amadey | c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe
Size

1.1MB
MD5

26274fe67b8533068c77b7ab5af38976
SHA1

0d26933a593c4329006e5e3b7685f747f87c6e3f
SHA256

c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab
SHA512

33d48cb553fb022316e7bb7c42b0298f43c0f1c6c9a40550d9ba87050137d5b706397cbc31ad52ec8fdee2a90da2e71cfc94091d44f6b0bc908f9a17f5a529fe
SSDEEP

24576:qyrGGvIIhhYElXPjNecSYbp33HdnMSeAOtyGPr9MEQj68epVVHzuln4:xrbvIah3VPjNmYNHHdnNLO1MNj68eJSh

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4040-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4040-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4040-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4040-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/772-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t7355292.exeexplonde.exeu7289484.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	t7355292.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	u7289484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 14 IoCs

Processes:

z6040409.exez5855806.exez0665409.exez8199432.exeq6931783.exer3983525.exes7602435.exet7355292.exeexplonde.exeu7289484.exelegota.exew8461566.exeexplonde.exelegota.exe

pid	process
4776	z6040409.exe
4296	z5855806.exe
4788	z0665409.exe
4272	z8199432.exe
4508	q6931783.exe
4724	r3983525.exe
2564	s7602435.exe
4596	t7355292.exe
2616	explonde.exe
3396	u7289484.exe
3952	legota.exe
876	w8461566.exe
3216	explonde.exe
3444	legota.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exez6040409.exez5855806.exez0665409.exez8199432.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6040409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5855806.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0665409.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8199432.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q6931783.exer3983525.exes7602435.exe

description	pid	process	target process
PID 4508 set thread context of 772	4508	q6931783.exe	AppLaunch.exe
PID 4724 set thread context of 4040	4724	r3983525.exe	AppLaunch.exe
PID 2564 set thread context of 2064	2564	s7602435.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3404	4508	WerFault.exe	q6931783.exe
2388	4724	WerFault.exe	r3983525.exe
2120	4040	WerFault.exe	AppLaunch.exe
3944	2564	WerFault.exe	s7602435.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5008 schtasks.exe
4560 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

772 AppLaunch.exe
772 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 772 AppLaunch.exe

pid	process
5008	schtasks.exe
4560	schtasks.exe

pid	process
772	AppLaunch.exe
772	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	772	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exez6040409.exez5855806.exez0665409.exez8199432.exeq6931783.exer3983525.exes7602435.exet7355292.exeexplonde.exe

