amadey | 26bb6890723cf918add7fa92c8224a6f697715e24847cd2570cd1f9068745e35

Analysis

max time kernel
115s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2023 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

282d9361c7b275001bd53290608f95e5.exe
Size

1.0MB
MD5

282d9361c7b275001bd53290608f95e5
SHA1

511dfa6cec15310fc40289900b1dabc5700431d7
SHA256

26bb6890723cf918add7fa92c8224a6f697715e24847cd2570cd1f9068745e35
SHA512

7c7b98229f51bd5d9615d55bb53fb549da3634240d5fff6a5b4c1591d55bd0dd27ab098dc26ea83650fefc7357eb659f0d10025a4f4afe45d22d9529678dbe44
SSDEEP

24576:MybRJDZjqZrMi2aFSy7N7i6uHJplqQwZ9Mxxa:7bRJlW9Mingy7N5uPcQi

Score

10^/10

amadey redline duna rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

duna

176.113.115.145:4125

Attributes

auth_value
8879c60b4740ac2d7fb8831d4d3c396f

Extracted

Family

amadey

Version

3.68

62.204.41.87/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

v1681jf.exetz8213.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v1681jf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8213.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8213.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8213.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8213.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v1681jf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v1681jf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8213.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8213.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v1681jf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v1681jf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v1681jf.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2804-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-213-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-215-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-221-0x00000000072C0000-0x00000000072D0000-memory.dmp	family_redline
behavioral2/memory/2804-222-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-224-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-226-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline
behavioral2/memory/2804-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y37qO07.exelegenda.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	y37qO07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	legenda.exe

Executes dropped EXE 10 IoCs

Processes:

zap1769.exezap5445.exezap4723.exetz8213.exev1681jf.exew96Pz89.exexndsa30.exey37qO07.exelegenda.exelegenda.exe

pid	process
1240	zap1769.exe
4928	zap5445.exe
3768	zap4723.exe
4456	tz8213.exe
3232	v1681jf.exe
2804	w96Pz89.exe
3088	xndsa30.exe
1312	y37qO07.exe
2832	legenda.exe
1516	legenda.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4648 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4648	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tz8213.exev1681jf.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8213.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v1681jf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v1681jf.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap5445.exezap4723.exe282d9361c7b275001bd53290608f95e5.exezap1769.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap5445.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap4723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap4723.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	282d9361c7b275001bd53290608f95e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	282d9361c7b275001bd53290608f95e5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap1769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap1769.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap5445.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1984 3232 WerFault.exe v1681jf.exe
5072 2804 WerFault.exe w96Pz89.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3544 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8213.exev1681jf.exew96Pz89.exexndsa30.exe

pid process

4456 tz8213.exe
4456 tz8213.exe
3232 v1681jf.exe
3232 v1681jf.exe
2804 w96Pz89.exe
2804 w96Pz89.exe
3088 xndsa30.exe
3088 xndsa30.exe

pid	pid_target	process	target process
1984	3232	WerFault.exe	v1681jf.exe
5072	2804	WerFault.exe	w96Pz89.exe

pid	process
3544	schtasks.exe

pid	process
4456	tz8213.exe
4456	tz8213.exe
3232	v1681jf.exe
3232	v1681jf.exe
2804	w96Pz89.exe
2804	w96Pz89.exe
3088	xndsa30.exe
3088	xndsa30.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8213.exev1681jf.exew96Pz89.exexndsa30.exe

description	pid	process
Token: SeDebugPrivilege	4456	tz8213.exe
Token: SeDebugPrivilege	3232	v1681jf.exe
Token: SeDebugPrivilege	2804	w96Pz89.exe
Token: SeDebugPrivilege	3088	xndsa30.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

