amadey | 5885ce8a7e69f3700aec089569c1ae6e62d2661793dadd9053144a5e7906cbe3

Analysis

max time kernel
186s
max time network
189s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe
Size

1.3MB
MD5

4c649f686dac6be08a89e45c6c00dce2
SHA1

23e07c6fc98c91f69e1a84ac3c259375c36496f7
SHA256

251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e
SHA512

af4c4bef97b25a1d9e111859ddb340d170b85c2f4bc7098d97d005f8b0e80647e0c533b41b18b9e8aaa6ddd9dd025836a5ffae0947e00f4290e7db15290833ab
SSDEEP

24576:cyoRK3c7mE93pxAVAB8Mc76NsFllWsHS9SvrTrktzs7UzrVlHR+:LCkamE938ijcZx4tnHZ

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4856-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4856-47-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4856-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4856-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1824-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t4886084.exeu9100317.exelegota.exeexplonde.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	t4886084.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	u9100317.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	explonde.exe

Executes dropped EXE 12 IoCs

Processes:

z8757013.exez3640969.exez7563611.exez7452049.exeq5241181.exer9086018.exes8345427.exet4886084.exeexplonde.exeu9100317.exelegota.exew5008372.exe

pid	process
4456	z8757013.exe
1908	z3640969.exe
416	z7563611.exe
4112	z7452049.exe
3804	q5241181.exe
3244	r9086018.exe
5012	s8345427.exe
3540	t4886084.exe
3276	explonde.exe
1672	u9100317.exe
4756	legota.exe
3080	w5008372.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z7563611.exez7452049.exe251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exez8757013.exez3640969.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7563611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7452049.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8757013.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z3640969.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q5241181.exer9086018.exes8345427.exe

description	pid	process	target process
PID 3804 set thread context of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3244 set thread context of 4856	3244	r9086018.exe	AppLaunch.exe
PID 5012 set thread context of 1048	5012	s8345427.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3716	3804	WerFault.exe	q5241181.exe
4736	3244	WerFault.exe	r9086018.exe
3352	4856	WerFault.exe	AppLaunch.exe
316	5012	WerFault.exe	s8345427.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4632 schtasks.exe
3104 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1824 AppLaunch.exe
1824 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1824 AppLaunch.exe

pid	process
4632	schtasks.exe
3104	schtasks.exe

pid	process
1824	AppLaunch.exe
1824	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1824	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exez8757013.exez3640969.exez7563611.exez7452049.exeq5241181.exer9086018.exes8345427.exet4886084.exeu9100317.exelegota.exe