description	pid	process	target process
PID 2700 wrote to memory of 4776	2700	c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe	z6040409.exe
PID 2700 wrote to memory of 4776	2700	c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe	z6040409.exe
PID 2700 wrote to memory of 4776	2700	c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe	z6040409.exe
PID 4776 wrote to memory of 4296	4776	z6040409.exe	z5855806.exe
PID 4776 wrote to memory of 4296	4776	z6040409.exe	z5855806.exe
PID 4776 wrote to memory of 4296	4776	z6040409.exe	z5855806.exe
PID 4296 wrote to memory of 4788	4296	z5855806.exe	z0665409.exe
PID 4296 wrote to memory of 4788	4296	z5855806.exe	z0665409.exe
PID 4296 wrote to memory of 4788	4296	z5855806.exe	z0665409.exe
PID 4788 wrote to memory of 4272	4788	z0665409.exe	z8199432.exe
PID 4788 wrote to memory of 4272	4788	z0665409.exe	z8199432.exe
PID 4788 wrote to memory of 4272	4788	z0665409.exe	z8199432.exe
PID 4272 wrote to memory of 4508	4272	z8199432.exe	q6931783.exe
PID 4272 wrote to memory of 4508	4272	z8199432.exe	q6931783.exe
PID 4272 wrote to memory of 4508	4272	z8199432.exe	q6931783.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4508 wrote to memory of 772	4508	q6931783.exe	AppLaunch.exe
PID 4272 wrote to memory of 4724	4272	z8199432.exe	r3983525.exe
PID 4272 wrote to memory of 4724	4272	z8199432.exe	r3983525.exe
PID 4272 wrote to memory of 4724	4272	z8199432.exe	r3983525.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4724 wrote to memory of 4040	4724	r3983525.exe	AppLaunch.exe
PID 4788 wrote to memory of 2564	4788	z0665409.exe	s7602435.exe
PID 4788 wrote to memory of 2564	4788	z0665409.exe	s7602435.exe
PID 4788 wrote to memory of 2564	4788	z0665409.exe	s7602435.exe
PID 2564 wrote to memory of 3444	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 3444	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 3444	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 3856	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 3856	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 3856	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 2564 wrote to memory of 2064	2564	s7602435.exe	AppLaunch.exe
PID 4296 wrote to memory of 4596	4296	z5855806.exe	t7355292.exe
PID 4296 wrote to memory of 4596	4296	z5855806.exe	t7355292.exe
PID 4296 wrote to memory of 4596	4296	z5855806.exe	t7355292.exe
PID 4596 wrote to memory of 2616	4596	t7355292.exe	explonde.exe
PID 4596 wrote to memory of 2616	4596	t7355292.exe	explonde.exe
PID 4596 wrote to memory of 2616	4596	t7355292.exe	explonde.exe
PID 4776 wrote to memory of 3396	4776	z6040409.exe	u7289484.exe
PID 4776 wrote to memory of 3396	4776	z6040409.exe	u7289484.exe
PID 4776 wrote to memory of 3396	4776	z6040409.exe	u7289484.exe
PID 2616 wrote to memory of 4560	2616	explonde.exe	schtasks.exe
PID 2616 wrote to memory of 4560	2616	explonde.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c241af3fd9eba3f52028a34a84ce8654a8240779dee7a6579c6e658391379dab_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4272
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 572
        7⤵
        Program crash
        
        PID:3404
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983525.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983525.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 552
        8⤵
        Program crash
        
        PID:2120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 564
        7⤵
        Program crash
        
        PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7602435.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7602435.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3444
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3856
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2064
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 592
        6⤵
        Program crash
        
        PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7355292.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7355292.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:4560
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        7⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:2848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7289484.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7289484.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
      "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:3952
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:5008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:1996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        6⤵
        
        PID:1388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:264
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        6⤵
        
        PID:4832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8461566.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8461566.exe
  2⤵
  - Executes dropped EXE
  PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4508 -ip 4508
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4724 -ip 4724
1⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4040 -ip 4040
1⤵
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2564 -ip 2564
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8461566.exe

Filesize
22KB

MD5
003b09fad5a4943d6772c68f79285f37

SHA1
888d60cc1301c1529873bd9acf2825215b6c3389

SHA256
89de4de103aff7919dfc69f38d4f9fef86ba5a531cb9d13f40ad86e13d8874c2

SHA512
3ec2ae21972c79e7e459373c12b716902b6efa1af3102321543bd3610105f38efd188ec4c0b2e093bf5f5d37497b7323a592d117a25f2d7df4b3633f8049991e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8461566.exe

Filesize
22KB

MD5
003b09fad5a4943d6772c68f79285f37

SHA1
888d60cc1301c1529873bd9acf2825215b6c3389

SHA256
89de4de103aff7919dfc69f38d4f9fef86ba5a531cb9d13f40ad86e13d8874c2

SHA512
3ec2ae21972c79e7e459373c12b716902b6efa1af3102321543bd3610105f38efd188ec4c0b2e093bf5f5d37497b7323a592d117a25f2d7df4b3633f8049991e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe

Filesize
995KB

MD5
6f74ee41e3adc83375c91ce8ad937f64

SHA1
43cc9ef99c6c491d946091d10820de91cfa11c97

SHA256
6e44ef996a87d1c92fc071f150f28e97aa309b40bac2bfa9c1e3c6386b7c68bc

SHA512
1d8bb30ddd47e5b38d78e43e1bcabc8b5ba9077f8b01083cc67c9272f570b27d59f15e2c9c12bb6e41cf229dbbc67f2b64ac56783549980bf1859552bf17435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6040409.exe

