amadey | 90c0d478be8fcbd302388636ee0095355bf2b42b0505e73b9f66b7431e6f777e

Analysis

max time kernel
298s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29-07-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup+Crack+Keygen.exe
Size

4.8MB
MD5

9b22550dbf9d6c659d818ed5f6597347
SHA1

c8e2c16675a72cc73fb0de1246d0fb5c74b703e8
SHA256

90c0d478be8fcbd302388636ee0095355bf2b42b0505e73b9f66b7431e6f777e
SHA512

fdae73f6601d00d64548eac7740fbaa5e954d78628c89bd7264071c4f206296106ca829733962d795bcdd7fa9f1ecf0a6448096a388f021901e96d6710b18012
SSDEEP

98304:j1bPn9bdcp5b4gMReIneNbp8SEP6vyT4gbTx:BbfW5kgMReInui8Wj5

Score

10^/10

amadey lumma sectoprat systembc discovery evasion persistence rat spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

amadey

Version

3.85

45.9.74.166/b7djSDcPcZ/index.php

45.9.74.141/b7djSDcPcZ/index.php

Extracted

Family

systembc

5.42.65.67:4298

localhost.exchange:4298

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4264-232-0x0000000076130000-0x0000000076220000-memory.dmp	family_sectoprat
behavioral2/memory/3756-234-0x0000000000400000-0x0000000000B26000-memory.dmp	family_sectoprat
behavioral2/memory/4264-247-0x0000000000400000-0x0000000000B26000-memory.dmp	family_sectoprat

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

BR.exeBR.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BR.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ BR.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

106 2684 rundll32.exe
108 4516 rundll32.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BR.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BR.exe

flow	pid	process
106	2684	rundll32.exe
108	4516	rundll32.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2824-134-0x0000000000070000-0x000000000054A000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BR.exeBR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BR.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BR.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rpxeeqtckqaqcvirh.exebstyoops.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	rpxeeqtckqaqcvirh.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	bstyoops.exe

Executes dropped EXE 8 IoCs

Processes:

rpxeeqtckqaqcvirh.exebstyoops.exeBR.exeBR.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exe

pid process

1712 rpxeeqtckqaqcvirh.exe
4760 bstyoops.exe
3756 BR.exe
4264 BR.exe
2628 bstyoops.exe
3620 bstyoops.exe
4844 bstyoops.exe
4780 bstyoops.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4212 rundll32.exe
2684 rundll32.exe
3936 rundll32.exe
4516 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1712	rpxeeqtckqaqcvirh.exe
4760	bstyoops.exe
3756	BR.exe
4264	BR.exe
2628	bstyoops.exe
3620	bstyoops.exe
4844	bstyoops.exe
4780	bstyoops.exe

pid	process
4212	rundll32.exe
2684	rundll32.exe
3936	rundll32.exe
4516	rundll32.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe	themida
behavioral2/memory/3756-234-0x0000000000400000-0x0000000000B26000-memory.dmp	themida
behavioral2/memory/4264-247-0x0000000000400000-0x0000000000B26000-memory.dmp	themida

VMProtect packed file 26 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rpxeeqtckqaqcvirh.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\rpxeeqtckqaqcvirh.exe	vmprotect
behavioral2/memory/1712-179-0x00000000002C0000-0x0000000000CC0000-memory.dmp	vmprotect
behavioral2/memory/1712-178-0x00000000002C0000-0x0000000000CC0000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/1712-195-0x00000000002C0000-0x0000000000CC0000-memory.dmp	vmprotect
behavioral2/memory/4760-198-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/4760-197-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/4760-227-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/2628-298-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/2628-299-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/2628-302-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/3620-317-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/3620-318-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/3620-321-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4844-337-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/4844-336-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/4844-340-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe	vmprotect
behavioral2/memory/4780-354-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect
behavioral2/memory/4780-359-0x0000000000360000-0x0000000000D60000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

bstyoops.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BR.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000057051\\BR.exe"	bstyoops.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sv64.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000058061\\sv64.dll, rundll"	bstyoops.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

