amadey | 51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e

Analysis

max time kernel
107s
max time network
137s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28-03-2023 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe
Size

1.0MB
MD5

b23b53ca8b84d42663b26e443f230f77
SHA1

444291c4afc8aed011d86ac5f0dad018d0b952bd
SHA256

51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e
SHA512

115d2dbab5173dab8ec6fef5fb889d21d77fffc987f4b5dd7c7d033bf93437c4b539372aef58eeb29a179c9a4d2eafe4d2186856559724996ffe80265f7252b1
SSDEEP

24576:9yP4XVZc8wjC9FsSIzVK+m2xyHQa2tIbiuOmgU:YP4XVZc8wjlrzVKZ27a2tGvTg

Score

10^/10

amadey aurora redline nado rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

nado

176.113.115.145:4125

Attributes

auth_value
a648e365d8e0df895a84152ad68ffc56

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Extracted

Family

aurora

212.87.204.93:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz2760.exev5682Wn.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz2760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz2760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz2760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v5682Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v5682Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz2760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz2760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v5682Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v5682Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v5682Wn.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3136-200-0x0000000002E90000-0x0000000002ED6000-memory.dmp	family_redline
behavioral1/memory/3136-201-0x0000000004AC0000-0x0000000004B04000-memory.dmp	family_redline
behavioral1/memory/3136-203-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-202-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-205-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-207-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-209-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-211-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-213-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-215-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-217-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-219-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-221-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-223-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-225-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-227-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-229-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-231-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-233-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-235-0x0000000004AC0000-0x0000000004AFF000-memory.dmp	family_redline
behavioral1/memory/3136-1122-0x0000000007460000-0x0000000007470000-memory.dmp	family_redline
behavioral1/memory/3136-1123-0x0000000007460000-0x0000000007470000-memory.dmp	family_redline
behavioral1/memory/3136-1124-0x0000000007460000-0x0000000007470000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

zap7350.exezap4997.exezap6052.exetz2760.exev5682Wn.exew42El96.exexYJDN57.exey49as65.exelegenda.exe2023.exelegenda.exe

pid	process
3276	zap7350.exe
4168	zap4997.exe
4140	zap6052.exe
4196	tz2760.exe
2084	v5682Wn.exe
3136	w42El96.exe
3580	xYJDN57.exe
4876	y49as65.exe
3848	legenda.exe
3264	2023.exe
5044	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4292 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4292	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz2760.exev5682Wn.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz2760.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v5682Wn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v5682Wn.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap6052.exe51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exezap7350.exezap4997.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap6052.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap6052.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap7350.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4997.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap4997.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4384 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz2760.exev5682Wn.exew42El96.exexYJDN57.exe

pid process

4196 tz2760.exe
4196 tz2760.exe
2084 v5682Wn.exe
2084 v5682Wn.exe
3136 w42El96.exe
3136 w42El96.exe
3580 xYJDN57.exe
3580 xYJDN57.exe

pid	process
4384	schtasks.exe

pid	process
4196	tz2760.exe
4196	tz2760.exe
2084	v5682Wn.exe
2084	v5682Wn.exe
3136	w42El96.exe
3136	w42El96.exe
3580	xYJDN57.exe
3580	xYJDN57.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz2760.exev5682Wn.exew42El96.exexYJDN57.exe

description	pid	process
Token: SeDebugPrivilege	4196	tz2760.exe
Token: SeDebugPrivilege	2084	v5682Wn.exe
Token: SeDebugPrivilege	3136	w42El96.exe
Token: SeDebugPrivilege	3580	xYJDN57.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exezap7350.exezap4997.exezap6052.exey49as65.exelegenda.execmd.exe