Filesize
995KB

MD5
6f74ee41e3adc83375c91ce8ad937f64

SHA1
43cc9ef99c6c491d946091d10820de91cfa11c97

SHA256
6e44ef996a87d1c92fc071f150f28e97aa309b40bac2bfa9c1e3c6386b7c68bc

SHA512
1d8bb30ddd47e5b38d78e43e1bcabc8b5ba9077f8b01083cc67c9272f570b27d59f15e2c9c12bb6e41cf229dbbc67f2b64ac56783549980bf1859552bf17435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7289484.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7289484.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe

Filesize
815KB

MD5
8ec635529f533d78d1846b8199e658bc

SHA1
3add0981881a71b8976f44909e7cee9dee5ae963

SHA256
5ec43d96b29288c0388786794a673000069de2fcba85ff37a7c000fb4d020c54

SHA512
e0cd8b1505ea96405dc73b363da8704b028c7413686b4ec050ffb5f28957fd646555a4cc6462481d19e4818050114760dfb4519ae48166402fac9dfa185ab10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5855806.exe

Filesize
815KB

MD5
8ec635529f533d78d1846b8199e658bc

SHA1
3add0981881a71b8976f44909e7cee9dee5ae963

SHA256
5ec43d96b29288c0388786794a673000069de2fcba85ff37a7c000fb4d020c54

SHA512
e0cd8b1505ea96405dc73b363da8704b028c7413686b4ec050ffb5f28957fd646555a4cc6462481d19e4818050114760dfb4519ae48166402fac9dfa185ab10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7355292.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7355292.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe

Filesize
631KB

MD5
01c7f8529f7c9d3318a78dc7fd6545be

SHA1
eb0d9c4231402a2af5703dbb67fd21220a0e0aea

SHA256
bfc6a39c9791410a234aee5b40bbaafd0878d313b50634465ca54c53c07fe204

SHA512
028e7623cb767927f5495b66f216c2a34cccd91e008a77baa897fcea490d9cd40e27b0903276257ef782682dc96b720ae37b54c4d17b69d32a900f7fd572ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0665409.exe

Filesize
631KB

MD5
01c7f8529f7c9d3318a78dc7fd6545be

SHA1
eb0d9c4231402a2af5703dbb67fd21220a0e0aea

SHA256
bfc6a39c9791410a234aee5b40bbaafd0878d313b50634465ca54c53c07fe204

SHA512
028e7623cb767927f5495b66f216c2a34cccd91e008a77baa897fcea490d9cd40e27b0903276257ef782682dc96b720ae37b54c4d17b69d32a900f7fd572ed79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7602435.exe

Filesize
413KB

MD5
2afdfb09b6313832ba6fe8f2b8bdc8b9

SHA1
85e21ae1808791c7f4844daa4d9ebbf2bfda6a4d

SHA256
75ec8d50e14b278c65fe9454a3fca5f72c92d191f58884a35e1daebf94d3cddc

SHA512
8ae125a6e428dd1f7ad2de50c5ab2f00e5fe0d5d6f585eefd5e0b0d85783551170a8a65111801eecf43f399eaea0dff2f2ac56c77c6e26c2d72dfb7ca16377e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7602435.exe

Filesize
413KB

MD5
2afdfb09b6313832ba6fe8f2b8bdc8b9

SHA1
85e21ae1808791c7f4844daa4d9ebbf2bfda6a4d

SHA256
75ec8d50e14b278c65fe9454a3fca5f72c92d191f58884a35e1daebf94d3cddc

SHA512
8ae125a6e428dd1f7ad2de50c5ab2f00e5fe0d5d6f585eefd5e0b0d85783551170a8a65111801eecf43f399eaea0dff2f2ac56c77c6e26c2d72dfb7ca16377e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe

Filesize
354KB

MD5
92a5fbdcaf01e05d8f82907a78df632b

SHA1
1e0672d5f85636d5a7fd7b7467f70f01ca6aade9

SHA256
6dcbf4738524c2240f3ea8fd6e31de0cb77827e66ed7b27638f8bca8de5d79f4

SHA512
03606af800346e8708016b7779c22e576cc1f5f7f5c8dca217e6fb2a1cd89a93e4fc6a176ba30e5f25e3a0a643833622bb796003bc44508a0a2b8e0cb1c57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8199432.exe

Filesize
354KB

MD5
92a5fbdcaf01e05d8f82907a78df632b

SHA1
1e0672d5f85636d5a7fd7b7467f70f01ca6aade9

SHA256
6dcbf4738524c2240f3ea8fd6e31de0cb77827e66ed7b27638f8bca8de5d79f4

SHA512
03606af800346e8708016b7779c22e576cc1f5f7f5c8dca217e6fb2a1cd89a93e4fc6a176ba30e5f25e3a0a643833622bb796003bc44508a0a2b8e0cb1c57685

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe

Filesize
250KB

MD5
db3ee2dac8a6245e3e8209b11409cc97

SHA1
41d193bbc36ffe7ba3faefe18e58de6ec9995285

SHA256
54b654d4cab523977ce6e161855b2997989b8aa0ba27a0db48d084935af1ba6b

SHA512
61c14f494ba8b0441300520ca5e759ac2148b021e2e25103e2c3363e1a1dad4b2612f0a7867df8ecfe419fddc2cf9c1a632cb68e15d3f038ec28df8f41802878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6931783.exe

Filesize
250KB

MD5
db3ee2dac8a6245e3e8209b11409cc97

SHA1
41d193bbc36ffe7ba3faefe18e58de6ec9995285

SHA256
54b654d4cab523977ce6e161855b2997989b8aa0ba27a0db48d084935af1ba6b

SHA512
61c14f494ba8b0441300520ca5e759ac2148b021e2e25103e2c3363e1a1dad4b2612f0a7867df8ecfe419fddc2cf9c1a632cb68e15d3f038ec28df8f41802878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983525.exe

Filesize
379KB

MD5
77bad37317c4766966624e95c96eca4a

SHA1
b3b1eeb8f9850d92aa53ca06020270614d8d4387

SHA256
c88df113bfdae154ad5024aa43acc5f3bcf4c68aa16c309f704da6671e6b7e5a

SHA512
610e18ccaf0762cbb437df940b432706477e4506a997a5428ddb6c8562a932c2e3341d9c8fa3c69b497bfc279c79600cd7bcdbf0a52eacf3cd02b41f47d0d6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3983525.exe

Filesize
379KB

MD5
77bad37317c4766966624e95c96eca4a

SHA1
b3b1eeb8f9850d92aa53ca06020270614d8d4387

SHA256
c88df113bfdae154ad5024aa43acc5f3bcf4c68aa16c309f704da6671e6b7e5a

SHA512
610e18ccaf0762cbb437df940b432706477e4506a997a5428ddb6c8562a932c2e3341d9c8fa3c69b497bfc279c79600cd7bcdbf0a52eacf3cd02b41f47d0d6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/772-37-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/772-47-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/772-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/772-36-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/2064-86-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/2064-87-0x0000000004E80000-0x0000000004ECC000-memory.dmp

Filesize
304KB

Download
memory/2064-53-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/2064-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2064-89-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2064-82-0x0000000005420000-0x0000000005A38000-memory.dmp

Filesize
6.1MB

Download
memory/2064-83-0x0000000004F10000-0x000000000501A000-memory.dmp

Filesize
1.0MB

Download
memory/2064-85-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2064-84-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

Filesize
72KB

Download
memory/2064-54-0x0000000000AB0000-0x0000000000AB6000-memory.dmp

Filesize
24KB

Download
memory/2064-88-0x0000000074090000-0x0000000074840000-memory.dmp

Filesize
7.7MB

Download
memory/4040-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4040-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4040-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4040-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download