amadey | b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7

Analysis

max time kernel
189s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe
Size

1.0MB
MD5

7728d85c3179c1c528e3b7a1f0fcc951
SHA1

3c8584ade399efd68f61a750918e98bf36065b8f
SHA256

b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7
SHA512

9750077bdb06897d8d8879437a9553ff4b6cc2e0909d55180296f5d66d26470347164e05466e1eeb7cae0348b9206d4ed746739042fcea94b48d0472114d8a3d
SSDEEP

24576:by7cFFGy4ejnch3cq51wlMFJxfXycI2lUKUDJwEM:OAM7ejns3cqHfXyT2OK8

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1568-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1568-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1568-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/1568-47-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4851053.exe	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4851053.exe	healer
behavioral2/memory/3752-35-0x00000000001B0000-0x00000000001BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

q4851053.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q4851053.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q4851053.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q4851053.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q4851053.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q4851053.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q4851053.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u6268589.exelegota.exet0354810.exeexplothe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	u6268589.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	t0354810.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explothe.exe

Executes dropped EXE 14 IoCs

Processes:

z6117068.exez4072428.exez2361223.exez4586195.exeq4851053.exer4979395.exes6066985.exet0354810.exeexplothe.exeu6268589.exelegota.exew7961147.exelegota.exeexplothe.exe

pid	process
4504	z6117068.exe
4152	z4072428.exe
2396	z2361223.exe
4884	z4586195.exe
3752	q4851053.exe
3720	r4979395.exe
3804	s6066985.exe
2716	t0354810.exe
1848	explothe.exe
3376	u6268589.exe
5032	legota.exe
1104	w7961147.exe
1484	legota.exe
5108	explothe.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

q4851053.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q4851053.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q4851053.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exez6117068.exez4072428.exez2361223.exez4586195.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6117068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4072428.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2361223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4586195.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

r4979395.exes6066985.exe

description	pid	process	target process
PID 3720 set thread context of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3804 set thread context of 1560	3804	s6066985.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1476 1568 WerFault.exe AppLaunch.exe
5064 3720 WerFault.exe r4979395.exe
4920 3804 WerFault.exe s6066985.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2020 schtasks.exe
3492 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

q4851053.exe

pid process

3752 q4851053.exe
3752 q4851053.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

q4851053.exe

description pid process

Token: SeDebugPrivilege 3752 q4851053.exe

pid	pid_target	process	target process
1476	1568	WerFault.exe	AppLaunch.exe
5064	3720	WerFault.exe	r4979395.exe
4920	3804	WerFault.exe	s6066985.exe

pid	process
2020	schtasks.exe
3492	schtasks.exe

pid	process
3752	q4851053.exe
3752	q4851053.exe

description	pid	process
Token: SeDebugPrivilege	3752	q4851053.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exez6117068.exez4072428.exez2361223.exez4586195.exer4979395.exes6066985.exet0354810.exeexplothe.exeu6268589.execmd.exe

