amadey | 1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25

Analysis

max time kernel
137s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe
Size

1.3MB
MD5

24093f53ce85a07f5e242cc36338405b
SHA1

4d6b0f296b7f1f767cb06d2bd14d132dde53af65
SHA256

1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25
SHA512

f0b2f3f188a43c0d52a82e159aa9c7d443d7c11c59c9fa103877bf0a0444af8669581f769697278e1c0718592079569049568c06e82ce9e52a34e6a5d8fae173
SSDEEP

24576:yyzHjZLai+xzIk6pcEGZeookeDyYf5xfOf1IZNzxximQn7ewt64hYc9+o1J:ZzHjshxzOpcE8ffe5IINdximQn7/t6wD

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3396-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3396-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3396-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/3396-47-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2620-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t0995080.exeexplonde.exeu3046785.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	t0995080.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	u3046785.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 14 IoCs

Processes:

z4145161.exez8008338.exez0112339.exez3637490.exeq9806813.exer1461291.exes4242394.exet0995080.exeexplonde.exeu3046785.exelegota.exew3671454.exelegota.exeexplonde.exe

pid	process
3268	z4145161.exe
996	z8008338.exe
732	z0112339.exe
1972	z3637490.exe
3592	q9806813.exe
1884	r1461291.exe
4752	s4242394.exe
4332	t0995080.exe
632	explonde.exe
3816	u3046785.exe
2852	legota.exe
4776	w3671454.exe
4588	legota.exe
1968	explonde.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z3637490.exe1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exez4145161.exez8008338.exez0112339.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z3637490.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4145161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8008338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0112339.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q9806813.exer1461291.exes4242394.exe

description	pid	process	target process
PID 3592 set thread context of 2620	3592	q9806813.exe	AppLaunch.exe
PID 1884 set thread context of 3396	1884	r1461291.exe	AppLaunch.exe
PID 4752 set thread context of 4864	4752	s4242394.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1520	3592	WerFault.exe	q9806813.exe
5092	1884	WerFault.exe	r1461291.exe
2056	3396	WerFault.exe	AppLaunch.exe
1868	4752	WerFault.exe	s4242394.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2804 schtasks.exe
3616 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2620 AppLaunch.exe
2620 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2620 AppLaunch.exe

pid	process
2804	schtasks.exe
3616	schtasks.exe

pid	process
2620	AppLaunch.exe
2620	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2620	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exez4145161.exez8008338.exez0112339.exez3637490.exeq9806813.exer1461291.exes4242394.exet0995080.exeexplonde.exe