BR.exeBR.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BR.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BR.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

BR.exeBR.exe

pid process

3756 BR.exe
4264 BR.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup+Crack+Keygen.exe

description pid process target process

PID 2824 set thread context of 1256 2824 Setup+Crack+Keygen.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3876 schtasks.exe

pid	process
3756	BR.exe
4264	BR.exe

description	pid	process	target process
PID 2824 set thread context of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe

pid	process
3876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

aspnet_compiler.exerpxeeqtckqaqcvirh.exebstyoops.exeBR.exeBR.exerundll32.exerundll32.exebstyoops.exebstyoops.exebstyoops.exebstyoops.exe

pid	process
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1256	aspnet_compiler.exe
1712	rpxeeqtckqaqcvirh.exe
1712	rpxeeqtckqaqcvirh.exe
4760	bstyoops.exe
4760	bstyoops.exe
3756	BR.exe
3756	BR.exe
4264	BR.exe
4264	BR.exe
2684	rundll32.exe
2684	rundll32.exe
4516	rundll32.exe
4516	rundll32.exe
2628	bstyoops.exe
2628	bstyoops.exe
3620	bstyoops.exe
3620	bstyoops.exe
4844	bstyoops.exe
4844	bstyoops.exe
4780	bstyoops.exe
4780	bstyoops.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Setup+Crack+Keygen.exe

description pid process

Token: SeDebugPrivilege 2824 Setup+Crack+Keygen.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rpxeeqtckqaqcvirh.exe

pid process

1712 rpxeeqtckqaqcvirh.exe

description	pid	process
Token: SeDebugPrivilege	2824	Setup+Crack+Keygen.exe

pid	process
1712	rpxeeqtckqaqcvirh.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

Setup+Crack+Keygen.exeaspnet_compiler.exerpxeeqtckqaqcvirh.exebstyoops.execmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 2824 wrote to memory of 1256	2824	Setup+Crack+Keygen.exe	aspnet_compiler.exe
PID 1256 wrote to memory of 1712	1256	aspnet_compiler.exe	rpxeeqtckqaqcvirh.exe
PID 1256 wrote to memory of 1712	1256	aspnet_compiler.exe	rpxeeqtckqaqcvirh.exe
PID 1256 wrote to memory of 1712	1256	aspnet_compiler.exe	rpxeeqtckqaqcvirh.exe
PID 1712 wrote to memory of 4760	1712	rpxeeqtckqaqcvirh.exe	bstyoops.exe
PID 1712 wrote to memory of 4760	1712	rpxeeqtckqaqcvirh.exe	bstyoops.exe
PID 1712 wrote to memory of 4760	1712	rpxeeqtckqaqcvirh.exe	bstyoops.exe
PID 4760 wrote to memory of 3876	4760	bstyoops.exe	schtasks.exe
PID 4760 wrote to memory of 3876	4760	bstyoops.exe	schtasks.exe
PID 4760 wrote to memory of 3876	4760	bstyoops.exe	schtasks.exe
PID 4760 wrote to memory of 3248	4760	bstyoops.exe	cmd.exe
PID 4760 wrote to memory of 3248	4760	bstyoops.exe	cmd.exe
PID 4760 wrote to memory of 3248	4760	bstyoops.exe	cmd.exe
PID 3248 wrote to memory of 4640	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 4640	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 4640	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 4728	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 4728	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 4728	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 4512	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 4512	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 4512	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 2316	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 2316	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 2316	3248	cmd.exe	cmd.exe
PID 3248 wrote to memory of 3588	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 3588	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 3588	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 3600	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 3600	3248	cmd.exe	cacls.exe
PID 3248 wrote to memory of 3600	3248	cmd.exe	cacls.exe
PID 4760 wrote to memory of 3756	4760	bstyoops.exe	BR.exe
PID 4760 wrote to memory of 3756	4760	bstyoops.exe	BR.exe
PID 4760 wrote to memory of 3756	4760	bstyoops.exe	BR.exe
PID 4760 wrote to memory of 4264	4760	bstyoops.exe	BR.exe
PID 4760 wrote to memory of 4264	4760	bstyoops.exe	BR.exe
PID 4760 wrote to memory of 4264	4760	bstyoops.exe	BR.exe
PID 4760 wrote to memory of 4212	4760	bstyoops.exe	rundll32.exe
PID 4760 wrote to memory of 4212	4760	bstyoops.exe	rundll32.exe
PID 4760 wrote to memory of 4212	4760	bstyoops.exe	rundll32.exe
PID 4212 wrote to memory of 2684	4212	rundll32.exe	rundll32.exe
PID 4212 wrote to memory of 2684	4212	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 3936	4760	bstyoops.exe	rundll32.exe
PID 4760 wrote to memory of 3936	4760	bstyoops.exe	rundll32.exe
PID 4760 wrote to memory of 3936	4760	bstyoops.exe	rundll32.exe
PID 3936 wrote to memory of 4516	3936	rundll32.exe	rundll32.exe
PID 3936 wrote to memory of 4516	3936	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\Setup+Crack+Keygen.exe
"C:\Users\Admin\AppData\Local\Temp\Setup+Crack+Keygen.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\rpxeeqtckqaqcvirh.exe
"C:\Users\Admin\AppData\Local\Temp\rpxeeqtckqaqcvirh.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
5⤵
- Creates scheduled task(s)
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4640