description	pid	process	target process
PID 3076 wrote to memory of 3276	3076	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe	zap7350.exe
PID 3076 wrote to memory of 3276	3076	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe	zap7350.exe
PID 3076 wrote to memory of 3276	3076	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe	zap7350.exe
PID 3276 wrote to memory of 4168	3276	zap7350.exe	zap4997.exe
PID 3276 wrote to memory of 4168	3276	zap7350.exe	zap4997.exe
PID 3276 wrote to memory of 4168	3276	zap7350.exe	zap4997.exe
PID 4168 wrote to memory of 4140	4168	zap4997.exe	zap6052.exe
PID 4168 wrote to memory of 4140	4168	zap4997.exe	zap6052.exe
PID 4168 wrote to memory of 4140	4168	zap4997.exe	zap6052.exe
PID 4140 wrote to memory of 4196	4140	zap6052.exe	tz2760.exe
PID 4140 wrote to memory of 4196	4140	zap6052.exe	tz2760.exe
PID 4140 wrote to memory of 2084	4140	zap6052.exe	v5682Wn.exe
PID 4140 wrote to memory of 2084	4140	zap6052.exe	v5682Wn.exe
PID 4140 wrote to memory of 2084	4140	zap6052.exe	v5682Wn.exe
PID 4168 wrote to memory of 3136	4168	zap4997.exe	w42El96.exe
PID 4168 wrote to memory of 3136	4168	zap4997.exe	w42El96.exe
PID 4168 wrote to memory of 3136	4168	zap4997.exe	w42El96.exe
PID 3276 wrote to memory of 3580	3276	zap7350.exe	xYJDN57.exe
PID 3276 wrote to memory of 3580	3276	zap7350.exe	xYJDN57.exe
PID 3276 wrote to memory of 3580	3276	zap7350.exe	xYJDN57.exe
PID 3076 wrote to memory of 4876	3076	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe	y49as65.exe
PID 3076 wrote to memory of 4876	3076	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe	y49as65.exe
PID 3076 wrote to memory of 4876	3076	51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe	y49as65.exe
PID 4876 wrote to memory of 3848	4876	y49as65.exe	legenda.exe
PID 4876 wrote to memory of 3848	4876	y49as65.exe	legenda.exe
PID 4876 wrote to memory of 3848	4876	y49as65.exe	legenda.exe
PID 3848 wrote to memory of 4384	3848	legenda.exe	schtasks.exe
PID 3848 wrote to memory of 4384	3848	legenda.exe	schtasks.exe
PID 3848 wrote to memory of 4384	3848	legenda.exe	schtasks.exe
PID 3848 wrote to memory of 4492	3848	legenda.exe	cmd.exe
PID 3848 wrote to memory of 4492	3848	legenda.exe	cmd.exe
PID 3848 wrote to memory of 4492	3848	legenda.exe	cmd.exe
PID 4492 wrote to memory of 4996	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4996	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4996	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4940	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4940	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4940	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4120	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4120	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4120	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4968	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4968	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4968	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4952	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4952	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4952	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4960	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4960	4492	cmd.exe	cacls.exe
PID 4492 wrote to memory of 4960	4492	cmd.exe	cacls.exe
PID 3848 wrote to memory of 3264	3848	legenda.exe	2023.exe
PID 3848 wrote to memory of 3264	3848	legenda.exe	2023.exe
PID 3848 wrote to memory of 3264	3848	legenda.exe	2023.exe
PID 3848 wrote to memory of 4292	3848	legenda.exe	rundll32.exe
PID 3848 wrote to memory of 4292	3848	legenda.exe	rundll32.exe
PID 3848 wrote to memory of 4292	3848	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe
"C:\Users\Admin\AppData\Local\Temp\51cd9b8c6ab2dc4a790d5cbfde09e24c19b1c73e48348d3f11edbb4ddd99905e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3076

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7350.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7350.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3276

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4997.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4997.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4168

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6052.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6052.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2760.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2760.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5682Wn.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5682Wn.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w42El96.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w42El96.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYJDN57.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYJDN57.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y49as65.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y49as65.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:4384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4996

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:4940

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4968

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4952

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
"C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe"
4⤵
- Executes dropped EXE
PID:3264

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4292

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:5044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000213001\2023.exe
Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y49as65.exe
Filesize
235KB

MD5
b266729ec06c487845fe3af18c575d9c

SHA1
108abe97ba7b406a6bd7dda933f6ef778994cd73

SHA256
6f08f72cb73a9ea40013df51c23576bf45f1e4d5496f063601339af310460738

SHA512
5c642a42f6078ff79f46fc61838cd0b055d12842f8f4ecbb9c208ac6222498ea9adb9cbed4bab6a9c62b5769da1e0807e028180aa68381148810409122bee3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y49as65.exe
Filesize
235KB