282d9361c7b275001bd53290608f95e5.exezap1769.exezap5445.exezap4723.exey37qO07.exelegenda.execmd.exe

description	pid	process	target process
PID 4632 wrote to memory of 1240	4632	282d9361c7b275001bd53290608f95e5.exe	zap1769.exe
PID 4632 wrote to memory of 1240	4632	282d9361c7b275001bd53290608f95e5.exe	zap1769.exe
PID 4632 wrote to memory of 1240	4632	282d9361c7b275001bd53290608f95e5.exe	zap1769.exe
PID 1240 wrote to memory of 4928	1240	zap1769.exe	zap5445.exe
PID 1240 wrote to memory of 4928	1240	zap1769.exe	zap5445.exe
PID 1240 wrote to memory of 4928	1240	zap1769.exe	zap5445.exe
PID 4928 wrote to memory of 3768	4928	zap5445.exe	zap4723.exe
PID 4928 wrote to memory of 3768	4928	zap5445.exe	zap4723.exe
PID 4928 wrote to memory of 3768	4928	zap5445.exe	zap4723.exe
PID 3768 wrote to memory of 4456	3768	zap4723.exe	tz8213.exe
PID 3768 wrote to memory of 4456	3768	zap4723.exe	tz8213.exe
PID 3768 wrote to memory of 3232	3768	zap4723.exe	v1681jf.exe
PID 3768 wrote to memory of 3232	3768	zap4723.exe	v1681jf.exe
PID 3768 wrote to memory of 3232	3768	zap4723.exe	v1681jf.exe
PID 4928 wrote to memory of 2804	4928	zap5445.exe	w96Pz89.exe
PID 4928 wrote to memory of 2804	4928	zap5445.exe	w96Pz89.exe
PID 4928 wrote to memory of 2804	4928	zap5445.exe	w96Pz89.exe
PID 1240 wrote to memory of 3088	1240	zap1769.exe	xndsa30.exe
PID 1240 wrote to memory of 3088	1240	zap1769.exe	xndsa30.exe
PID 1240 wrote to memory of 3088	1240	zap1769.exe	xndsa30.exe
PID 4632 wrote to memory of 1312	4632	282d9361c7b275001bd53290608f95e5.exe	y37qO07.exe
PID 4632 wrote to memory of 1312	4632	282d9361c7b275001bd53290608f95e5.exe	y37qO07.exe
PID 4632 wrote to memory of 1312	4632	282d9361c7b275001bd53290608f95e5.exe	y37qO07.exe
PID 1312 wrote to memory of 2832	1312	y37qO07.exe	legenda.exe
PID 1312 wrote to memory of 2832	1312	y37qO07.exe	legenda.exe
PID 1312 wrote to memory of 2832	1312	y37qO07.exe	legenda.exe
PID 2832 wrote to memory of 3544	2832	legenda.exe	schtasks.exe
PID 2832 wrote to memory of 3544	2832	legenda.exe	schtasks.exe
PID 2832 wrote to memory of 3544	2832	legenda.exe	schtasks.exe
PID 2832 wrote to memory of 1276	2832	legenda.exe	cmd.exe
PID 2832 wrote to memory of 1276	2832	legenda.exe	cmd.exe
PID 2832 wrote to memory of 1276	2832	legenda.exe	cmd.exe
PID 1276 wrote to memory of 560	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 560	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 560	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 1728	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 1728	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 1728	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 3712	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 3712	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 3712	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 2320	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 2320	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 2320	1276	cmd.exe	cmd.exe
PID 1276 wrote to memory of 4484	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 4484	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 4484	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 2140	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 2140	1276	cmd.exe	cacls.exe
PID 1276 wrote to memory of 2140	1276	cmd.exe	cacls.exe
PID 2832 wrote to memory of 4648	2832	legenda.exe	rundll32.exe
PID 2832 wrote to memory of 4648	2832	legenda.exe	rundll32.exe
PID 2832 wrote to memory of 4648	2832	legenda.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\282d9361c7b275001bd53290608f95e5.exe
"C:\Users\Admin\AppData\Local\Temp\282d9361c7b275001bd53290608f95e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1769.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1769.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5445.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5445.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4723.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4723.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8213.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8213.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1681jf.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1681jf.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3232 -s 1084
6⤵
- Program crash
PID:1984

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Pz89.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Pz89.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1636
5⤵
- Program crash
PID:5072