description	pid	process	target process
PID 4036 wrote to memory of 4504	4036	b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe	z6117068.exe
PID 4036 wrote to memory of 4504	4036	b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe	z6117068.exe
PID 4036 wrote to memory of 4504	4036	b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe	z6117068.exe
PID 4504 wrote to memory of 4152	4504	z6117068.exe	z4072428.exe
PID 4504 wrote to memory of 4152	4504	z6117068.exe	z4072428.exe
PID 4504 wrote to memory of 4152	4504	z6117068.exe	z4072428.exe
PID 4152 wrote to memory of 2396	4152	z4072428.exe	z2361223.exe
PID 4152 wrote to memory of 2396	4152	z4072428.exe	z2361223.exe
PID 4152 wrote to memory of 2396	4152	z4072428.exe	z2361223.exe
PID 2396 wrote to memory of 4884	2396	z2361223.exe	z4586195.exe
PID 2396 wrote to memory of 4884	2396	z2361223.exe	z4586195.exe
PID 2396 wrote to memory of 4884	2396	z2361223.exe	z4586195.exe
PID 4884 wrote to memory of 3752	4884	z4586195.exe	q4851053.exe
PID 4884 wrote to memory of 3752	4884	z4586195.exe	q4851053.exe
PID 4884 wrote to memory of 3720	4884	z4586195.exe	r4979395.exe
PID 4884 wrote to memory of 3720	4884	z4586195.exe	r4979395.exe
PID 4884 wrote to memory of 3720	4884	z4586195.exe	r4979395.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 3720 wrote to memory of 1568	3720	r4979395.exe	AppLaunch.exe
PID 2396 wrote to memory of 3804	2396	z2361223.exe	s6066985.exe
PID 2396 wrote to memory of 3804	2396	z2361223.exe	s6066985.exe
PID 2396 wrote to memory of 3804	2396	z2361223.exe	s6066985.exe
PID 3804 wrote to memory of 3100	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 3100	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 3100	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 3804 wrote to memory of 1560	3804	s6066985.exe	AppLaunch.exe
PID 4152 wrote to memory of 2716	4152	z4072428.exe	t0354810.exe
PID 4152 wrote to memory of 2716	4152	z4072428.exe	t0354810.exe
PID 4152 wrote to memory of 2716	4152	z4072428.exe	t0354810.exe
PID 2716 wrote to memory of 1848	2716	t0354810.exe	explothe.exe
PID 2716 wrote to memory of 1848	2716	t0354810.exe	explothe.exe
PID 2716 wrote to memory of 1848	2716	t0354810.exe	explothe.exe
PID 4504 wrote to memory of 3376	4504	z6117068.exe	u6268589.exe
PID 4504 wrote to memory of 3376	4504	z6117068.exe	u6268589.exe
PID 4504 wrote to memory of 3376	4504	z6117068.exe	u6268589.exe
PID 1848 wrote to memory of 2020	1848	explothe.exe	schtasks.exe
PID 1848 wrote to memory of 2020	1848	explothe.exe	schtasks.exe
PID 1848 wrote to memory of 2020	1848	explothe.exe	schtasks.exe
PID 1848 wrote to memory of 2068	1848	explothe.exe	cmd.exe
PID 1848 wrote to memory of 2068	1848	explothe.exe	cmd.exe
PID 1848 wrote to memory of 2068	1848	explothe.exe	cmd.exe
PID 3376 wrote to memory of 5032	3376	u6268589.exe	legota.exe
PID 3376 wrote to memory of 5032	3376	u6268589.exe	legota.exe
PID 3376 wrote to memory of 5032	3376	u6268589.exe	legota.exe
PID 2068 wrote to memory of 2092	2068	cmd.exe	cmd.exe
PID 2068 wrote to memory of 2092	2068	cmd.exe	cmd.exe
PID 2068 wrote to memory of 2092	2068	cmd.exe	cmd.exe
PID 4036 wrote to memory of 1104	4036	b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe	w7961147.exe
PID 4036 wrote to memory of 1104	4036	b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe	w7961147.exe

C:\Users\Admin\AppData\Local\Temp\b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe
"C:\Users\Admin\AppData\Local\Temp\b924015bd915b095874c8b514c0c6da46eaad54b2fb9ef263b74df992691b7d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6117068.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6117068.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4072428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4072428.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2361223.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2361223.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4586195.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4586195.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4851053.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4851053.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4979395.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4979395.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 540
8⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 588
7⤵
- Program crash
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6066985.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6066985.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 584
6⤵
- Program crash
PID:4920

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0354810.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0354810.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2092

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:2356

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1248

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6268589.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6268589.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:3492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4656

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:3772

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1684

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:2392

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7961147.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7961147.exe
2⤵
- Executes dropped EXE
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3720 -ip 3720
1⤵
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1568 -ip 1568
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3804 -ip 3804
1⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7961147.exe
Filesize
23KB

MD5
e0d57ca8430d7a01576ed6d0428027ae

SHA1
581a31a60f469ac1a11956e0f9288935b5e434bc

SHA256
cbe0ecd3a5f267db9548455f04a6187d30891f648065a255f91f1553a09034ba

SHA512
ae2580d740d207eac49f93ce9e113a20e6e1233c85f514ce1f3fb7f844a10bdd1221a8cb1fa9ea718327d6d919cb1b744f7d980da2a32378a2a0375f65e8dc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7961147.exe
Filesize
23KB

MD5
e0d57ca8430d7a01576ed6d0428027ae

SHA1
581a31a60f469ac1a11956e0f9288935b5e434bc

SHA256
cbe0ecd3a5f267db9548455f04a6187d30891f648065a255f91f1553a09034ba

SHA512
ae2580d740d207eac49f93ce9e113a20e6e1233c85f514ce1f3fb7f844a10bdd1221a8cb1fa9ea718327d6d919cb1b744f7d980da2a32378a2a0375f65e8dc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6117068.exe
Filesize
971KB