description	pid	process	target process
PID 756 wrote to memory of 3268	756	1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe	z4145161.exe
PID 756 wrote to memory of 3268	756	1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe	z4145161.exe
PID 756 wrote to memory of 3268	756	1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe	z4145161.exe
PID 3268 wrote to memory of 996	3268	z4145161.exe	z8008338.exe
PID 3268 wrote to memory of 996	3268	z4145161.exe	z8008338.exe
PID 3268 wrote to memory of 996	3268	z4145161.exe	z8008338.exe
PID 996 wrote to memory of 732	996	z8008338.exe	z0112339.exe
PID 996 wrote to memory of 732	996	z8008338.exe	z0112339.exe
PID 996 wrote to memory of 732	996	z8008338.exe	z0112339.exe
PID 732 wrote to memory of 1972	732	z0112339.exe	z3637490.exe
PID 732 wrote to memory of 1972	732	z0112339.exe	z3637490.exe
PID 732 wrote to memory of 1972	732	z0112339.exe	z3637490.exe
PID 1972 wrote to memory of 3592	1972	z3637490.exe	q9806813.exe
PID 1972 wrote to memory of 3592	1972	z3637490.exe	q9806813.exe
PID 1972 wrote to memory of 3592	1972	z3637490.exe	q9806813.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 3592 wrote to memory of 2620	3592	q9806813.exe	AppLaunch.exe
PID 1972 wrote to memory of 1884	1972	z3637490.exe	r1461291.exe
PID 1972 wrote to memory of 1884	1972	z3637490.exe	r1461291.exe
PID 1972 wrote to memory of 1884	1972	z3637490.exe	r1461291.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 1884 wrote to memory of 3396	1884	r1461291.exe	AppLaunch.exe
PID 732 wrote to memory of 4752	732	z0112339.exe	s4242394.exe
PID 732 wrote to memory of 4752	732	z0112339.exe	s4242394.exe
PID 732 wrote to memory of 4752	732	z0112339.exe	s4242394.exe
PID 4752 wrote to memory of 2284	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 2284	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 2284	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4760	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4760	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4760	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 4752 wrote to memory of 4864	4752	s4242394.exe	AppLaunch.exe
PID 996 wrote to memory of 4332	996	z8008338.exe	t0995080.exe
PID 996 wrote to memory of 4332	996	z8008338.exe	t0995080.exe
PID 996 wrote to memory of 4332	996	z8008338.exe	t0995080.exe
PID 4332 wrote to memory of 632	4332	t0995080.exe	explonde.exe
PID 4332 wrote to memory of 632	4332	t0995080.exe	explonde.exe
PID 4332 wrote to memory of 632	4332	t0995080.exe	explonde.exe
PID 3268 wrote to memory of 3816	3268	z4145161.exe	u3046785.exe
PID 3268 wrote to memory of 3816	3268	z4145161.exe	u3046785.exe
PID 3268 wrote to memory of 3816	3268	z4145161.exe	u3046785.exe
PID 632 wrote to memory of 2804	632	explonde.exe	schtasks.exe
PID 632 wrote to memory of 2804	632	explonde.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe
"C:\Users\Admin\AppData\Local\Temp\1ef0525048f5170853764b4d46f63b57c89ab26b14610f16bc9506a44fd9eb25.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4145161.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4145161.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3268

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8008338.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8008338.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:996

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0112339.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0112339.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:732

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3637490.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3637490.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9806813.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9806813.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 152
7⤵
- Program crash
PID:1520

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1461291.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1461291.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 540
8⤵
- Program crash
PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 148
7⤵
- Program crash
PID:5092

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4242394.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4242394.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 136
6⤵
- Program crash
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0995080.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0995080.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:5068

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:3236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2780

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5028

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:2648

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:1484

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:2804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3046785.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3046785.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:3816

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:2852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:3616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4480

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:4016

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1908

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:3900

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3671454.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3671454.exe
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3592 -ip 3592
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1884 -ip 1884
1⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3396 -ip 3396
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4752 -ip 4752
1⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3671454.exe
Filesize
22KB

MD5
8bab3f03dccb65e8cca773e6e2e3fc97

SHA1
08644c0c1b32f04fb78957e3f31e625169815b4f

SHA256
c413302fb7d8bec3f64b6956b6cf2a2499b57a5e5486da2e6e7d6d73452071e4

SHA512
7fb18f6ca25d94bed389f64cc45bae0f8c9c63b762e7bae24cbdb1bbd233c4f75d8b224f0fd6e4ef9d57fa19559e33ca4ae9489a21bfd6eebad83275bac98c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3671454.exe
Filesize
22KB

MD5
8bab3f03dccb65e8cca773e6e2e3fc97

SHA1
08644c0c1b32f04fb78957e3f31e625169815b4f

SHA256
c413302fb7d8bec3f64b6956b6cf2a2499b57a5e5486da2e6e7d6d73452071e4

SHA512
7fb18f6ca25d94bed389f64cc45bae0f8c9c63b762e7bae24cbdb1bbd233c4f75d8b224f0fd6e4ef9d57fa19559e33ca4ae9489a21bfd6eebad83275bac98c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4145161.exe
Filesize
1.2MB

MD5
1f45e96ae8e458b6097dc80e2de76444

SHA1
f5403e5837a556b69ea0ef7b42f147642a4185c4

SHA256
6f1148c81defd747545e8a26b043955ce9b550f109a84c44ce4657930791e1a7

SHA512
46aafa84c47aa6cf81ae5278675017ee13cd76165cd54030ec34118fc4d71b309dfcbe7df1afd3779b302a0b42dec16dc2e118785d907ada5399f6b3badb8d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4145161.exe
Filesize
1.2MB