MD5
b266729ec06c487845fe3af18c575d9c

SHA1
108abe97ba7b406a6bd7dda933f6ef778994cd73

SHA256
6f08f72cb73a9ea40013df51c23576bf45f1e4d5496f063601339af310460738

SHA512
5c642a42f6078ff79f46fc61838cd0b055d12842f8f4ecbb9c208ac6222498ea9adb9cbed4bab6a9c62b5769da1e0807e028180aa68381148810409122bee3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7350.exe
Filesize
873KB

MD5
b24fda7021545cb4e7e647c9ac103cd9

SHA1
eca57e026e19f77be56e62fb7d1b8e10badbd075

SHA256
4d92b90c4a9ddd334db233b35fa972037b93f303fe1f34ea75ba9eceaff98286

SHA512
0ee64a8930aed434a7d598a7207eabb0d565985fa97305839cabb2b087781b4a18ccc19c0ff64703cb064e6473f93e0327de65f61f5d5e21831ab44a1bb2d794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap7350.exe
Filesize
873KB

MD5
b24fda7021545cb4e7e647c9ac103cd9

SHA1
eca57e026e19f77be56e62fb7d1b8e10badbd075

SHA256
4d92b90c4a9ddd334db233b35fa972037b93f303fe1f34ea75ba9eceaff98286

SHA512
0ee64a8930aed434a7d598a7207eabb0d565985fa97305839cabb2b087781b4a18ccc19c0ff64703cb064e6473f93e0327de65f61f5d5e21831ab44a1bb2d794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYJDN57.exe
Filesize
175KB

MD5
75820604409f5f828d8af32f3018ea23

SHA1
7f1f0e821624c7adaa4dac6b8cb426a975c81a3b

SHA256
a6be621461324a7e10d67ea3bfee3a2313a3269bc7ce6e3451f9878727242612

SHA512
9a4352eb29a6d0134d59ea5ccc5ed8c775079717a1cf5e0ed06ad6add86adb1b24e14884822b3baed4eedfd3bc527bdc50417a9d746d0bec880ee1b957604cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xYJDN57.exe
Filesize
175KB

MD5
75820604409f5f828d8af32f3018ea23

SHA1
7f1f0e821624c7adaa4dac6b8cb426a975c81a3b

SHA256
a6be621461324a7e10d67ea3bfee3a2313a3269bc7ce6e3451f9878727242612

SHA512
9a4352eb29a6d0134d59ea5ccc5ed8c775079717a1cf5e0ed06ad6add86adb1b24e14884822b3baed4eedfd3bc527bdc50417a9d746d0bec880ee1b957604cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4997.exe
Filesize
731KB

MD5
eabc4146ed60451c557719aa5e3988f8

SHA1
5ac2793e4ecf30102208140e051b95f15418d2f1

SHA256
b5d92af52b40916ea66595b8736a010f007b2178e7e07a645c5785ff3195f976

SHA512
51d788bdb888f9deb0e99e6d155f2deecaa0a5a71e0b37306a2d82a3166b65195f7f7db793631168b82271f8e4e517ae8a5270a412084dc54597a28b39c09b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap4997.exe
Filesize
731KB

MD5
eabc4146ed60451c557719aa5e3988f8

SHA1
5ac2793e4ecf30102208140e051b95f15418d2f1

SHA256
b5d92af52b40916ea66595b8736a010f007b2178e7e07a645c5785ff3195f976

SHA512
51d788bdb888f9deb0e99e6d155f2deecaa0a5a71e0b37306a2d82a3166b65195f7f7db793631168b82271f8e4e517ae8a5270a412084dc54597a28b39c09b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w42El96.exe
Filesize
403KB

MD5
87f7deb11c8a25fe036db7b520bacbcf

SHA1
0a64c0c35d28b6b05c5a496c74e1396547fead0a

SHA256
a4448761f57d41fff8fdc41474af7fcb4d5aa1b398a94d903daf6bf4381f4474

SHA512
67df8adc096004be45aab024c973f119c58b5d6ad6e6523d97087a932665424dbd3aec201b0a52d8b600e3ba0335d4f1b8ed4d089638f08ba3fb454148ce66e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w42El96.exe
Filesize
403KB