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
6⤵
PID:4728

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
6⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2316

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
6⤵
PID:3588

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
6⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3756

C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
"C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll, rundll
6⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4516

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000057051\BR.exe
Filesize
2.7MB

MD5
c895da0796fc8d1b87c7212ef1e5b0b7

SHA1
fec2e8a4abb488becf72f53076c5f126859ce254

SHA256
38cea09d4c4dece3982e20ff62507dc63c20a5f76f9369156ab0faf0a12eb689

SHA512
4cf7d2cab0ca79e5aefa8f8c12d76c7e4f2312da157c90a53e2c3c03fe5381db40dc31226b5c9fa3b96d632d1ac4d65891f8a9f4bef5c85084781729ef8dea99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058061\sv64.dll
Filesize
6.3MB

MD5
8cf53c2e44bb0ef6483736ded6e4c93b

SHA1
911902a9efba718fb3261d0fd542b30d8b924999

SHA256
a2c10b5d95151fefb06479bdf202bbce96a8f0a2db6398b6d4a34d6d2a1784dc

SHA512
1fb38d945fa58affca97e715175961a3d4222614ceb7850323f3a86371d1fa5c874978eabee26239e1b1ed30ad0a6126fc2151cf135b046dd62d9b173cceb62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpxeeqtckqaqcvirh.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpxeeqtckqaqcvirh.exe
Filesize
6.5MB

MD5
7af7284a37272c65e64b2deb41f6aed9

SHA1
c82659430ea52e5c9950811ca5aeea129c1979cc

SHA256
0eb30e2c25357b3fec262f5dea83c92a7236337dd87dd3fe06ac8e8d5e205d04

SHA512
4522c233933c8287bb10807508e98be615025f9ec614ac1f4928822fcbb98e50a0b09f43f688333e61a7da00ab156cbd747a19aba580c91db5bc4a759c9dabcc

Download Submit
memory/1256-166-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1256-171-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1256-165-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1256-176-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1256-167-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1256-168-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1712-195-0x00000000002C0000-0x0000000000CC0000-memory.dmp

Filesize
10.0MB

Download
memory/1712-177-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/1712-179-0x00000000002C0000-0x0000000000CC0000-memory.dmp

Filesize
10.0MB

Download
memory/1712-178-0x00000000002C0000-0x0000000000CC0000-memory.dmp

Filesize
10.0MB

Download
memory/2628-302-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/2628-299-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/2628-298-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/2628-297-0x00000000013C0000-0x00000000013C1000-memory.dmp