MD5
1f45e96ae8e458b6097dc80e2de76444

SHA1
f5403e5837a556b69ea0ef7b42f147642a4185c4

SHA256
6f1148c81defd747545e8a26b043955ce9b550f109a84c44ce4657930791e1a7

SHA512
46aafa84c47aa6cf81ae5278675017ee13cd76165cd54030ec34118fc4d71b309dfcbe7df1afd3779b302a0b42dec16dc2e118785d907ada5399f6b3badb8d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3046785.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3046785.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8008338.exe
Filesize
1.0MB

MD5
b9fced5c62a9a582b4754b61a89d9219

SHA1
b9349deba0ed75910823b710d6a6ec8e1a5271c3

SHA256
a71c1da36defa5e5889924d057631667588dcf4518280d716e146bd6615ff38f

SHA512
a49f5b515a201690ef08f1628951727dbcb5104f1ed1fd1773149853eaeee335704b0e5d33752afa46514d71a1479d284c70560ab27bf597cac5a9402e234288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8008338.exe
Filesize
1.0MB

MD5
b9fced5c62a9a582b4754b61a89d9219

SHA1
b9349deba0ed75910823b710d6a6ec8e1a5271c3

SHA256
a71c1da36defa5e5889924d057631667588dcf4518280d716e146bd6615ff38f

SHA512
a49f5b515a201690ef08f1628951727dbcb5104f1ed1fd1773149853eaeee335704b0e5d33752afa46514d71a1479d284c70560ab27bf597cac5a9402e234288

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0995080.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0995080.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0112339.exe
Filesize
882KB

MD5
38650a4b0e6f7dbe6a5725b14ffeb139

SHA1
7361f79a48ea84de40c880354a12f4b3d89b9013

SHA256
f2a6590cee1fd41efaab897cf484de490bf7bd9bd4e3ea86cd42e027b6b3e9c1

SHA512
4f6cf83b010f88e46e898b1729b84a8530b4ab364cecae18d61eba7646a5b37778a472b700807360d404a8e3f4dc8e7022cabdb5b58475409db650e213c4438c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0112339.exe
Filesize
882KB

MD5
38650a4b0e6f7dbe6a5725b14ffeb139

SHA1
7361f79a48ea84de40c880354a12f4b3d89b9013

SHA256
f2a6590cee1fd41efaab897cf484de490bf7bd9bd4e3ea86cd42e027b6b3e9c1

SHA512
4f6cf83b010f88e46e898b1729b84a8530b4ab364cecae18d61eba7646a5b37778a472b700807360d404a8e3f4dc8e7022cabdb5b58475409db650e213c4438c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4242394.exe
Filesize
1.0MB

MD5
fa91eee881c00442556e95be2a5b7631

SHA1
6f9adba0f068c738dec278d24bad24b4b3719c07

SHA256
be18c521d481148215bb10fdb97484f2cde721feb03f6c297cf998ad8b45eabf

SHA512
fe5f3227d5629d426658a06a6abb2b397cfc1c2e3ff6711be350471768248d00650d7c5ce6072de4598c09a55da20c3e93bde46eb66d3e5ddd072a105867e1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4242394.exe
Filesize
1.0MB

MD5
fa91eee881c00442556e95be2a5b7631

SHA1
6f9adba0f068c738dec278d24bad24b4b3719c07

SHA256
be18c521d481148215bb10fdb97484f2cde721feb03f6c297cf998ad8b45eabf

SHA512
fe5f3227d5629d426658a06a6abb2b397cfc1c2e3ff6711be350471768248d00650d7c5ce6072de4598c09a55da20c3e93bde46eb66d3e5ddd072a105867e1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3637490.exe
Filesize
491KB

