amadey | ce5e75077840abb3d32d35eb8889f85e9aa2833c59288db001a0eac27dc07049

Analysis

max time kernel
141s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2023 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cf6b1d778d8e768db95c09e6896c63c.exe
Size

1.2MB
MD5

7cf6b1d778d8e768db95c09e6896c63c
SHA1

40696162fb8fde6c40b0974589eb567287382252
SHA256

ce5e75077840abb3d32d35eb8889f85e9aa2833c59288db001a0eac27dc07049
SHA512

e967aef8f53c0091125d86a070826d2f045b3b56f6f98e6baba6862317086899575521096076b1af166cb48cc02e94d37c970761573000fd36bc5c767c187763
SSDEEP

24576:DisFzwUeGh3ygDw0cRGhIFfbXRl7qOP36P0mvVOHVXQ9i1P:DTMUmP0ZhUfbXRl1PiJSXQ9i

Score

10^/10

amadey redline mango ruka discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

mango

193.233.20.28:4125

Attributes

auth_value
ecf79d7f5227d998a3501c972d915d23

Extracted

Family

redline

Botnet

ruka

193.233.20.28:4125

Attributes

auth_value
5d1d0e51ebe1e3f16cca573ff651c43c

Extracted

Family

amadey

Version

3.68

62.204.41.59/wordpress/console2/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

luk3843.exemos7267.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	luk3843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	mos7267.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mos7267.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mos7267.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mos7267.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	luk3843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	luk3843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	luk3843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mos7267.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	luk3843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	luk3843.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mos7267.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1296-210-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-211-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-213-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-215-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-217-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-219-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-221-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-223-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-225-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-227-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-229-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-232-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-236-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-237-0x0000000007380000-0x0000000007390000-memory.dmp	family_redline
behavioral2/memory/1296-241-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-239-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-243-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline
behavioral2/memory/1296-245-0x0000000004AD0000-0x0000000004B0E000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sg194567.exewordpress.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	sg194567.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	wordpress.exe

Executes dropped EXE 10 IoCs

Processes:

tore4946.exetore9901.exetore9080.exeluk3843.exemos7267.exenLm98s83.exeod872539.exesg194567.exewordpress.exewordpress.exe

pid	process
3296	tore4946.exe
4368	tore9901.exe
2684	tore9080.exe
228	luk3843.exe
1756	mos7267.exe
1296	nLm98s83.exe
644	od872539.exe
3124	sg194567.exe
4088	wordpress.exe
4328	wordpress.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1648 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1648	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

mos7267.exeluk3843.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	mos7267.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	luk3843.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	mos7267.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tore9901.exetore9080.exe7cf6b1d778d8e768db95c09e6896c63c.exetore4946.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tore9901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	tore9901.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tore9080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	tore9080.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7cf6b1d778d8e768db95c09e6896c63c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7cf6b1d778d8e768db95c09e6896c63c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tore4946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	tore4946.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1300 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1300	sc.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1508	1756	WerFault.exe	mos7267.exe
4396	1296	WerFault.exe	nLm98s83.exe
3312	2104	WerFault.exe	7cf6b1d778d8e768db95c09e6896c63c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

luk3843.exemos7267.exenLm98s83.exeod872539.exe

pid process

228 luk3843.exe
228 luk3843.exe
1756 mos7267.exe
1756 mos7267.exe
1296 nLm98s83.exe
1296 nLm98s83.exe
1296 nLm98s83.exe
644 od872539.exe
644 od872539.exe

pid	process
4800	schtasks.exe

pid	process
228	luk3843.exe
228	luk3843.exe
1756	mos7267.exe
1756	mos7267.exe
1296	nLm98s83.exe
1296	nLm98s83.exe
1296	nLm98s83.exe
644	od872539.exe
644	od872539.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

luk3843.exemos7267.exenLm98s83.exeod872539.exe

description	pid	process
Token: SeDebugPrivilege	228	luk3843.exe
Token: SeDebugPrivilege	1756	mos7267.exe
Token: SeDebugPrivilege	1296	nLm98s83.exe
Token: SeDebugPrivilege	644	od872539.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