MD5
87f7deb11c8a25fe036db7b520bacbcf

SHA1
0a64c0c35d28b6b05c5a496c74e1396547fead0a

SHA256
a4448761f57d41fff8fdc41474af7fcb4d5aa1b398a94d903daf6bf4381f4474

SHA512
67df8adc096004be45aab024c973f119c58b5d6ad6e6523d97087a932665424dbd3aec201b0a52d8b600e3ba0335d4f1b8ed4d089638f08ba3fb454148ce66e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6052.exe
Filesize
362KB

MD5
cec1ad6c9bc4a6c883fe2e399712fb95

SHA1
f0217b927862b9000f59bfa239ecdb153968adf1

SHA256
5e8205a9f9a80f8abb5dfceb1f2ac4bb70ad4c86c0b06b6ff381dae3495f7970

SHA512
84f620364ca5117c440f76353e120bd597ea1c297e7d861de1b9df3c221a4859101b682d2e257891b6720f9b7e3e6cafb0f106023edef9d8cb01dea7587e9ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap6052.exe
Filesize
362KB

MD5
cec1ad6c9bc4a6c883fe2e399712fb95

SHA1
f0217b927862b9000f59bfa239ecdb153968adf1

SHA256
5e8205a9f9a80f8abb5dfceb1f2ac4bb70ad4c86c0b06b6ff381dae3495f7970

SHA512
84f620364ca5117c440f76353e120bd597ea1c297e7d861de1b9df3c221a4859101b682d2e257891b6720f9b7e3e6cafb0f106023edef9d8cb01dea7587e9ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2760.exe
Filesize
12KB

MD5
186ac05e06432031c1f8169fc0a8c8e9

SHA1
23f916d6c20927cf0afa7506ed98802f2b3a1a81

SHA256
0defa3c6767698b1ae0b4793b38711fb5daba0bc233a59f7aaedae89c22be589

SHA512
0e754facb58ff167ac589a8b00ce06822acb96c9c6abd77ff1aa60651183e7ca4ddc55c6cb94a8250d38af96485e8f5f3473e1f0641fa47649636e9e875307c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz2760.exe
Filesize
12KB

MD5
186ac05e06432031c1f8169fc0a8c8e9

SHA1
23f916d6c20927cf0afa7506ed98802f2b3a1a81

SHA256
0defa3c6767698b1ae0b4793b38711fb5daba0bc233a59f7aaedae89c22be589

SHA512
0e754facb58ff167ac589a8b00ce06822acb96c9c6abd77ff1aa60651183e7ca4ddc55c6cb94a8250d38af96485e8f5f3473e1f0641fa47649636e9e875307c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5682Wn.exe
Filesize
345KB

MD5
d23d24fdeebaa02944e3cd5cc2903bfa

SHA1
b07c07f5044312cf337be97b89948ac5cd150c67

SHA256
56b848e527919f992c9e272613c81b79e321c5649ee52f3c22da70b6bc946899

SHA512
d0f18e31e31a14e3857857dc8b44616f33aee34eacf5cf04d002e8a304562f89ccdf5a61ee702f0b51416d060105c809a2563991ed37bab2009d2a95092c61e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5682Wn.exe
Filesize
345KB

MD5
d23d24fdeebaa02944e3cd5cc2903bfa

SHA1
b07c07f5044312cf337be97b89948ac5cd150c67

SHA256
56b848e527919f992c9e272613c81b79e321c5649ee52f3c22da70b6bc946899

SHA512
d0f18e31e31a14e3857857dc8b44616f33aee34eacf5cf04d002e8a304562f89ccdf5a61ee702f0b51416d060105c809a2563991ed37bab2009d2a95092c61e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b266729ec06c487845fe3af18c575d9c

SHA1
108abe97ba7b406a6bd7dda933f6ef778994cd73

SHA256
6f08f72cb73a9ea40013df51c23576bf45f1e4d5496f063601339af310460738

SHA512
5c642a42f6078ff79f46fc61838cd0b055d12842f8f4ecbb9c208ac6222498ea9adb9cbed4bab6a9c62b5769da1e0807e028180aa68381148810409122bee3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b266729ec06c487845fe3af18c575d9c

SHA1
108abe97ba7b406a6bd7dda933f6ef778994cd73

SHA256
6f08f72cb73a9ea40013df51c23576bf45f1e4d5496f063601339af310460738

SHA512
5c642a42f6078ff79f46fc61838cd0b055d12842f8f4ecbb9c208ac6222498ea9adb9cbed4bab6a9c62b5769da1e0807e028180aa68381148810409122bee3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b266729ec06c487845fe3af18c575d9c

