308476

SHA256
fa47da5f77cbf1111a464f2069c1c93f22e2ed2ed10d7d0ea523c941efe49717

SHA512
54a8d3f359bbacd54f4c21cbcd9a78185fbdae3d45b77787080b5e5fd4c2d954c2579da3ffaef704f3bd95dde39dded9bdd1cfaa0dd328ddc3a79e31fb83aca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000114001\Setupdmit.exe

Filesize
259.3MB

MD5
d28042411fdf2e1bd9f2efe6901b8291

SHA1
329755e5c25aa1d6a5cb4860006aac578bddd69e

SHA256
d923da9b7300e8e80153507dafbb309602f9381feccc3785d0645fcc7d5056ae

SHA512
b37b70dd637f6312d7abca1115daf5c86f71e2bd401d33dc3f18f8290656e145a8bd2651358c10650830abe5e2d3468593859d9b92cbe9ae3caa63ca47b1b9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\238149048355

Filesize
86KB

MD5
c1c59cf7a9227f5a49e6309cb8c086f7

SHA1
b6226115c9938478e7014c6554c47fd866f5962d

SHA256
3d242fe4ad7bcac94d8540af2ba3f6181fc4e1065f751314190a2c6c9d73243d

SHA512
ebe850244a90be3ee48933b624fb4358d22c6d4313adbcf0cf773507d6fb0abfbdd55903d606a13afc03f5f043d44878049664efcaae127dc24a1847ab55a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Player3.exe

Filesize
244KB

MD5
43a3e1c9723e124a9b495cd474a05dcb

SHA1
d293f427eaa8efc18bb8929a9f54fb61e03bdd89

SHA256
619bbbc9e9ddd1f6b7961cacb33d99c8f558499a33751b28d91085aab8cb95ab

SHA512
6717d6be0f25d66ba3689b703b9f1360c172138faa0172168c531f55eb217050c03a41396b7a440e899974d71c2f42b41d07db0ef97751c420facfae1550bfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
ee5d452cc4ee71e1f544582bf6fca143

SHA1
a193952075b2b4a83759098754e814a931b8ba90

SHA256
f5cb9476e4b5576bb94eae1d278093b6470b0238226d4c05ec8c76747d57cbfe

SHA512
7a935ae3df65b949c5e7f1ed93bd2173165ef4e347ceb5879725fbb995aedeef853b5b1dc4c4155d423f34d004f8a0df59258cefdad5f49e617d0a74764c896b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
950KB

MD5
a04beb4dbbd9eb3f47555d99a8dade4e

SHA1
4eb47611da40f99a521cda4cf45627e98c764114

SHA256
042318b99c7ebcef10513e8e24ddd4aa0ec5ab0e8f2d6be1c549cc70fd1bf0a4

SHA512
e94b1cfd096355967fb26686834773241f04529ad6ba152030ba40fdbe0d5008fefd45159337cd88c3f461dc45c6ba93194627b070ca7a31c089b13c30aea0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
950KB

MD5
a04beb4dbbd9eb3f47555d99a8dade4e

SHA1
4eb47611da40f99a521cda4cf45627e98c764114

SHA256
042318b99c7ebcef10513e8e24ddd4aa0ec5ab0e8f2d6be1c549cc70fd1bf0a4

SHA512
e94b1cfd096355967fb26686834773241f04529ad6ba152030ba40fdbe0d5008fefd45159337cd88c3f461dc45c6ba93194627b070ca7a31c089b13c30aea0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss31.exe

Filesize
950KB

MD5
a04beb4dbbd9eb3f47555d99a8dade4e

SHA1
4eb47611da40f99a521cda4cf45627e98c764114

SHA256
042318b99c7ebcef10513e8e24ddd4aa0ec5ab0e8f2d6be1c549cc70fd1bf0a4

SHA512
e94b1cfd096355967fb26686834773241f04529ad6ba152030ba40fdbe0d5008fefd45159337cd88c3f461dc45c6ba93194627b070ca7a31c089b13c30aea0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhangy.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhangy.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhangy.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zhangy.exe

Filesize
328KB

MD5
bbaa394e6b0ecb7808722986b90d290c

SHA1
682e835d7ea19c9aa3d464436d673e5c89ab2bb6

SHA256
baa3acf778b3bcf4b7be932384799e8c95a5dc56c0faea8cbf7a33195ab47e73

SHA512
2f3ef8921f36beaedf364d72f01af70aaa16acd3804343a1c5ff4f72b91333b4489d15c33c08b05695b216cbd024fc8783676dd98a907be3af8cb8a56c075f4f

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
89KB

MD5
d3074d3a19629c3c6a533c86733e044e

SHA1
5b15823311f97036dbaf4a3418c6f50ffade0eb9

SHA256
b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401

SHA512
7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
2c4e958144bd089aa93a564721ed28bb

SHA1
38ef85f66b7fdc293661e91ba69f31598c5b5919

SHA256
b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855

SHA512
a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6

Download Submit
C:\Users\Admin\AppData\Roaming\GU852FaN.exe

Filesize
3.4MB

MD5
800048405a049c3b4e9af613caa03f21

SHA1
1b1f41df64c90b08c5bbb3ab4d849126e4b30794

SHA256
6428f042a95b442049e0f235a3b5e30032a4e407a29a6d7f6832c007ada8dc91

SHA512
47990943378dba5d2f96fbd2a946958057ee23d802dbe19c2ac1d2d9ab9a52988d29676243e08b112021c4cd65dfd4848408d76ce43080b2d85e795fc3e908d5

Download Submit
C:\Users\Admin\AppData\Roaming\GU852FaN.exe

Filesize
3.4MB

MD5
800048405a049c3b4e9af613caa03f21

SHA1
1b1f41df64c90b08c5bbb3ab4d849126e4b30794

SHA256
6428f042a95b442049e0f235a3b5e30032a4e407a29a6d7f6832c007ada8dc91

SHA512
47990943378dba5d2f96fbd2a946958057ee23d802dbe19c2ac1d2d9ab9a52988d29676243e08b112021c4cd65dfd4848408d76ce43080b2d85e795fc3e908d5

Download Submit
C:\Users\Admin\AppData\Roaming\GU852FaN.exe

Filesize
3.4MB

MD5
800048405a049c3b4e9af613caa03f21

SHA1
1b1f41df64c90b08c5bbb3ab4d849126e4b30794

SHA256
6428f042a95b442049e0f235a3b5e30032a4e407a29a6d7f6832c007ada8dc91

SHA512
47990943378dba5d2f96fbd2a946958057ee23d802dbe19c2ac1d2d9ab9a52988d29676243e08b112021c4cd65dfd4848408d76ce43080b2d85e795fc3e908d5

Download Submit
memory/1512-133-0x0000000000860000-0x00000000009E6000-memory.dmp

Filesize
1.5MB

Download
memory/3588-234-0x0000000000400000-0x000000000091F000-memory.dmp

Filesize
5.1MB

Download
memory/3588-281-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/3880-190-0x00000165D7C20000-0x00000165D7D54000-memory.dmp

Filesize
1.2MB

Download
memory/3880-179-0x00000165D7C20000-0x00000165D7D54000-memory.dmp

Filesize
1.2MB

Download
memory/3880-178-0x00000165D7AA0000-0x00000165D7C13000-memory.dmp

Filesize
1.4MB

Download