description	pid	process	target process
PID 3376 wrote to memory of 4456	3376	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe	z8757013.exe
PID 3376 wrote to memory of 4456	3376	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe	z8757013.exe
PID 3376 wrote to memory of 4456	3376	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe	z8757013.exe
PID 4456 wrote to memory of 1908	4456	z8757013.exe	z3640969.exe
PID 4456 wrote to memory of 1908	4456	z8757013.exe	z3640969.exe
PID 4456 wrote to memory of 1908	4456	z8757013.exe	z3640969.exe
PID 1908 wrote to memory of 416	1908	z3640969.exe	z7563611.exe
PID 1908 wrote to memory of 416	1908	z3640969.exe	z7563611.exe
PID 1908 wrote to memory of 416	1908	z3640969.exe	z7563611.exe
PID 416 wrote to memory of 4112	416	z7563611.exe	z7452049.exe
PID 416 wrote to memory of 4112	416	z7563611.exe	z7452049.exe
PID 416 wrote to memory of 4112	416	z7563611.exe	z7452049.exe
PID 4112 wrote to memory of 3804	4112	z7452049.exe	q5241181.exe
PID 4112 wrote to memory of 3804	4112	z7452049.exe	q5241181.exe
PID 4112 wrote to memory of 3804	4112	z7452049.exe	q5241181.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 3804 wrote to memory of 1824	3804	q5241181.exe	AppLaunch.exe
PID 4112 wrote to memory of 3244	4112	z7452049.exe	r9086018.exe
PID 4112 wrote to memory of 3244	4112	z7452049.exe	r9086018.exe
PID 4112 wrote to memory of 3244	4112	z7452049.exe	r9086018.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 3244 wrote to memory of 4856	3244	r9086018.exe	AppLaunch.exe
PID 416 wrote to memory of 5012	416	z7563611.exe	s8345427.exe
PID 416 wrote to memory of 5012	416	z7563611.exe	s8345427.exe
PID 416 wrote to memory of 5012	416	z7563611.exe	s8345427.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 5012 wrote to memory of 1048	5012	s8345427.exe	AppLaunch.exe
PID 1908 wrote to memory of 3540	1908	z3640969.exe	t4886084.exe
PID 1908 wrote to memory of 3540	1908	z3640969.exe	t4886084.exe
PID 1908 wrote to memory of 3540	1908	z3640969.exe	t4886084.exe
PID 3540 wrote to memory of 3276	3540	t4886084.exe	explonde.exe
PID 3540 wrote to memory of 3276	3540	t4886084.exe	explonde.exe
PID 3540 wrote to memory of 3276	3540	t4886084.exe	explonde.exe
PID 4456 wrote to memory of 1672	4456	z8757013.exe	u9100317.exe
PID 4456 wrote to memory of 1672	4456	z8757013.exe	u9100317.exe
PID 4456 wrote to memory of 1672	4456	z8757013.exe	u9100317.exe
PID 1672 wrote to memory of 4756	1672	u9100317.exe	legota.exe
PID 1672 wrote to memory of 4756	1672	u9100317.exe	legota.exe
PID 1672 wrote to memory of 4756	1672	u9100317.exe	legota.exe
PID 3376 wrote to memory of 3080	3376	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe	w5008372.exe
PID 3376 wrote to memory of 3080	3376	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe	w5008372.exe
PID 3376 wrote to memory of 3080	3376	251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe	w5008372.exe
PID 4756 wrote to memory of 3104	4756	legota.exe	schtasks.exe
PID 4756 wrote to memory of 3104	4756	legota.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe
"C:\Users\Admin\AppData\Local\Temp\251d5f6a40d82086de3323b9c6c4779a1d3309ef473fa9d0c4b1f26c1841486e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8757013.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8757013.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3640969.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3640969.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7563611.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7563611.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:416

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7452049.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7452049.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5241181.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5241181.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3804 -s 140
7⤵
- Program crash
PID:3716

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9086018.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9086018.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 540
8⤵
- Program crash
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 584
7⤵
- Program crash
PID:4736

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8345427.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8345427.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 140
6⤵
- Program crash
PID:316

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4886084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4886084.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3276

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:4632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3288

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:4028

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3424

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:2996

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9100317.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9100317.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:3104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2464

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:4328

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2652

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:3836

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5008372.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5008372.exe
2⤵
- Executes dropped EXE
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3804 -ip 3804
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3244 -ip 3244
1⤵
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4856 -ip 4856
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5012 -ip 5012
1⤵
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5008372.exe
Filesize
22KB

MD5
d85851283c5d76cb95fb01690ed02980

SHA1
e8af3d44ce3c7f4371178924e64bb44a6a8fe2bd

SHA256
77084c134d7b52a97303affc80d8215d9418b4b9ceec6fc57d00f3b05a985a49

SHA512
3b42cf9dd5415c23b3e5e9678ab63c1a19942f2ce1ae4602cbb4ed35aea67d9745a939cd9032594da4da4f283e7331b315f99adb8672d701a4a699cf313204d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w5008372.exe
Filesize
22KB

MD5
d85851283c5d76cb95fb01690ed02980

SHA1
e8af3d44ce3c7f4371178924e64bb44a6a8fe2bd

SHA256
77084c134d7b52a97303affc80d8215d9418b4b9ceec6fc57d00f3b05a985a49

SHA512
3b42cf9dd5415c23b3e5e9678ab63c1a19942f2ce1ae4602cbb4ed35aea67d9745a939cd9032594da4da4f283e7331b315f99adb8672d701a4a699cf313204d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8757013.exe
Filesize
1.2MB

