amadey | a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2023 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a66552b951bcac1100cbd7e7af6cd14.exe
Size

1.8MB
MD5

3a66552b951bcac1100cbd7e7af6cd14
SHA1

372acaaacf60624d612dec2bc02786963154777d
SHA256

a5ebf3f3762dc01bca3696993961927ec6aa376c7246b88089eba88f039d69d5
SHA512

d0f3baf9c3fa145bb69d3e36400c403c328905ad3b4ce79314f8c054c82e415be64f579758a9cd5c7fec8f235447e51ed95810f1133327c246ad3824ecd83d30
SSDEEP

24576:2ZfW54hpvs/dLb1ubIyzUY1waiQ4dDoMYWuxU/P3ZzbB3Mm1/vDrheqDqTGQVqF1:2ZfWSqbCKaiFdIWusvpbB3j/ZeqDcZA

Score

10^/10

amadey lumma sectoprat systembc discovery evasion persistence rat spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

systembc

5.42.65.67:4298

localhost.exchange:4298

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2044-237-0x0000000000400000-0x0000000000B26000-memory.dmp	family_sectoprat
behavioral2/memory/4256-257-0x0000000000400000-0x0000000000B26000-memory.dmp	family_sectoprat

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BR.exeBR.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BR.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BR.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

124 3888 rundll32.exe
125 3824 rundll32.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BR.exe

flow	pid	process
124	3888	rundll32.exe
125	3824	rundll32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BR.exeBR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BR.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fmiepnwtdpvxfjq.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	fmiepnwtdpvxfjq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	bstyoops.exe

Executes dropped EXE 6 IoCs

Processes:

fmiepnwtdpvxfjq.exebstyoops.exebstyoops.exeBR.exeBR.exebstyoops.exe

pid process

1960 fmiepnwtdpvxfjq.exe
1908 bstyoops.exe
5104 bstyoops.exe
2044 BR.exe
4256 BR.exe
4952 bstyoops.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

5004 rundll32.exe
3888 rundll32.exe
4032 rundll32.exe
3824 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1960	fmiepnwtdpvxfjq.exe
1908	bstyoops.exe
5104	bstyoops.exe
2044	BR.exe
4256	BR.exe
4952	bstyoops.exe

pid	process
5004	rundll32.exe
3888	rundll32.exe
4032	rundll32.exe
3824	rundll32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
behavioral2/memory/2044-237-0x0000000000400000-0x0000000000B26000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
behavioral2/memory/4256-257-0x0000000000400000-0x0000000000B26000-memory.dmp	themida

VMProtect packed file 20 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\fmiepnwtdpvxfjq.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\fmiepnwtdpvxfjq.exe	vmprotect
behavioral2/memory/1960-177-0x00000000008C0000-0x0000000001359000-memory.dmp	vmprotect
behavioral2/memory/1960-178-0x00000000008C0000-0x0000000001359000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/1960-194-0x00000000008C0000-0x0000000001359000-memory.dmp	vmprotect
behavioral2/memory/1908-198-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/1908-195-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/5104-205-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/5104-203-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/1908-218-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/1908-228-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/5104-240-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4952-314-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/4952-313-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect
behavioral2/memory/4952-317-0x0000000000440000-0x0000000000ED9000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bstyoops.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BR.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000057051\\BR.exe"	bstyoops.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sv64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\sv64.dll, rundll"	bstyoops.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BR.exeBR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BR.exeBR.exe

pid process

2044 BR.exe
4256 BR.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

3a66552b951bcac1100cbd7e7af6cd14.exe

description pid process target process

PID 2052 set thread context of 1500 2052 3a66552b951bcac1100cbd7e7af6cd14.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1784 schtasks.exe

pid	process
2044	BR.exe
4256	BR.exe

description	pid	process	target process
PID 2052 set thread context of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe

pid	process
1784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

RegSvcs.exefmiepnwtdpvxfjq.exebstyoops.exebstyoops.exeBR.exeBR.exerundll32.exerundll32.exebstyoops.exe

pid	process
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1500	RegSvcs.exe
1960	fmiepnwtdpvxfjq.exe
1960	fmiepnwtdpvxfjq.exe
1908	bstyoops.exe
1908	bstyoops.exe
5104	bstyoops.exe
5104	bstyoops.exe
2044	BR.exe
2044	BR.exe
4256	BR.exe
4256	BR.exe
3888	rundll32.exe
3888	rundll32.exe
3824	rundll32.exe
3824	rundll32.exe
4952	bstyoops.exe
4952	bstyoops.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3a66552b951bcac1100cbd7e7af6cd14.exe

description pid process

Token: SeDebugPrivilege 2052 3a66552b951bcac1100cbd7e7af6cd14.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fmiepnwtdpvxfjq.exe

pid process

1960 fmiepnwtdpvxfjq.exe

description	pid	process
Token: SeDebugPrivilege	2052	3a66552b951bcac1100cbd7e7af6cd14.exe

pid	process
1960	fmiepnwtdpvxfjq.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

