amadey | 4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f

Analysis

max time kernel
131s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2023 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe
Size

1.0MB
MD5

730348511d8b680d840e907e2707840a
SHA1

b10984048fb009a045ae3f54ea8d6b8f69b8aa76
SHA256

4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f
SHA512

853afca3b1f61455ab508b07278440d16267e7bd2a02b2a99e697f50b21c1db2fc2eaf4dc43fe67257d030e0afd1e8579489162b58fcbab825dd7b994b579e0b
SSDEEP

24576:syHOpyntggzHB0/UyPoFfjLf9+wZufYfPW0kvJW/:bHOpeggT8fPKz8waYW0kg

Score

10^/10

amadey redline boris netu discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Extracted

Family

redline

Botnet

netu

193.233.20.32:4125

Attributes

auth_value
9641925ae487005582b5cf30476dd305

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v8231Vu.exetz2221.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v8231Vu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v8231Vu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v8231Vu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v8231Vu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v8231Vu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v8231Vu.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz2221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2221.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4080-210-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-211-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-215-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-213-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-217-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-219-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-221-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-223-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-225-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-227-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-229-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-231-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-233-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-235-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-237-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-239-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-243-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-245-0x0000000007290000-0x00000000072A0000-memory.dmp	family_redline
behavioral1/memory/4080-247-0x0000000007130000-0x000000000716F000-memory.dmp	family_redline
behavioral1/memory/4080-1128-0x0000000007290000-0x00000000072A0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y01JX36.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	y01JX36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 11 IoCs

Processes:

zap1294.exezap1965.exezap8250.exetz2221.exev8231Vu.exew68NS16.exexcXNy04.exey01JX36.exelegenda.exelegenda.exelegenda.exe

pid	process
5028	zap1294.exe
3740	zap1965.exe
3228	zap8250.exe
2416	tz2221.exe
2396	v8231Vu.exe
4080	w68NS16.exe
2152	xcXNy04.exe
3456	y01JX36.exe
4224	legenda.exe
4484	legenda.exe
4408	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3912 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3912	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2221.exev8231Vu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2221.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v8231Vu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v8231Vu.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap1965.exezap8250.exe4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exezap1294.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1965.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap1965.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap8250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap8250.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1294.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1294.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3760 4080 WerFault.exe w68NS16.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2221.exev8231Vu.exew68NS16.exexcXNy04.exe

pid process

2416 tz2221.exe
2416 tz2221.exe
2396 v8231Vu.exe
2396 v8231Vu.exe
4080 w68NS16.exe
4080 w68NS16.exe
2152 xcXNy04.exe
2152 xcXNy04.exe

pid	pid_target	process	target process
3760	4080	WerFault.exe	w68NS16.exe

pid	process
4812	schtasks.exe

pid	process
2416	tz2221.exe
2416	tz2221.exe
2396	v8231Vu.exe
2396	v8231Vu.exe
4080	w68NS16.exe
4080	w68NS16.exe
2152	xcXNy04.exe
2152	xcXNy04.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2221.exev8231Vu.exew68NS16.exexcXNy04.exe

description	pid	process
Token: SeDebugPrivilege	2416	tz2221.exe
Token: SeDebugPrivilege	2396	v8231Vu.exe
Token: SeDebugPrivilege	4080	w68NS16.exe
Token: SeDebugPrivilege	2152	xcXNy04.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exezap1294.exezap1965.exezap8250.exey01JX36.exelegenda.execmd.exe