MD5
1e87c4d43a74cf6bbc599dbe4461da60

SHA1
fa794d82663d3d6f33667a2673b06ca187ca4ae3

SHA256
80bb1e58ad50c15cc13e0b5bb6a58b328451dbf2a46466e9c7a6019647a09590

SHA512
1272b3aed0f8617613ed65e1188d1b6f07e9fa18fb4b5d102f3a28cec60de834cb1ab16b2b08c77f091799622b174dc90647ac254d761e488d40e09b72dc59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8757013.exe
Filesize
1.2MB

MD5
1e87c4d43a74cf6bbc599dbe4461da60

SHA1
fa794d82663d3d6f33667a2673b06ca187ca4ae3

SHA256
80bb1e58ad50c15cc13e0b5bb6a58b328451dbf2a46466e9c7a6019647a09590

SHA512
1272b3aed0f8617613ed65e1188d1b6f07e9fa18fb4b5d102f3a28cec60de834cb1ab16b2b08c77f091799622b174dc90647ac254d761e488d40e09b72dc59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9100317.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9100317.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3640969.exe
Filesize
1.0MB

MD5
45a45be4cedbb178f17f553d72d2dc7b

SHA1
0123a12c9fad7333efe9a2ed28fd762ae996199d

SHA256
089c7018364f1ded06644a5c6c5cb177080936cd86477ea1784c6c4a8e48b856

SHA512
9d6b371f840e78b951c87a9c1d68fa98b6f36a25408d08717a290426620d8fc6d2ccda92ee52561823cd55543f308afb6bd9a4ec861ba781e1838ce6843348b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3640969.exe
Filesize
1.0MB

MD5
45a45be4cedbb178f17f553d72d2dc7b

SHA1
0123a12c9fad7333efe9a2ed28fd762ae996199d

SHA256
089c7018364f1ded06644a5c6c5cb177080936cd86477ea1784c6c4a8e48b856

SHA512
9d6b371f840e78b951c87a9c1d68fa98b6f36a25408d08717a290426620d8fc6d2ccda92ee52561823cd55543f308afb6bd9a4ec861ba781e1838ce6843348b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4886084.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4886084.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7563611.exe
Filesize
881KB

MD5
78ce3e6921daefae74fd2467ff0f85a2

SHA1
10f983aa2b2ade2b77b5147b9325f6ed4be223d0

SHA256
3e8987153546cfd9314bb70fd50a3e46610d729de42e4045fa8e00442a56c1f0

SHA512
fe91a97b070c66194f242b4b68da038cd8dccd9eecf4a41c50cae8cc190247af1294bb6366b026bf9df728cc9e28d1fd8bfd163d36bd59a014675c615b4d4256

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7563611.exe
Filesize
881KB

MD5
78ce3e6921daefae74fd2467ff0f85a2

SHA1
10f983aa2b2ade2b77b5147b9325f6ed4be223d0

SHA256
3e8987153546cfd9314bb70fd50a3e46610d729de42e4045fa8e00442a56c1f0

SHA512
fe91a97b070c66194f242b4b68da038cd8dccd9eecf4a41c50cae8cc190247af1294bb6366b026bf9df728cc9e28d1fd8bfd163d36bd59a014675c615b4d4256

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8345427.exe
Filesize
1.0MB

MD5
1dbad6572c57c7227c029961488865ca

SHA1
496e0882ebb18b4ab5205a2b6acfb474f07bc418

SHA256
5694d77e285583e6c8717e058fae9deee3de5a8ddaad4f755489edc97015b8c3

SHA512
593adf084c57a9e6a03243778f9730c1598df16b718c99b0f6008fc714e114eaf63bae801a0905f12ad8e4636af1c85d6be9083e0a64fd8d9d5f8897534d340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8345427.exe
Filesize
1.0MB

MD5
1dbad6572c57c7227c029961488865ca

SHA1
496e0882ebb18b4ab5205a2b6acfb474f07bc418

SHA256
5694d77e285583e6c8717e058fae9deee3de5a8ddaad4f755489edc97015b8c3

SHA512
593adf084c57a9e6a03243778f9730c1598df16b718c99b0f6008fc714e114eaf63bae801a0905f12ad8e4636af1c85d6be9083e0a64fd8d9d5f8897534d340c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7452049.exe
Filesize
489KB