3a66552b951bcac1100cbd7e7af6cd14.exeRegSvcs.exefmiepnwtdpvxfjq.exebstyoops.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 2052 wrote to memory of 1500	2052	3a66552b951bcac1100cbd7e7af6cd14.exe	RegSvcs.exe
PID 1500 wrote to memory of 1960	1500	RegSvcs.exe	fmiepnwtdpvxfjq.exe
PID 1500 wrote to memory of 1960	1500	RegSvcs.exe	fmiepnwtdpvxfjq.exe
PID 1500 wrote to memory of 1960	1500	RegSvcs.exe	fmiepnwtdpvxfjq.exe
PID 1960 wrote to memory of 1908	1960	fmiepnwtdpvxfjq.exe	bstyoops.exe
PID 1960 wrote to memory of 1908	1960	fmiepnwtdpvxfjq.exe	bstyoops.exe
PID 1960 wrote to memory of 1908	1960	fmiepnwtdpvxfjq.exe	bstyoops.exe
PID 1908 wrote to memory of 1784	1908	bstyoops.exe	schtasks.exe
PID 1908 wrote to memory of 1784	1908	bstyoops.exe	schtasks.exe
PID 1908 wrote to memory of 1784	1908	bstyoops.exe	schtasks.exe
PID 1908 wrote to memory of 2012	1908	bstyoops.exe	cmd.exe
PID 1908 wrote to memory of 2012	1908	bstyoops.exe	cmd.exe
PID 1908 wrote to memory of 2012	1908	bstyoops.exe	cmd.exe
PID 2012 wrote to memory of 4228	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 4228	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 4228	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 1740	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 1740	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 1740	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 2396	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 2396	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 2396	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 1692	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 1692	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 1692	2012	cmd.exe	cmd.exe
PID 2012 wrote to memory of 5000	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 5000	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 5000	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 2036	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 2036	2012	cmd.exe	cacls.exe
PID 2012 wrote to memory of 2036	2012	cmd.exe	cacls.exe
PID 1908 wrote to memory of 2044	1908	bstyoops.exe	BR.exe
PID 1908 wrote to memory of 2044	1908	bstyoops.exe	BR.exe
PID 1908 wrote to memory of 2044	1908	bstyoops.exe	BR.exe
PID 1908 wrote to memory of 4256	1908	bstyoops.exe	BR.exe
PID 1908 wrote to memory of 4256	1908	bstyoops.exe	BR.exe
PID 1908 wrote to memory of 4256	1908	bstyoops.exe	BR.exe
PID 1908 wrote to memory of 5004	1908	bstyoops.exe	rundll32.exe
PID 1908 wrote to memory of 5004	1908	bstyoops.exe	rundll32.exe
PID 1908 wrote to memory of 5004	1908	bstyoops.exe	rundll32.exe
PID 5004 wrote to memory of 3888	5004	rundll32.exe	rundll32.exe
PID 5004 wrote to memory of 3888	5004	rundll32.exe	rundll32.exe
PID 1908 wrote to memory of 4032	1908	bstyoops.exe	rundll32.exe
PID 1908 wrote to memory of 4032	1908	bstyoops.exe	rundll32.exe
PID 1908 wrote to memory of 4032	1908	bstyoops.exe	rundll32.exe
PID 4032 wrote to memory of 3824	4032	rundll32.exe	rundll32.exe
PID 4032 wrote to memory of 3824	4032	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3a66552b951bcac1100cbd7e7af6cd14.exe
"C:\Users\Admin\AppData\Local\Temp\3a66552b951bcac1100cbd7e7af6cd14.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\fmiepnwtdpvxfjq.exe
"C:\Users\Admin\AppData\Local\Temp\fmiepnwtdpvxfjq.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4228

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:1740

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1692

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:5000

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2044

C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3824

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5104

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmiepnwtdpvxfjq.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmiepnwtdpvxfjq.exe
Filesize
6.5MB