MD5
4bca1f03b5bd367052142aa2d26000fd

SHA1
3e65041d552b2dceddf7873665d1472f8b6e0873

SHA256
85794efb61a40c7393c247cf779f4fa8f5fb600ac51be31ab8e0dbcf92c80eda

SHA512
48c275c4b900c94e0d7c8cd19b28e1e7ae52986eabdcc5926e38983aeaabe855850b0d6895e73e4cec1bc6affd7211249e4327fed17be4e5eb54d05470a49489

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3637490.exe
Filesize
491KB

MD5
4bca1f03b5bd367052142aa2d26000fd

SHA1
3e65041d552b2dceddf7873665d1472f8b6e0873

SHA256
85794efb61a40c7393c247cf779f4fa8f5fb600ac51be31ab8e0dbcf92c80eda

SHA512
48c275c4b900c94e0d7c8cd19b28e1e7ae52986eabdcc5926e38983aeaabe855850b0d6895e73e4cec1bc6affd7211249e4327fed17be4e5eb54d05470a49489

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9806813.exe
Filesize
860KB

MD5
5e527267c53e56377dd8455261c88241

SHA1
efff66af7e84759ca42b443931a32b986c0cf75e

SHA256
f56267d411e510a80ca44e01a76f5a6ec868999b589eed3c67f86b216562241e

SHA512
68fbf3b6d68c1b289fe2e823f5ddf2f85cc8ba7faf0eb41d1b0ec538b688bf04fcbc11a1c185c1b7d9558bd5bed798ee0fc6dda3bb2447da8444230db0a1380f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9806813.exe
Filesize
860KB

MD5
5e527267c53e56377dd8455261c88241

SHA1
efff66af7e84759ca42b443931a32b986c0cf75e

SHA256
f56267d411e510a80ca44e01a76f5a6ec868999b589eed3c67f86b216562241e

SHA512
68fbf3b6d68c1b289fe2e823f5ddf2f85cc8ba7faf0eb41d1b0ec538b688bf04fcbc11a1c185c1b7d9558bd5bed798ee0fc6dda3bb2447da8444230db0a1380f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1461291.exe
Filesize
1016KB

MD5
d0071ba0e26da9b8df02c2e433c83a5d

SHA1
dc881f47a248324b5dbed4daf0f84a71964de88f

SHA256
fbb7b501c0675f39675d6b41479bfe9bc6968451b6981fe575bde0cf592e1daf

SHA512
01d2be879ea20a011c9f75791c047caca101f8d2efd343270a1d3081144d61d2774689d071375007d9c95cdbb970ba4c384ff647a3668c1cef9794bc525de9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1461291.exe
Filesize
1016KB

MD5
d0071ba0e26da9b8df02c2e433c83a5d

SHA1
dc881f47a248324b5dbed4daf0f84a71964de88f

SHA256
fbb7b501c0675f39675d6b41479bfe9bc6968451b6981fe575bde0cf592e1daf

SHA512
01d2be879ea20a011c9f75791c047caca101f8d2efd343270a1d3081144d61d2774689d071375007d9c95cdbb970ba4c384ff647a3668c1cef9794bc525de9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/2620-37-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-39-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2620-36-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/3396-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3396-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3396-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3396-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4864-73-0x0000000005060000-0x000000000509C000-memory.dmp

Filesize
240KB

Download
memory/4864-66-0x0000000005040000-0x0000000005052000-memory.dmp

Filesize
72KB

Download
memory/4864-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4864-53-0x0000000073C50000-0x0000000074400000-memory.dmp

Filesize
7.7MB

Download
memory/4864-86-0x000000000A4B0000-0x000000000A4FC000-memory.dmp

Filesize
304KB

Download
memory/4864-65-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

Filesize
1.0MB

Download
memory/4864-54-0x0000000000E10000-0x0000000000E16000-memory.dmp

Filesize
24KB

Download
memory/4864-88-0x0000000073C50000-0x0000000074400000-memory.dmp

Filesize
7.7MB

Download
memory/4864-89-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/4864-61-0x000000000AAD0000-0x000000000B0E8000-memory.dmp

Filesize
6.1MB

Download
memory/4864-67-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download