7cf6b1d778d8e768db95c09e6896c63c.exetore4946.exetore9901.exetore9080.exesg194567.exewordpress.execmd.exe

description	pid	process	target process
PID 2104 wrote to memory of 3296	2104	7cf6b1d778d8e768db95c09e6896c63c.exe	tore4946.exe
PID 2104 wrote to memory of 3296	2104	7cf6b1d778d8e768db95c09e6896c63c.exe	tore4946.exe
PID 2104 wrote to memory of 3296	2104	7cf6b1d778d8e768db95c09e6896c63c.exe	tore4946.exe
PID 3296 wrote to memory of 4368	3296	tore4946.exe	tore9901.exe
PID 3296 wrote to memory of 4368	3296	tore4946.exe	tore9901.exe
PID 3296 wrote to memory of 4368	3296	tore4946.exe	tore9901.exe
PID 4368 wrote to memory of 2684	4368	tore9901.exe	tore9080.exe
PID 4368 wrote to memory of 2684	4368	tore9901.exe	tore9080.exe
PID 4368 wrote to memory of 2684	4368	tore9901.exe	tore9080.exe
PID 2684 wrote to memory of 228	2684	tore9080.exe	luk3843.exe
PID 2684 wrote to memory of 228	2684	tore9080.exe	luk3843.exe
PID 2684 wrote to memory of 1756	2684	tore9080.exe	mos7267.exe
PID 2684 wrote to memory of 1756	2684	tore9080.exe	mos7267.exe
PID 2684 wrote to memory of 1756	2684	tore9080.exe	mos7267.exe
PID 4368 wrote to memory of 1296	4368	tore9901.exe	nLm98s83.exe
PID 4368 wrote to memory of 1296	4368	tore9901.exe	nLm98s83.exe
PID 4368 wrote to memory of 1296	4368	tore9901.exe	nLm98s83.exe
PID 3296 wrote to memory of 644	3296	tore4946.exe	od872539.exe
PID 3296 wrote to memory of 644	3296	tore4946.exe	od872539.exe
PID 3296 wrote to memory of 644	3296	tore4946.exe	od872539.exe
PID 2104 wrote to memory of 3124	2104	7cf6b1d778d8e768db95c09e6896c63c.exe	sg194567.exe
PID 2104 wrote to memory of 3124	2104	7cf6b1d778d8e768db95c09e6896c63c.exe	sg194567.exe
PID 2104 wrote to memory of 3124	2104	7cf6b1d778d8e768db95c09e6896c63c.exe	sg194567.exe
PID 3124 wrote to memory of 4088	3124	sg194567.exe	wordpress.exe
PID 3124 wrote to memory of 4088	3124	sg194567.exe	wordpress.exe
PID 3124 wrote to memory of 4088	3124	sg194567.exe	wordpress.exe
PID 4088 wrote to memory of 4800	4088	wordpress.exe	schtasks.exe
PID 4088 wrote to memory of 4800	4088	wordpress.exe	schtasks.exe
PID 4088 wrote to memory of 4800	4088	wordpress.exe	schtasks.exe
PID 4088 wrote to memory of 5028	4088	wordpress.exe	cmd.exe
PID 4088 wrote to memory of 5028	4088	wordpress.exe	cmd.exe
PID 4088 wrote to memory of 5028	4088	wordpress.exe	cmd.exe
PID 5028 wrote to memory of 4972	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 4972	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 4972	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 3792	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3792	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3792	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 2352	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 2352	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 2352	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 4272	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 4272	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 4272	5028	cmd.exe	cmd.exe
PID 5028 wrote to memory of 3420	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3420	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3420	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3060	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3060	5028	cmd.exe	cacls.exe
PID 5028 wrote to memory of 3060	5028	cmd.exe	cacls.exe
PID 4088 wrote to memory of 1648	4088	wordpress.exe	rundll32.exe
PID 4088 wrote to memory of 1648	4088	wordpress.exe	rundll32.exe
PID 4088 wrote to memory of 1648	4088	wordpress.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\7cf6b1d778d8e768db95c09e6896c63c.exe
"C:\Users\Admin\AppData\Local\Temp\7cf6b1d778d8e768db95c09e6896c63c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tore4946.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tore4946.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tore9901.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tore9901.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tore9080.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tore9080.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\luk3843.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\luk3843.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mos7267.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mos7267.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 1080
6⤵
- Program crash
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nLm98s83.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nLm98s83.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1296
5⤵
- Program crash
PID:4396