MD5
92031e02bc46932ace98fb8b54f261f4

SHA1
e4414033fedbaa9cb96660558748f36b5c0ae9d3

SHA256
15767660942cc7c75ff800cfeb1b759f8194d3a1332a9fb024abdf4b86cfc9df

SHA512
9407bb053c91482fa5426f3d11f5b271f42556905ba49ba0f50fd1f147c24d555086f5ffd11f36187a15ed2d9abc0c45e16c92c0b30f87849ad39a64186c1195

Download Submit
memory/1500-170-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1500-175-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1500-163-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1500-164-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1500-165-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1500-166-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1908-196-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/1908-218-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/1908-198-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/1908-195-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/1908-228-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/1960-194-0x00000000008C0000-0x0000000001359000-memory.dmp

Filesize
10.6MB

Download
memory/1960-177-0x00000000008C0000-0x0000000001359000-memory.dmp

Filesize
10.6MB

Download
memory/1960-176-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/1960-178-0x00000000008C0000-0x0000000001359000-memory.dmp

Filesize
10.6MB

Download
memory/2044-232-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-238-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/2044-270-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-269-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-258-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/2044-271-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-278-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-248-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/2044-247-0x00000000066D0000-0x0000000006BFC000-memory.dmp

Filesize
5.2MB

Download
memory/2044-246-0x0000000006240000-0x0000000006278000-memory.dmp

Filesize
224KB

Download
memory/2044-245-0x0000000006210000-0x000000000623E000-memory.dmp

Filesize
184KB

Download
memory/2044-244-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/2044-243-0x00000000059E0000-0x0000000005A30000-memory.dmp

Filesize
320KB

Download
memory/2044-242-0x0000000005160000-0x00000000051D6000-memory.dmp

Filesize
472KB

Download
memory/2044-241-0x0000000005810000-0x00000000059D2000-memory.dmp

Filesize
1.8MB

Download
memory/2044-229-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/2044-230-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-231-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-239-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/2044-233-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/2044-234-0x0000000077DC4000-0x0000000077DC6000-memory.dmp

Filesize
8KB

Download
memory/2044-237-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/2052-149-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-137-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/2052-145-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-147-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-138-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-151-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-139-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-153-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-167-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/2052-134-0x00000000008F0000-0x0000000000AB6000-memory.dmp

Filesize
1.8MB

Download
memory/2052-155-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-143-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-169-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/2052-157-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-135-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/2052-136-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/2052-133-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/2052-159-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-161-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-141-0x00000000053B0000-0x00000000053C5000-memory.dmp

Filesize
84KB

Download
memory/2052-162-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3824-298-0x00007FFA09680000-0x00007FFA0A0B9000-memory.dmp

Filesize
10.2MB

Download
memory/3824-285-0x00007FFA09680000-0x00007FFA0A0B9000-memory.dmp

Filesize
10.2MB

Download
memory/3888-280-0x00007FFA28EA0000-0x00007FFA28EA2000-memory.dmp

Filesize
8KB

Download
memory/3888-281-0x00007FFA09680000-0x00007FFA0A0B9000-memory.dmp

Filesize
10.2MB

Download
memory/3888-286-0x00007FFA284A0000-0x00007FFA284A2000-memory.dmp

Filesize
8KB

Download
memory/3888-290-0x00007FFA26AE0000-0x00007FFA26AE2000-memory.dmp

Filesize
8KB

Download
memory/3888-288-0x00007FFA26AD0000-0x00007FFA26AD2000-memory.dmp

Filesize
8KB

Download
memory/3888-283-0x00007FFA28490000-0x00007FFA28492000-memory.dmp

Filesize
8KB

Download
memory/3888-279-0x00007FFA28E90000-0x00007FFA28E92000-memory.dmp

Filesize
8KB

Download
memory/3888-282-0x00007FFA28EB0000-0x00007FFA28EB2000-memory.dmp

Filesize
8KB

Download
memory/4256-291-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4256-254-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-251-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-301-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-252-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-257-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4256-253-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-300-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-293-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4256-250-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4256-299-0x00000000766F0000-0x00000000767E0000-memory.dmp

Filesize
960KB

Download
memory/4952-314-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/4952-317-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/4952-313-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/4952-312-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/5104-203-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/5104-205-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download
memory/5104-240-0x0000000000440000-0x0000000000ED9000-memory.dmp

Filesize
10.6MB

Download