SHA1
108abe97ba7b406a6bd7dda933f6ef778994cd73

SHA256
6f08f72cb73a9ea40013df51c23576bf45f1e4d5496f063601339af310460738

SHA512
5c642a42f6078ff79f46fc61838cd0b055d12842f8f4ecbb9c208ac6222498ea9adb9cbed4bab6a9c62b5769da1e0807e028180aa68381148810409122bee3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
235KB

MD5
b266729ec06c487845fe3af18c575d9c

SHA1
108abe97ba7b406a6bd7dda933f6ef778994cd73

SHA256
6f08f72cb73a9ea40013df51c23576bf45f1e4d5496f063601339af310460738

SHA512
5c642a42f6078ff79f46fc61838cd0b055d12842f8f4ecbb9c208ac6222498ea9adb9cbed4bab6a9c62b5769da1e0807e028180aa68381148810409122bee3eb

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
memory/2084-173-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-177-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-179-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-181-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-183-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-185-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-186-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2084-187-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2084-188-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2084-189-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/2084-192-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2084-193-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2084-194-0x0000000007230000-0x0000000007240000-memory.dmp

Filesize
64KB

Download
memory/2084-191-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/2084-175-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-171-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-169-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-167-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-165-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-163-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-161-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-159-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-158-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/2084-157-0x00000000070B0000-0x00000000070C8000-memory.dmp

Filesize
96KB

Download
memory/2084-156-0x0000000007240000-0x000000000773E000-memory.dmp

Filesize
5.0MB

Download
memory/2084-155-0x0000000004B40000-0x0000000004B5A000-memory.dmp

Filesize
104KB

Download
memory/2084-154-0x0000000002B90000-0x0000000002BBD000-memory.dmp

Filesize
180KB

Download
memory/3136-209-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-1124-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-225-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-227-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-229-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-231-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-233-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-235-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-582-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-580-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-584-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-1111-0x0000000007F80000-0x0000000008586000-memory.dmp

Filesize
6.0MB

Download
memory/3136-1112-0x0000000007970000-0x0000000007A7A000-memory.dmp

Filesize
1.0MB

Download
memory/3136-1113-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/3136-1114-0x0000000004F60000-0x0000000004F9E000-memory.dmp

Filesize
248KB

Download
memory/3136-1115-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-1116-0x0000000007B80000-0x0000000007BCB000-memory.dmp

Filesize
300KB

Download
memory/3136-1118-0x0000000007CB0000-0x0000000007D42000-memory.dmp

Filesize
584KB

Download
memory/3136-1119-0x0000000007D50000-0x0000000007DB6000-memory.dmp

Filesize
408KB

Download
memory/3136-1120-0x0000000008B70000-0x0000000008D32000-memory.dmp

Filesize
1.8MB

Download
memory/3136-1121-0x0000000008D40000-0x000000000926C000-memory.dmp

Filesize
5.2MB

Download
memory/3136-1122-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-1123-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-223-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-1125-0x00000000094E0000-0x0000000009556000-memory.dmp

Filesize
472KB

Download
memory/3136-1126-0x0000000009560000-0x00000000095B0000-memory.dmp

Filesize
320KB

Download
memory/3136-1127-0x0000000007460000-0x0000000007470000-memory.dmp

Filesize
64KB

Download
memory/3136-200-0x0000000002E90000-0x0000000002ED6000-memory.dmp

Filesize
280KB

Download
memory/3136-199-0x0000000002C70000-0x0000000002CBB000-memory.dmp

Filesize
300KB

Download
memory/3136-201-0x0000000004AC0000-0x0000000004B04000-memory.dmp

Filesize
272KB

Download
memory/3136-203-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-221-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-219-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-217-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-215-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-213-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-211-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-207-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-205-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3136-202-0x0000000004AC0000-0x0000000004AFF000-memory.dmp

Filesize
252KB

Download
memory/3580-1136-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/3580-1135-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/3580-1134-0x0000000005790000-0x00000000057DB000-memory.dmp

Filesize
300KB

Download
memory/3580-1133-0x0000000000D50000-0x0000000000D82000-memory.dmp

Filesize
200KB

Download
memory/4196-148-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download