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\od872539.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\od872539.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sg194567.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sg194567.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
"C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN wordpress.exe /TR "C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe" /F
4⤵
- Creates scheduled task(s)
PID:4800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "wordpress.exe" /P "Admin:N"&&CACLS "wordpress.exe" /P "Admin:R" /E&&echo Y|CACLS "..\46aee2aca4" /P "Admin:N"&&CACLS "..\46aee2aca4" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4972

C:\Windows\SysWOW64\cacls.exe
CACLS "wordpress.exe" /P "Admin:N"
5⤵
PID:3792

C:\Windows\SysWOW64\cacls.exe
CACLS "wordpress.exe" /P "Admin:R" /E
5⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4272

C:\Windows\SysWOW64\cacls.exe
CACLS "..\46aee2aca4" /P "Admin:N"
5⤵
PID:3420

C:\Windows\SysWOW64\cacls.exe
CACLS "..\46aee2aca4" /P "Admin:R" /E
5⤵
PID:3060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 480
2⤵
- Program crash
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1756 -ip 1756
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1296 -ip 1296
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2104 -ip 2104
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
1⤵
- Executes dropped EXE
PID:4328

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
Filesize
235KB

MD5
45a52c031a49cfc0ce7d83cf85c9810a

SHA1
d41bb20dcab894e4558eddce1fd1e7d45ba1f92d

SHA256
bd71e03e2c0b5b324f02a1cfc38428f6764a58a9217d52d8cd15efe755db39be

SHA512
7fa294fab489b38a08bcd186c5d49e7fcd437647a0a1c3b498d86be8dfc1320e84ada52b24de07c88bca4c253a0dfbb7a31d5fc48b82720f8695bac99c536c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
Filesize
235KB

MD5
45a52c031a49cfc0ce7d83cf85c9810a

SHA1
d41bb20dcab894e4558eddce1fd1e7d45ba1f92d

SHA256
bd71e03e2c0b5b324f02a1cfc38428f6764a58a9217d52d8cd15efe755db39be

SHA512
7fa294fab489b38a08bcd186c5d49e7fcd437647a0a1c3b498d86be8dfc1320e84ada52b24de07c88bca4c253a0dfbb7a31d5fc48b82720f8695bac99c536c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
Filesize
235KB

MD5
45a52c031a49cfc0ce7d83cf85c9810a

SHA1
d41bb20dcab894e4558eddce1fd1e7d45ba1f92d

SHA256
bd71e03e2c0b5b324f02a1cfc38428f6764a58a9217d52d8cd15efe755db39be

SHA512
7fa294fab489b38a08bcd186c5d49e7fcd437647a0a1c3b498d86be8dfc1320e84ada52b24de07c88bca4c253a0dfbb7a31d5fc48b82720f8695bac99c536c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\46aee2aca4\wordpress.exe
Filesize
235KB

MD5
45a52c031a49cfc0ce7d83cf85c9810a

SHA1
d41bb20dcab894e4558eddce1fd1e7d45ba1f92d

SHA256
bd71e03e2c0b5b324f02a1cfc38428f6764a58a9217d52d8cd15efe755db39be

SHA512
7fa294fab489b38a08bcd186c5d49e7fcd437647a0a1c3b498d86be8dfc1320e84ada52b24de07c88bca4c253a0dfbb7a31d5fc48b82720f8695bac99c536c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sg194567.exe
Filesize
235KB