description	pid	process	target process
PID 4360 wrote to memory of 5028	4360	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe	zap1294.exe
PID 4360 wrote to memory of 5028	4360	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe	zap1294.exe
PID 4360 wrote to memory of 5028	4360	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe	zap1294.exe
PID 5028 wrote to memory of 3740	5028	zap1294.exe	zap1965.exe
PID 5028 wrote to memory of 3740	5028	zap1294.exe	zap1965.exe
PID 5028 wrote to memory of 3740	5028	zap1294.exe	zap1965.exe
PID 3740 wrote to memory of 3228	3740	zap1965.exe	zap8250.exe
PID 3740 wrote to memory of 3228	3740	zap1965.exe	zap8250.exe
PID 3740 wrote to memory of 3228	3740	zap1965.exe	zap8250.exe
PID 3228 wrote to memory of 2416	3228	zap8250.exe	tz2221.exe
PID 3228 wrote to memory of 2416	3228	zap8250.exe	tz2221.exe
PID 3228 wrote to memory of 2396	3228	zap8250.exe	v8231Vu.exe
PID 3228 wrote to memory of 2396	3228	zap8250.exe	v8231Vu.exe
PID 3228 wrote to memory of 2396	3228	zap8250.exe	v8231Vu.exe
PID 3740 wrote to memory of 4080	3740	zap1965.exe	w68NS16.exe
PID 3740 wrote to memory of 4080	3740	zap1965.exe	w68NS16.exe
PID 3740 wrote to memory of 4080	3740	zap1965.exe	w68NS16.exe
PID 5028 wrote to memory of 2152	5028	zap1294.exe	xcXNy04.exe
PID 5028 wrote to memory of 2152	5028	zap1294.exe	xcXNy04.exe
PID 5028 wrote to memory of 2152	5028	zap1294.exe	xcXNy04.exe
PID 4360 wrote to memory of 3456	4360	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe	y01JX36.exe
PID 4360 wrote to memory of 3456	4360	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe	y01JX36.exe
PID 4360 wrote to memory of 3456	4360	4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe	y01JX36.exe
PID 3456 wrote to memory of 4224	3456	y01JX36.exe	legenda.exe
PID 3456 wrote to memory of 4224	3456	y01JX36.exe	legenda.exe
PID 3456 wrote to memory of 4224	3456	y01JX36.exe	legenda.exe
PID 4224 wrote to memory of 4812	4224	legenda.exe	schtasks.exe
PID 4224 wrote to memory of 4812	4224	legenda.exe	schtasks.exe
PID 4224 wrote to memory of 4812	4224	legenda.exe	schtasks.exe
PID 4224 wrote to memory of 2252	4224	legenda.exe	cmd.exe
PID 4224 wrote to memory of 2252	4224	legenda.exe	cmd.exe
PID 4224 wrote to memory of 2252	4224	legenda.exe	cmd.exe
PID 2252 wrote to memory of 4092	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 4092	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 4092	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 4280	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 4280	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 4280	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 1068	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 1068	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 1068	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 3692	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 3692	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 3692	2252	cmd.exe	cmd.exe
PID 2252 wrote to memory of 3184	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 3184	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 3184	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 3556	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 3556	2252	cmd.exe	cacls.exe
PID 2252 wrote to memory of 3556	2252	cmd.exe	cacls.exe
PID 4224 wrote to memory of 3912	4224	legenda.exe	rundll32.exe
PID 4224 wrote to memory of 3912	4224	legenda.exe	rundll32.exe
PID 4224 wrote to memory of 3912	4224	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe
"C:\Users\Admin\AppData\Local\Temp\4c1110047b4471795797876eecc52839e2000d621dcfaef71050806c5cfb031f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1294.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1294.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1965.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1965.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3740

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8250.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8250.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2221.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2221.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8231Vu.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8231Vu.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w68NS16.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w68NS16.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1680
5⤵
- Program crash
PID:3760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcXNy04.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcXNy04.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01JX36.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01JX36.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4092

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4280

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:3692

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:3184

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:3556

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4080 -ip 4080
1⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:4408

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01JX36.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y01JX36.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1294.exe
Filesize
854KB

MD5
3a5c77acd5bdd6fb63cb0fec97e496e3

SHA1
5749f88a4db4942c3f550973cd6f416034201797

SHA256
98233e2dd5271ae92363cc59e38f5aac6d2f7d38b9f9114b08068d7c57cc241a

SHA512
7bd19f43cd0e0a3426462dc78480f47b9ba7105da5b2ed66bb86a9f3070628cf488e8c4c6ff141e87d02d3b37cf2b86edd405dbdd6d512eaa67c33d872b14c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1294.exe
Filesize
854KB

MD5
3a5c77acd5bdd6fb63cb0fec97e496e3

SHA1
5749f88a4db4942c3f550973cd6f416034201797

SHA256
98233e2dd5271ae92363cc59e38f5aac6d2f7d38b9f9114b08068d7c57cc241a

SHA512
7bd19f43cd0e0a3426462dc78480f47b9ba7105da5b2ed66bb86a9f3070628cf488e8c4c6ff141e87d02d3b37cf2b86edd405dbdd6d512eaa67c33d872b14c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcXNy04.exe
Filesize
175KB

MD5
e25c1d380bdc76154729e5ebaf635bd4

SHA1
76c78129470ef6ced02c95ce7ff7b2eedc2bd666

SHA256
7c326d05696cfb3fe87be7a947a96eaaadcb0839079a672b19d8e783a8554658

SHA512
a1a362146253fd629c3e4c923708da126d79c75cac4fcd65b1224f9bcdc53e6627131011417d5da9cc275310da404dc1c1c31b414af84ac284f1bd006dc64693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xcXNy04.exe
Filesize
175KB