Filesize
4KB

Download
memory/2684-274-0x00007FFD86CA0000-0x00007FFD876D9000-memory.dmp

Filesize
10.2MB

Download
memory/2684-282-0x00007FFD86CA0000-0x00007FFD876D9000-memory.dmp

Filesize
10.2MB

Download
memory/2684-275-0x00007FFDA5F50000-0x00007FFDA5F52000-memory.dmp

Filesize
8KB

Download
memory/2684-276-0x00007FFDA5F60000-0x00007FFDA5F62000-memory.dmp

Filesize
8KB

Download
memory/2684-277-0x00007FFDA5F70000-0x00007FFDA5F72000-memory.dmp

Filesize
8KB

Download
memory/2684-278-0x00007FFDA52C0000-0x00007FFDA52C2000-memory.dmp

Filesize
8KB

Download
memory/2684-279-0x00007FFDA52D0000-0x00007FFDA52D2000-memory.dmp

Filesize
8KB

Download
memory/2684-280-0x00007FFDA3DA0000-0x00007FFDA3DA2000-memory.dmp

Filesize
8KB

Download
memory/2684-281-0x00007FFDA3DB0000-0x00007FFDA3DB2000-memory.dmp

Filesize
8KB

Download
memory/2824-155-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-133-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2824-159-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-161-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-145-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-135-0x0000000004EC0000-0x0000000004F5C000-memory.dmp

Filesize
624KB

Download
memory/2824-136-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2824-143-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-134-0x0000000000070000-0x000000000054A000-memory.dmp

Filesize
4.9MB

Download
memory/2824-163-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-137-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2824-157-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-164-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2824-147-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-149-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-151-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-153-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-141-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-140-0x0000000004E40000-0x0000000004E55000-memory.dmp

Filesize
84KB

Download
memory/2824-139-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2824-170-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2824-138-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3620-318-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/3620-316-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3620-321-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/3620-317-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/3756-245-0x00000000066D0000-0x0000000006BFC000-memory.dmp

Filesize
5.2MB

Download
memory/3756-237-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/3756-254-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-246-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/3756-244-0x0000000006240000-0x0000000006278000-memory.dmp

Filesize
224KB

Download
memory/3756-243-0x0000000006210000-0x000000000623E000-memory.dmp

Filesize
184KB

Download
memory/3756-242-0x00000000059C0000-0x0000000005A26000-memory.dmp

Filesize
408KB

Download
memory/3756-241-0x0000000005950000-0x00000000059A0000-memory.dmp

Filesize
320KB

Download
memory/3756-240-0x0000000005120000-0x0000000005196000-memory.dmp

Filesize
472KB

Download
memory/3756-239-0x0000000005780000-0x0000000005942000-memory.dmp

Filesize
1.8MB

Download
memory/3756-238-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/3756-253-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-234-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/3756-233-0x0000000077444000-0x0000000077446000-memory.dmp

Filesize
8KB

Download
memory/3756-251-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-250-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-225-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-224-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-223-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-222-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/3756-220-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/3756-249-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4264-257-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4264-261-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4264-259-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4264-258-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4264-256-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4264-247-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4264-232-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4264-230-0x0000000076130000-0x0000000076220000-memory.dmp

Filesize
960KB

Download
memory/4264-228-0x0000000000400000-0x0000000000B26000-memory.dmp

Filesize
7.1MB

Download
memory/4516-285-0x00007FFD86CA0000-0x00007FFD876D9000-memory.dmp

Filesize
10.2MB

Download
memory/4516-293-0x00007FFD86CA0000-0x00007FFD876D9000-memory.dmp

Filesize
10.2MB

Download
memory/4760-227-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4760-197-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4760-198-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4760-196-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/4780-354-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4780-355-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/4780-359-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4844-337-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4844-336-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download
memory/4844-340-0x0000000000360000-0x0000000000D60000-memory.dmp

Filesize
10.0MB

Download