MD5
45a52c031a49cfc0ce7d83cf85c9810a

SHA1
d41bb20dcab894e4558eddce1fd1e7d45ba1f92d

SHA256
bd71e03e2c0b5b324f02a1cfc38428f6764a58a9217d52d8cd15efe755db39be

SHA512
7fa294fab489b38a08bcd186c5d49e7fcd437647a0a1c3b498d86be8dfc1320e84ada52b24de07c88bca4c253a0dfbb7a31d5fc48b82720f8695bac99c536c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sg194567.exe
Filesize
235KB

MD5
45a52c031a49cfc0ce7d83cf85c9810a

SHA1
d41bb20dcab894e4558eddce1fd1e7d45ba1f92d

SHA256
bd71e03e2c0b5b324f02a1cfc38428f6764a58a9217d52d8cd15efe755db39be

SHA512
7fa294fab489b38a08bcd186c5d49e7fcd437647a0a1c3b498d86be8dfc1320e84ada52b24de07c88bca4c253a0dfbb7a31d5fc48b82720f8695bac99c536c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tore4946.exe
Filesize
846KB

MD5
a505ecc557be28c290baad20cb3e3c66

SHA1
b7a5bf1d5029a685d62cb96d5a5e323cb5535385

SHA256
b583243178f409866a9817dc90979a5a0bfa22148bafcb6d79a81f7f8e23abf6

SHA512
e7f27c919ed0577b913ce9bf8e286e2b97c15dcf8c79354f4dd58a1c7c2852ae3c0a117755978f52835b420a7fa08be83dcc3f70fd475b68c9336bf3c4496335

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tore4946.exe
Filesize
846KB

MD5
a505ecc557be28c290baad20cb3e3c66

SHA1
b7a5bf1d5029a685d62cb96d5a5e323cb5535385

SHA256
b583243178f409866a9817dc90979a5a0bfa22148bafcb6d79a81f7f8e23abf6

SHA512
e7f27c919ed0577b913ce9bf8e286e2b97c15dcf8c79354f4dd58a1c7c2852ae3c0a117755978f52835b420a7fa08be83dcc3f70fd475b68c9336bf3c4496335

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\od872539.exe
Filesize
175KB

MD5
6c4c2a56d5dd785adbe4fe60fa3cc1f2

SHA1
f8bd4379310258f8e54c47b56f5eec7394adb9a2

SHA256
b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

SHA512
f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\od872539.exe
Filesize
175KB

MD5
6c4c2a56d5dd785adbe4fe60fa3cc1f2

SHA1
f8bd4379310258f8e54c47b56f5eec7394adb9a2

SHA256
b182f2d3d49bdda2e29a0ed312deef4bee03983de54080c5e97ad6422de192d2

SHA512
f6958cab80e2f7736cea307b51be546e50acd5494b72db0343a09e6ef8c446114f51be6c9826fcb6e9f7190e4ec8415c0a403c3c1706183577c2604b877ff830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tore9901.exe
Filesize
703KB

MD5
2599b6be29de56428e75673f14588598

SHA1
de4cff703378abb8128e4578fac9232bf8c2f302

SHA256
9a0331ba638fad64fe7163e988dd18efe249df3a20a10103aa580cfde8abaa6d

SHA512
8e32bc1efb3f2f0be0864cbce5ce499325406d9ea3aa3dc4ade1946818f212ad0bbf067a0ffdedc8ec87de16146c65d3020d7439f061e636cc9f5df2f1377911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tore9901.exe
Filesize
703KB

MD5
2599b6be29de56428e75673f14588598

SHA1
de4cff703378abb8128e4578fac9232bf8c2f302

SHA256
9a0331ba638fad64fe7163e988dd18efe249df3a20a10103aa580cfde8abaa6d

SHA512
8e32bc1efb3f2f0be0864cbce5ce499325406d9ea3aa3dc4ade1946818f212ad0bbf067a0ffdedc8ec87de16146c65d3020d7439f061e636cc9f5df2f1377911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nLm98s83.exe
Filesize
399KB