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xndsa30.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xndsa30.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37qO07.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37qO07.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
"C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legenda.exe /TR "C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe" /F
4⤵
- Creates scheduled task(s)
PID:3544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legenda.exe" /P "Admin:N"&&CACLS "legenda.exe" /P "Admin:R" /E&&echo Y|CACLS "..\f22b669919" /P "Admin:N"&&CACLS "..\f22b669919" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:560

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:N"
5⤵
PID:1728

C:\Windows\SysWOW64\cacls.exe
CACLS "legenda.exe" /P "Admin:R" /E
5⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2320

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:N"
5⤵
PID:4484

C:\Windows\SysWOW64\cacls.exe
CACLS "..\f22b669919" /P "Admin:R" /E
5⤵
PID:2140

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3232 -ip 3232
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2804 -ip 2804
1⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
1⤵
- Executes dropped EXE
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37qO07.exe
Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y37qO07.exe
Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1769.exe
Filesize
872KB

MD5
d7e699d5e57419ef79f1a79357212ce3

SHA1
50839173d89c047ea2c4c6c617daa2bd86dbcb32

SHA256
4c597953af1646fbed8466b96fd5933af0cb802a99abea2ef762fcb3fb556c3d

SHA512
8f947d1c8ffcfd86d1bbcc1151545b4f4944921b6c11a43cce7a8e3a60287d6c29d1e8d00d295ee5b23aa646f532a250d8465fb0c58f272a24d2523d5020376d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap1769.exe
Filesize
872KB

MD5
d7e699d5e57419ef79f1a79357212ce3

SHA1
50839173d89c047ea2c4c6c617daa2bd86dbcb32

SHA256
4c597953af1646fbed8466b96fd5933af0cb802a99abea2ef762fcb3fb556c3d

SHA512
8f947d1c8ffcfd86d1bbcc1151545b4f4944921b6c11a43cce7a8e3a60287d6c29d1e8d00d295ee5b23aa646f532a250d8465fb0c58f272a24d2523d5020376d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xndsa30.exe
Filesize
175KB

MD5
deb366c546e005e32503931d958589db

SHA1
e7c3e1d0981cf21881f98b982d1592dbc05d5f56

SHA256
d4a06f0e355a48fdcda68b0dbab077a56c5a1f7ef3b065e29f3b450dd30f457d

SHA512
652d3cf76cd1d9a9bf0f6f6c93dd6f6c217672182cb6fda1ab048d0e2601d01f1e934d3a6257bfb04a81246793f5bf08419c9c91e9e57972d18c44ee57f5c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xndsa30.exe
Filesize
175KB

MD5
deb366c546e005e32503931d958589db

SHA1
e7c3e1d0981cf21881f98b982d1592dbc05d5f56

SHA256
d4a06f0e355a48fdcda68b0dbab077a56c5a1f7ef3b065e29f3b450dd30f457d

SHA512
652d3cf76cd1d9a9bf0f6f6c93dd6f6c217672182cb6fda1ab048d0e2601d01f1e934d3a6257bfb04a81246793f5bf08419c9c91e9e57972d18c44ee57f5c7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5445.exe
Filesize
729KB

MD5
0ce40dad5694cf69612e64b4299492b2

SHA1
1d6b78919556f837556f4f4c07b4d713414210dc

SHA256
18dcc9dd87f9e297d446fb6862f0d62afe437ca38e5c6dc000dd4419f3b72f60

SHA512
e3858dcc76a2a06cf2a37dedfc8055da3d1c353476c78367d8ad07c58ae77ddba273b16cfb4cf28a374c2e853ba34df76481f829e52f20a676ed43373562c8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap5445.exe
Filesize
729KB

MD5
0ce40dad5694cf69612e64b4299492b2

SHA1
1d6b78919556f837556f4f4c07b4d713414210dc

SHA256
18dcc9dd87f9e297d446fb6862f0d62afe437ca38e5c6dc000dd4419f3b72f60

SHA512
e3858dcc76a2a06cf2a37dedfc8055da3d1c353476c78367d8ad07c58ae77ddba273b16cfb4cf28a374c2e853ba34df76481f829e52f20a676ed43373562c8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Pz89.exe
Filesize
403KB