MD5
e25c1d380bdc76154729e5ebaf635bd4

SHA1
76c78129470ef6ced02c95ce7ff7b2eedc2bd666

SHA256
7c326d05696cfb3fe87be7a947a96eaaadcb0839079a672b19d8e783a8554658

SHA512
a1a362146253fd629c3e4c923708da126d79c75cac4fcd65b1224f9bcdc53e6627131011417d5da9cc275310da404dc1c1c31b414af84ac284f1bd006dc64693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1965.exe
Filesize
712KB

MD5
2a7836a3056c54875e1e7567d9bbfd10

SHA1
16e63b0d27c8fc3d0dfe93b1a982d8bee6982e54

SHA256
25dd185710ac89b0db8bafb11d402f95a69a9ca6dc541c40da863cb54a1f6412

SHA512
a702a3745508cca77094e3126910526d7dd12c5175d19bb921a446148c5cf7ee427b681adc6c7daced0d70fd7b564195b33f55844c993a8707b501d0f771ddc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap1965.exe
Filesize
712KB

MD5
2a7836a3056c54875e1e7567d9bbfd10

SHA1
16e63b0d27c8fc3d0dfe93b1a982d8bee6982e54

SHA256
25dd185710ac89b0db8bafb11d402f95a69a9ca6dc541c40da863cb54a1f6412

SHA512
a702a3745508cca77094e3126910526d7dd12c5175d19bb921a446148c5cf7ee427b681adc6c7daced0d70fd7b564195b33f55844c993a8707b501d0f771ddc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w68NS16.exe
Filesize
383KB

MD5
285da4f4eb9a1c18469474e4b3bf21da

SHA1
1282628fc0daa9b63d77534ec8decf2440ccaafd

SHA256
d6f5b43a36a68cacd8753c3258526bdce970344a476f7d1703c75152deb4961d

SHA512
f6f58aaa4d122247c04748000ab4f601d9c168180821890854f0b6c1c0bbf0041d7983933593acb2b2f2572f027ad554034c762cdbd7240b87d10d858fa7e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w68NS16.exe
Filesize
383KB

MD5
285da4f4eb9a1c18469474e4b3bf21da

SHA1
1282628fc0daa9b63d77534ec8decf2440ccaafd

SHA256
d6f5b43a36a68cacd8753c3258526bdce970344a476f7d1703c75152deb4961d

SHA512
f6f58aaa4d122247c04748000ab4f601d9c168180821890854f0b6c1c0bbf0041d7983933593acb2b2f2572f027ad554034c762cdbd7240b87d10d858fa7e306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8250.exe
Filesize
352KB

MD5
7bf5e9fb2f79be77882e57a8d0eaccba

SHA1
74b6769a3f3915ac3099703c6752193873f4b0b2

SHA256
5065f3eaa62ad06a970044605203f6a12eafb174910b98ed016e21630b319659

SHA512
1188b44a67ea01cb1034f0d1654391d8dcb2adc074af01abc50f8ea583ba7ce096c0f80257ba58caf411b36b81bef4fb59e209824704618a48046bc9ac2874d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap8250.exe
Filesize
352KB

MD5
7bf5e9fb2f79be77882e57a8d0eaccba

SHA1
74b6769a3f3915ac3099703c6752193873f4b0b2

SHA256
5065f3eaa62ad06a970044605203f6a12eafb174910b98ed016e21630b319659

SHA512
1188b44a67ea01cb1034f0d1654391d8dcb2adc074af01abc50f8ea583ba7ce096c0f80257ba58caf411b36b81bef4fb59e209824704618a48046bc9ac2874d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2221.exe
Filesize
11KB

MD5
cb3f3a4d067169ce76c05db6de8ee8bd

SHA1
96ddcc0df2e979c6306c57689eddcc0dd5acbe10

SHA256
61fbd77ed4a94b1888a04324b477e70d8a347d361862f743921a0ab81ae3d802

SHA512
6f48dc353b47084c4c9a5b5d2d8a1dca41f497bc64b22c98fb9390998a39060258ffae154bb3e765e313475c7f6aef63226870b8f3407278cd71a59d8ea080c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2221.exe
Filesize
11KB

MD5
cb3f3a4d067169ce76c05db6de8ee8bd

SHA1
96ddcc0df2e979c6306c57689eddcc0dd5acbe10

SHA256
61fbd77ed4a94b1888a04324b477e70d8a347d361862f743921a0ab81ae3d802

SHA512
6f48dc353b47084c4c9a5b5d2d8a1dca41f497bc64b22c98fb9390998a39060258ffae154bb3e765e313475c7f6aef63226870b8f3407278cd71a59d8ea080c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8231Vu.exe
Filesize
325KB