MD5
89916ac2c863e9f659a6dd015589ea2b

SHA1
3c7fbdb4e5fc5ea829a2d1a5b48f0f15f847925c

SHA256
6342a996be80b201106c3ce1c8103c0fc2fa7788cc046401be45263d7a00c51f

SHA512
89af7bed359af7992736ea85526ef80135a3f83dbb1a3573749411425b03eb5090e507c72d0f850324f25a7b45cba24702ed1075fa1e71eed3cb727c22e1f665

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nLm98s83.exe
Filesize
399KB

MD5
89916ac2c863e9f659a6dd015589ea2b

SHA1
3c7fbdb4e5fc5ea829a2d1a5b48f0f15f847925c

SHA256
6342a996be80b201106c3ce1c8103c0fc2fa7788cc046401be45263d7a00c51f

SHA512
89af7bed359af7992736ea85526ef80135a3f83dbb1a3573749411425b03eb5090e507c72d0f850324f25a7b45cba24702ed1075fa1e71eed3cb727c22e1f665

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tore9080.exe
Filesize
349KB

MD5
952c79a30baa709c8094d530afb8fa05

SHA1
a92d7304eda2b8567031f10bd16defbae452afe6

SHA256
bb49409ebabf2d4f013f04832af753ed8fc203ef5890e65711b996eacb9a9853

SHA512
5a5d080cf6820d9bff6db946200d2142e6e1cdcafd18fcfb1bc969694dcb309bf3695c0eb3b7ffdb4185f1ec1040f2087b058265a7050a0bb35a4648cdad0838

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\tore9080.exe
Filesize
349KB

MD5
952c79a30baa709c8094d530afb8fa05

SHA1
a92d7304eda2b8567031f10bd16defbae452afe6

SHA256
bb49409ebabf2d4f013f04832af753ed8fc203ef5890e65711b996eacb9a9853

SHA512
5a5d080cf6820d9bff6db946200d2142e6e1cdcafd18fcfb1bc969694dcb309bf3695c0eb3b7ffdb4185f1ec1040f2087b058265a7050a0bb35a4648cdad0838

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\luk3843.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\luk3843.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mos7267.exe
Filesize
342KB

MD5
0290552bb23ba9be3b47dc15ed81fff2

SHA1
a646268888905155234935244229164e79c38b48

SHA256
0d3ea393aeaa121377dd1673a80ba0d80cc9adad02356e6a1a612ad9c92d52f1

SHA512
694b10648bd193841a97a6af060fa5179c6862e527a887cc90d65a581bac45944dd534e8d4048a681df18d15dedbc21bde731c33a083fc913bd5b7c5e0c20767

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mos7267.exe
Filesize
342KB

MD5
0290552bb23ba9be3b47dc15ed81fff2

SHA1
a646268888905155234935244229164e79c38b48

SHA256
0d3ea393aeaa121377dd1673a80ba0d80cc9adad02356e6a1a612ad9c92d52f1

SHA512
694b10648bd193841a97a6af060fa5179c6862e527a887cc90d65a581bac45944dd534e8d4048a681df18d15dedbc21bde731c33a083fc913bd5b7c5e0c20767

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
89KB

MD5
a55d0c5be5767946dadbc41ff81edfe4

SHA1
e61fa4151224e9946aaa9b80c04a4124584e6eda

SHA256
3650a22b9f187270ce7007c04a2af35ba8d5239067f90901ee4ffa96fae3e67e

SHA512
a88654a6f39ce1ee30358118bc7f18db048e13efbe9022b0c57c7fa2304944e64ec14113af56fb11b7d782402f71f8000b2f2d5dd345408e950eae8f37431c8b

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
89KB

MD5
a55d0c5be5767946dadbc41ff81edfe4

SHA1
e61fa4151224e9946aaa9b80c04a4124584e6eda

SHA256
3650a22b9f187270ce7007c04a2af35ba8d5239067f90901ee4ffa96fae3e67e

SHA512
a88654a6f39ce1ee30358118bc7f18db048e13efbe9022b0c57c7fa2304944e64ec14113af56fb11b7d782402f71f8000b2f2d5dd345408e950eae8f37431c8b