MD5
64673a5ba9275c6bd5747b01f9730dd0

SHA1
c17830f4c7086736af6f51c45a43840e641adc53

SHA256
cf5f96485058ce3cfc2a0d57f588cff6f36fdbda2a1edad18e7faee1ad579fba

SHA512
c4e7f6e08ded7ad635d31d4467314d375393f5aa52cc7c6cb8f35e881f9e923d4faf1d9daebf7765b8a97fcd2afc31f098099c71a66002f741571ebe03a98f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w96Pz89.exe
Filesize
403KB

MD5
64673a5ba9275c6bd5747b01f9730dd0

SHA1
c17830f4c7086736af6f51c45a43840e641adc53

SHA256
cf5f96485058ce3cfc2a0d57f588cff6f36fdbda2a1edad18e7faee1ad579fba

SHA512
c4e7f6e08ded7ad635d31d4467314d375393f5aa52cc7c6cb8f35e881f9e923d4faf1d9daebf7765b8a97fcd2afc31f098099c71a66002f741571ebe03a98f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4723.exe
Filesize
362KB

MD5
7fa86f9eff100b75af202df54001f068

SHA1
eb3dbcfab1bb385c08997524deb3ac53fc57b784

SHA256
a5f40eab225c611d6f7d203c5de6df58f9e38588fa1a94cc6ee1a4a916770899

SHA512
468195dda4677e454b761e446341e1cafcf0f0e5e3f88b5989b7311a861a49f199872a53a1d42648f09d3b0ae1b7cf4049300d0ad832f358cc07aaf48d3776d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap4723.exe
Filesize
362KB

MD5
7fa86f9eff100b75af202df54001f068

SHA1
eb3dbcfab1bb385c08997524deb3ac53fc57b784

SHA256
a5f40eab225c611d6f7d203c5de6df58f9e38588fa1a94cc6ee1a4a916770899

SHA512
468195dda4677e454b761e446341e1cafcf0f0e5e3f88b5989b7311a861a49f199872a53a1d42648f09d3b0ae1b7cf4049300d0ad832f358cc07aaf48d3776d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8213.exe
Filesize
11KB

MD5
22d8a3d8950f30ea85018e2dd863c2f9

SHA1
e716c21ff216e3d166cd0d8457a5d4f34762e658

SHA256
6fb28ae2b7df932f6d02e7881966505055eefd5b717f5802bb075707801f4dad

SHA512
24817cb3056a9f05448a0ea77e0463bcc45793f14511d98304a7994bb4167acc288aaca47ce57bae3ee015d04f5e027ed53ae0bb45aa79273dc83b979d0cc4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8213.exe
Filesize
11KB

MD5
22d8a3d8950f30ea85018e2dd863c2f9

SHA1
e716c21ff216e3d166cd0d8457a5d4f34762e658

SHA256
6fb28ae2b7df932f6d02e7881966505055eefd5b717f5802bb075707801f4dad

SHA512
24817cb3056a9f05448a0ea77e0463bcc45793f14511d98304a7994bb4167acc288aaca47ce57bae3ee015d04f5e027ed53ae0bb45aa79273dc83b979d0cc4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1681jf.exe
Filesize
345KB

MD5
2888aeb7da2b1b2a212e9d3bb42a6eca

SHA1
2ca045608ed2fcbdcc13c5cf2090e62853b85930

SHA256
c73ca7c24ff3f931cc2ffdfcad3d741386796bb04ed67bd4da832e7c33604e95

SHA512
7d4e3a3d5afccbc968c396e08948c476667c594f147a99b972238d83ce7a404befc5f81656fd60399833a9e1b0561990556f91868f987788c5048c7ddb4664fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1681jf.exe
Filesize
345KB

MD5
2888aeb7da2b1b2a212e9d3bb42a6eca

SHA1
2ca045608ed2fcbdcc13c5cf2090e62853b85930

SHA256
c73ca7c24ff3f931cc2ffdfcad3d741386796bb04ed67bd4da832e7c33604e95

SHA512
7d4e3a3d5afccbc968c396e08948c476667c594f147a99b972238d83ce7a404befc5f81656fd60399833a9e1b0561990556f91868f987788c5048c7ddb4664fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Local\Temp\f22b669919\legenda.exe
Filesize
237KB