MD5
979dd1bc70ab151ca2c1f7a594684af4

SHA1
40b5569f5c6532b029eb5574cf420a17680c450e

SHA256
a8412533d968fa5e1c3cbaf7206443d0957718bfe3d4586d584d26bb2791724c

SHA512
98a44eaa5443724a772fe73c99962a646cbd128d57262cc3602c9d0062992ddb95fa96b441e960764cf82b601027266c59b4b423705a5dc0e082618dd32fb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6117068.exe
Filesize
971KB

MD5
979dd1bc70ab151ca2c1f7a594684af4

SHA1
40b5569f5c6532b029eb5574cf420a17680c450e

SHA256
a8412533d968fa5e1c3cbaf7206443d0957718bfe3d4586d584d26bb2791724c

SHA512
98a44eaa5443724a772fe73c99962a646cbd128d57262cc3602c9d0062992ddb95fa96b441e960764cf82b601027266c59b4b423705a5dc0e082618dd32fb4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6268589.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u6268589.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4072428.exe
Filesize
788KB

MD5
5c48635d34c92b91292bb3be72ecca7e

SHA1
fe63e69a487b4284fbe252ad7ba06b349988f065

SHA256
1490f4d666b7df8b9355ad04cf77a7c6614ee8f5ee73bf50e8f4c5de7be36c54

SHA512
741598865283aed5459cf84fe2769174e545449ca7a1a5c54b5f116f7386c00f41dbc0246098fdcff9c8952c94c06b337ba4156fa88c3a839a2a0ff623b42b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4072428.exe
Filesize
788KB

MD5
5c48635d34c92b91292bb3be72ecca7e

SHA1
fe63e69a487b4284fbe252ad7ba06b349988f065

SHA256
1490f4d666b7df8b9355ad04cf77a7c6614ee8f5ee73bf50e8f4c5de7be36c54

SHA512
741598865283aed5459cf84fe2769174e545449ca7a1a5c54b5f116f7386c00f41dbc0246098fdcff9c8952c94c06b337ba4156fa88c3a839a2a0ff623b42b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0354810.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0354810.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2361223.exe
Filesize
606KB

MD5
801265ef08603afc68a3d33f68b06067

SHA1
1aae42cd56952b03d56f06c55acc7eb7df7e0a00

SHA256
8835fed171e308b912ecf1a28fb71ce351597b78d2b236bec88e79f5d4c53d63

SHA512
60865d3712b108a423bd6ce9249d894d88da751ceb792b93cc8a52cf9a6039aea96b5fe9f5ab03beca299b3441c52ec3902729ed90ae44a40cf409bd8e8bd9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2361223.exe
Filesize
606KB

MD5
801265ef08603afc68a3d33f68b06067

SHA1
1aae42cd56952b03d56f06c55acc7eb7df7e0a00

SHA256
8835fed171e308b912ecf1a28fb71ce351597b78d2b236bec88e79f5d4c53d63

SHA512
60865d3712b108a423bd6ce9249d894d88da751ceb792b93cc8a52cf9a6039aea96b5fe9f5ab03beca299b3441c52ec3902729ed90ae44a40cf409bd8e8bd9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6066985.exe
Filesize
390KB

MD5
59d97fbb422e22a032b2f2bf87725ee4

SHA1
29815aaf57a077ad5235f055b29344ef57061290

SHA256
c30afb63caaa5ee80a19be32a2276635431ec356c3c5a65cb055da07c4c9a35d

SHA512
9d1075143370b83ceb51d831914e4e180cdd932332cfc700b7f38983a2489248f303746857887e7a029fb1d12928cddefde0e8ffe8220684eb5d6f186e42fcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6066985.exe
Filesize
390KB

MD5
59d97fbb422e22a032b2f2bf87725ee4

SHA1
29815aaf57a077ad5235f055b29344ef57061290

SHA256
c30afb63caaa5ee80a19be32a2276635431ec356c3c5a65cb055da07c4c9a35d

SHA512
9d1075143370b83ceb51d831914e4e180cdd932332cfc700b7f38983a2489248f303746857887e7a029fb1d12928cddefde0e8ffe8220684eb5d6f186e42fcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4586195.exe
Filesize
335KB