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
Filesize
89KB

MD5
a55d0c5be5767946dadbc41ff81edfe4

SHA1
e61fa4151224e9946aaa9b80c04a4124584e6eda

SHA256
3650a22b9f187270ce7007c04a2af35ba8d5239067f90901ee4ffa96fae3e67e

SHA512
a88654a6f39ce1ee30358118bc7f18db048e13efbe9022b0c57c7fa2304944e64ec14113af56fb11b7d782402f71f8000b2f2d5dd345408e950eae8f37431c8b

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
Filesize
235B

MD5
1e61052576779ddd7c5918a53b2e9899

SHA1
ef05d4029741fb126efe45b9ec1562e47e7985f4

SHA256
028f7bab62b6576a2bbed8759af3875bfbdd415c710bd14f67a2cb52b8f231c4

SHA512
d0b450663aa23c437ffca63fcf1fba5603da6d9e0a691db8dd027c690afc7003731e924b8a08d9b852160e748431e553ff88451cf2fb048e6952fdd7ddba1202

Download Submit
memory/228-162-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/644-1144-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/644-1143-0x0000000000C80000-0x0000000000CB2000-memory.dmp

Filesize
200KB

Download
memory/1296-1129-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-245-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-1137-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-1136-0x0000000009290000-0x00000000092E0000-memory.dmp

Filesize
320KB

Download
memory/1296-1135-0x0000000009200000-0x0000000009276000-memory.dmp

Filesize
472KB

Download
memory/1296-1134-0x0000000008BA0000-0x00000000090CC000-memory.dmp

Filesize
5.2MB

Download
memory/1296-1133-0x00000000089D0000-0x0000000008B92000-memory.dmp

Filesize
1.8MB

Download
memory/1296-1132-0x00000000088D0000-0x0000000008962000-memory.dmp

Filesize
584KB

Download
memory/1296-1131-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-210-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-211-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-213-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-215-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-217-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-219-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-221-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-223-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-225-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-227-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-229-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-232-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-236-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-235-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-237-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-241-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-239-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-233-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-231-0x0000000002BF0000-0x0000000002C3B000-memory.dmp

Filesize
300KB

Download
memory/1296-243-0x0000000004AD0000-0x0000000004B0E000-memory.dmp

Filesize
248KB

Download
memory/1296-1130-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-1121-0x0000000007940000-0x0000000007F58000-memory.dmp

Filesize
6.1MB

Download
memory/1296-1122-0x00000000071E0000-0x00000000072EA000-memory.dmp

Filesize
1.0MB

Download
memory/1296-1123-0x0000000007320000-0x0000000007332000-memory.dmp

Filesize
72KB

Download
memory/1296-1124-0x0000000007380000-0x0000000007390000-memory.dmp

Filesize
64KB

Download
memory/1296-1125-0x0000000007340000-0x000000000737C000-memory.dmp

Filesize
240KB

Download
memory/1296-1128-0x0000000008210000-0x0000000008276000-memory.dmp

Filesize
408KB

Download
memory/1756-185-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-175-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-189-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-193-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-205-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/1756-203-0x0000000000400000-0x0000000002B05000-memory.dmp

Filesize
39.0MB

Download
memory/1756-201-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-199-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-197-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-181-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-191-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-183-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-187-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-179-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-177-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-174-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-195-0x0000000004B40000-0x0000000004B52000-memory.dmp

Filesize
72KB

Download
memory/1756-173-0x0000000007150000-0x00000000076F4000-memory.dmp

Filesize
5.6MB

Download
memory/1756-172-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/1756-171-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/1756-170-0x0000000002B10000-0x0000000002B3D000-memory.dmp

Filesize
180KB

Download
memory/2104-164-0x0000000000400000-0x0000000002BDF000-memory.dmp

Filesize
39.9MB

Download
memory/2104-163-0x0000000004AE0000-0x0000000004BE3000-memory.dmp

Filesize
1.0MB

Download