MD5
7dec462033d31d429d39030332e0118d

SHA1
c0512d27d6bdf859e2e2f42c53b3584c7912a16e

SHA256
86486833da2794b2809313d78fc4bacceeb9db2f534d379347d46830403178c1

SHA512
55b4c12335970af636764259d50ff3197a12d475e00feca0c96cad7f6290e682cbdd55546500a782ee0bb7497a189636fc79cebb6592c556a2a895a1d7b08c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7452049.exe
Filesize
489KB

MD5
7dec462033d31d429d39030332e0118d

SHA1
c0512d27d6bdf859e2e2f42c53b3584c7912a16e

SHA256
86486833da2794b2809313d78fc4bacceeb9db2f534d379347d46830403178c1

SHA512
55b4c12335970af636764259d50ff3197a12d475e00feca0c96cad7f6290e682cbdd55546500a782ee0bb7497a189636fc79cebb6592c556a2a895a1d7b08c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5241181.exe
Filesize
860KB

MD5
72e1edb06f05912f3db3977a7b871620

SHA1
60926d9010053cd107a33c74cd5e06e96f77ad89

SHA256
807655945c76a0a4e5288e53e7f7827e5b6d06ed8afccc15f6e9de75f22372f2

SHA512
90fa4ee6aec8d699761d73f5b328f76ea07782ae1d59e32d08137e9aa6a9e8ce5c498e3cb9684a740089c6c654875d51dc98dc765872519ee8936988ef6b1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5241181.exe
Filesize
860KB

MD5
72e1edb06f05912f3db3977a7b871620

SHA1
60926d9010053cd107a33c74cd5e06e96f77ad89

SHA256
807655945c76a0a4e5288e53e7f7827e5b6d06ed8afccc15f6e9de75f22372f2

SHA512
90fa4ee6aec8d699761d73f5b328f76ea07782ae1d59e32d08137e9aa6a9e8ce5c498e3cb9684a740089c6c654875d51dc98dc765872519ee8936988ef6b1871

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9086018.exe
Filesize
1016KB

MD5
04c747a76e2e9b4a3b52ebbc5c98652c

SHA1
b0a7ce37d86d2f622d6948a25d5ea19db6c9e0b0

SHA256
e7c03e4ac4b50ece98c94d17eabb70c6d9659ffb8c0b0eb1c38ba7a6b7163a55

SHA512
3c6d1741b285aaabcf69b645809a9e5bf7d61947dfea4308d39bdd55208bbfd33a1ac3672d31d7f3557eb3fa5f2f2fa6c4df4d1b0ff5ee02f2bb0b201bfd964b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9086018.exe
Filesize
1016KB

MD5
04c747a76e2e9b4a3b52ebbc5c98652c

SHA1
b0a7ce37d86d2f622d6948a25d5ea19db6c9e0b0

SHA256
e7c03e4ac4b50ece98c94d17eabb70c6d9659ffb8c0b0eb1c38ba7a6b7163a55

SHA512
3c6d1741b285aaabcf69b645809a9e5bf7d61947dfea4308d39bdd55208bbfd33a1ac3672d31d7f3557eb3fa5f2f2fa6c4df4d1b0ff5ee02f2bb0b201bfd964b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/1048-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-83-0x0000000005490000-0x000000000559A000-memory.dmp

Filesize
1.0MB

Download
memory/1048-54-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/1048-53-0x0000000074260000-0x0000000074A10000-memory.dmp

Filesize
7.7MB

Download
memory/1048-87-0x0000000005420000-0x000000000545C000-memory.dmp

Filesize
240KB

Download
memory/1048-86-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/1048-85-0x00000000053C0000-0x00000000053D2000-memory.dmp

Filesize
72KB

Download
memory/1048-73-0x0000000005950000-0x0000000005F68000-memory.dmp

Filesize
6.1MB

Download
memory/1048-55-0x0000000002C50000-0x0000000002C56000-memory.dmp

Filesize
24KB

Download
memory/1824-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1824-37-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1824-36-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/1824-39-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4856-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4856-47-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4856-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4856-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download