MD5
430b21c353c17e99bf8f16b012e3b8b5

SHA1
8cd5df5e88243df0895aa04f28bd94d938380526

SHA256
c1f4a9e5175b5d6649e2df6d3386bcb9519675fae85f78669d8a1e02f805d86f

SHA512
6dcef76b6ce7a93fd3a3190e4a2308982d08b9b0e5c64cdf3e8208812d740ff9318ff0dec4b3b0c652e0dbad91cc103df819e11dd6d14c61e8d30b727b12ed35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4586195.exe
Filesize
335KB

MD5
430b21c353c17e99bf8f16b012e3b8b5

SHA1
8cd5df5e88243df0895aa04f28bd94d938380526

SHA256
c1f4a9e5175b5d6649e2df6d3386bcb9519675fae85f78669d8a1e02f805d86f

SHA512
6dcef76b6ce7a93fd3a3190e4a2308982d08b9b0e5c64cdf3e8208812d740ff9318ff0dec4b3b0c652e0dbad91cc103df819e11dd6d14c61e8d30b727b12ed35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4851053.exe
Filesize
11KB

MD5
065fb3242b553a6e5080896d1a146c9d

SHA1
8e847e2b5ae78eb74a3fbeff90d2d1cd0eb093e1

SHA256
73a21ab58bd81bbbcda515fd96051f9e7beffb973ffbd1e450f8093b5ca089dd

SHA512
d52aa7d166cb6aed2bab1165fcda5f9fed1497ebe72f91a87181e8cd64762d367620af3642d6c889a3bb001c75ffcf6a74f8ef0ab0a8bf9ba1047b32049dc635

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4851053.exe
Filesize
11KB

MD5
065fb3242b553a6e5080896d1a146c9d

SHA1
8e847e2b5ae78eb74a3fbeff90d2d1cd0eb093e1

SHA256
73a21ab58bd81bbbcda515fd96051f9e7beffb973ffbd1e450f8093b5ca089dd

SHA512
d52aa7d166cb6aed2bab1165fcda5f9fed1497ebe72f91a87181e8cd64762d367620af3642d6c889a3bb001c75ffcf6a74f8ef0ab0a8bf9ba1047b32049dc635

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4979395.exe
Filesize
356KB

MD5
e374bc8ee89de0b46d1d865d0074d05c

SHA1
36579160a434af19cc7ac62933f959d51dd1abd0

SHA256
a2565a611ba8e9199ca10f72ffaaa85102b81c38d78298d4c710d179d9988355

SHA512
e5f8bd1bf864a97315582bcc9ea8c1b242e35c601c972f37e744e1d8bf9083b31e7f438df128963f084235b97ef21addcbe3e77893805afbf5d7c634031c3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r4979395.exe
Filesize
356KB

MD5
e374bc8ee89de0b46d1d865d0074d05c

SHA1
36579160a434af19cc7ac62933f959d51dd1abd0

SHA256
a2565a611ba8e9199ca10f72ffaaa85102b81c38d78298d4c710d179d9988355

SHA512
e5f8bd1bf864a97315582bcc9ea8c1b242e35c601c972f37e744e1d8bf9083b31e7f438df128963f084235b97ef21addcbe3e77893805afbf5d7c634031c3903

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
memory/1560-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1560-84-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/1560-52-0x0000000073820000-0x0000000073FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1560-88-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/1560-87-0x0000000005670000-0x00000000056BC000-memory.dmp

Filesize
304KB

Download
memory/1560-86-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/1560-58-0x0000000001470000-0x0000000001476000-memory.dmp

Filesize
24KB

Download
memory/1560-85-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/1560-80-0x0000000073820000-0x0000000073FD0000-memory.dmp

Filesize
7.7MB

Download
memory/1560-81-0x0000000005BF0000-0x0000000006208000-memory.dmp

Filesize
6.1MB

Download
memory/1560-82-0x00000000056E0000-0x00000000057EA000-memory.dmp

Filesize
1.0MB

Download
memory/1568-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1568-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1568-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1568-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3752-37-0x00007FFE21350000-0x00007FFE21E11000-memory.dmp

Filesize
10.8MB

Download
memory/3752-39-0x00007FFE21350000-0x00007FFE21E11000-memory.dmp

Filesize
10.8MB

Download
memory/3752-36-0x00007FFE21350000-0x00007FFE21E11000-memory.dmp

Filesize
10.8MB

Download
memory/3752-35-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download