MD5
6250273f0f466dd66b23f8b67afa30d2

SHA1
64735a6dd80e8038b75cd7ec3b2d3a2f9b69725c

SHA256
19402490c93050729a8b48367e7df049948ac0d98964ec286a24e5f82a993fd8

SHA512
061db027bb653d0a24b59251b4827bc814d589d365e611771c45ddb378e1a4c0adeb686fc802a3aa2dc4669e4ec9bceb2b2017c17490cfa383adabe6391eb382

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8231Vu.exe
Filesize
325KB

MD5
6250273f0f466dd66b23f8b67afa30d2

SHA1
64735a6dd80e8038b75cd7ec3b2d3a2f9b69725c

SHA256
19402490c93050729a8b48367e7df049948ac0d98964ec286a24e5f82a993fd8

SHA512
061db027bb653d0a24b59251b4827bc814d589d365e611771c45ddb378e1a4c0adeb686fc802a3aa2dc4669e4ec9bceb2b2017c17490cfa383adabe6391eb382

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
1f45e62a0f67cfa81f07d1910e417039

SHA1
c1288182ff93ed0031f4743d0eeea1fd77f4a05c

SHA256
6960664933295be8d60b9e155c7fd86c410091e792609b327677d14eed00115a

SHA512
ad1e4ffc5c1d06880a94125b644986d68f1796d824945ef469d1a84858ea32ecaf2000316a10a28ef1a2e6c613f8eb0181b4144b79c0e6950b72323eaaad28f2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/2152-1142-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/2152-1141-0x0000000000780000-0x00000000007B2000-memory.dmp

Filesize
200KB

Download
memory/2396-185-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-197-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-199-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-193-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-191-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-189-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-187-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-200-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2396-202-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2396-203-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2396-204-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2396-205-0x0000000000400000-0x0000000002B7E000-memory.dmp

Filesize
39.5MB

Download
memory/2396-167-0x0000000007130000-0x00000000076D4000-memory.dmp

Filesize
5.6MB

Download
memory/2396-195-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-183-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-181-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-179-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-173-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-177-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-175-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-172-0x0000000004AF0000-0x0000000004B02000-memory.dmp

Filesize
72KB

Download
memory/2396-171-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2396-168-0x0000000002B80000-0x0000000002BAD000-memory.dmp

Filesize
180KB

Download
memory/2396-170-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2396-169-0x00000000048F0000-0x0000000004900000-memory.dmp

Filesize
64KB

Download
memory/2416-161-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download
memory/4080-217-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-237-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-239-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-241-0x0000000002B90000-0x0000000002BDB000-memory.dmp

Filesize
300KB

Download
memory/4080-243-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-245-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-242-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-247-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-246-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-1120-0x0000000007950000-0x0000000007F68000-memory.dmp

Filesize
6.1MB

Download
memory/4080-1121-0x0000000007F70000-0x000000000807A000-memory.dmp

Filesize
1.0MB

Download
memory/4080-1122-0x00000000080B0000-0x00000000080C2000-memory.dmp

Filesize
72KB

Download
memory/4080-1123-0x00000000080D0000-0x000000000810C000-memory.dmp

Filesize
240KB

Download
memory/4080-1124-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-1126-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-1127-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-1128-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download
memory/4080-1129-0x00000000083C0000-0x0000000008426000-memory.dmp

Filesize
408KB

Download
memory/4080-1130-0x0000000008A70000-0x0000000008B02000-memory.dmp

Filesize
584KB

Download
memory/4080-1131-0x0000000008B60000-0x0000000008BD6000-memory.dmp

Filesize
472KB

Download
memory/4080-1132-0x0000000008BF0000-0x0000000008C40000-memory.dmp

Filesize
320KB

Download
memory/4080-1133-0x0000000008D60000-0x0000000008F22000-memory.dmp

Filesize
1.8MB

Download
memory/4080-235-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-233-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-231-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-229-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-227-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-225-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-223-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-221-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-219-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-213-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-215-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-211-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-210-0x0000000007130000-0x000000000716F000-memory.dmp

Filesize
252KB

Download
memory/4080-1134-0x0000000008F40000-0x000000000946C000-memory.dmp

Filesize
5.2MB

Download
memory/4080-1136-0x0000000007290000-0x00000000072A0000-memory.dmp

Filesize
64KB

Download