MD5
58ffa503e308ad0d0650fc328e84560d

SHA1
9001c334d7da058224075468aa26a2f1c1d4b60e

SHA256
34c9970279a53ec2a9fc068e58577f50f42e3dd56e6b0f3c7b3eced0f7843891

SHA512
00469e3c14f111756040dac7f87f342576b8727e11580f699d80d3d3d35eaa2a5855906cb8daea6856a32b5d2e23b7f9808f9a147d1b4650e64fc6b61da43496

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
16cf28ebb6d37dbaba93f18320c6086e

SHA1
eae7d4b7a9636329065877aabe8d4f721a26ab25

SHA256
c0603ed73299e59dc890ae194c552acd9d8a2aef2e1a9e76346ca672e3b14106

SHA512
f8eee1d4142483de223ddbefec43023fd167e41e358bf8994140e2dcc1712f49228dc92e4e237d1df4ffa6c948097a8309c84d60788a03babed668532c438fc2

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
223B

MD5
94cbeec5d4343918fd0e48760e40539c

SHA1
a049266c5c1131f692f306c8710d7e72586ae79d

SHA256
48eb3ca078da2f5e9fd581197ae1b4dfbac6d86040addbb305e305c014741279

SHA512
4e92450333d60b1977f75c240157a8589cfb1c80a979fbe0793cc641e13556004e554bc6f9f4853487dbcfcdc2ca93afe610649e9712e91415ed3f2a60d4fec0

Download Submit
memory/2804-1128-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/2804-242-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-1136-0x0000000009890000-0x00000000098E0000-memory.dmp

Filesize
320KB

Download
memory/2804-1135-0x0000000009810000-0x0000000009886000-memory.dmp

Filesize
472KB

Download
memory/2804-1134-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-1133-0x0000000008D60000-0x000000000928C000-memory.dmp

Filesize
5.2MB

Download
memory/2804-1132-0x0000000008B90000-0x0000000008D52000-memory.dmp

Filesize
1.8MB

Download
memory/2804-1131-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-1130-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-1129-0x0000000008A90000-0x0000000008B22000-memory.dmp

Filesize
584KB

Download
memory/2804-1127-0x00000000083D0000-0x0000000008436000-memory.dmp

Filesize
408KB

Download
memory/2804-1125-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/2804-1124-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-1123-0x00000000080C0000-0x00000000080D2000-memory.dmp

Filesize
72KB

Download
memory/2804-1122-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/2804-211-0x0000000002BA0000-0x0000000002BEB000-memory.dmp

Filesize
300KB

Download
memory/2804-212-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-213-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-215-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-218-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-221-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-219-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-217-0x00000000072C0000-0x00000000072D0000-memory.dmp

Filesize
64KB

Download
memory/2804-222-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-224-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-226-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-228-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-230-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-232-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-234-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-236-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-238-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-240-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-1121-0x0000000007980000-0x0000000007F98000-memory.dmp

Filesize
6.1MB

Download
memory/2804-244-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/2804-246-0x0000000004BE0000-0x0000000004C1F000-memory.dmp

Filesize
252KB

Download
memory/3088-1142-0x0000000000F70000-0x0000000000FA2000-memory.dmp

Filesize
200KB

Download
memory/3088-1143-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/3232-190-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-173-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-188-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-204-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3232-182-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-202-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3232-201-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3232-200-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-198-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-196-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-194-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-192-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-205-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3232-180-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-171-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3232-186-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-184-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-176-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-174-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-206-0x0000000000400000-0x0000000002B83000-memory.dmp

Filesize
39.5MB

Download
memory/3232-172-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3232-178-0x0000000004DF0000-0x0000000004E02000-memory.dmp

Filesize
72KB

Download
memory/3232-170-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/3232-169-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/3232-168-0x00000000072C0000-0x0000000007864000-memory.dmp

Filesize
5.6MB

Download
memory/4456-163-0x000000001BA70000-0x000000001BBBE000-memory.dmp

Filesize
1.3MB

Download
memory/4456-161-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download