amadey | 0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1

Analysis

max time kernel
191s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe
Size

1.3MB
MD5

7054287f737e7e2535962acb9621dd34
SHA1

61392395a25951483df76a5fb0fc5520b9c42ada
SHA256

0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1
SHA512

4de505b52920fef26852a996721cce194f77c195741f118bae5dc84fdb9820e4cfc57ddcd953b0a114b26f9dea95344784b115f8356e566953cad502b34b1930
SSDEEP

24576:jyLJl0X1Yi6QeBFWc6h0khlVHJJYFjOBAC/zXjKi4lp2CRPiEoJhc:2Lg1F6QgFWc6h0slt/BBfrjjl8yJh

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/820-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/820-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/820-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/820-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5044-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explonde.exeu8489733.exelegota.exet1089188.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	u8489733.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	t1089188.exe

Executes dropped EXE 12 IoCs

Processes:

z7299675.exez6397376.exez7227121.exez5231932.exeq3728816.exer5209601.exes8188066.exet1089188.exeexplonde.exeu8489733.exelegota.exew2662109.exe

pid	process
4188	z7299675.exe
4840	z6397376.exe
5024	z7227121.exe
3316	z5231932.exe
4272	q3728816.exe
1412	r5209601.exe
368	s8188066.exe
1416	t1089188.exe
1656	explonde.exe
4296	u8489733.exe
3016	legota.exe
3628	w2662109.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z7227121.exez5231932.exe0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exez7299675.exez6397376.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7227121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z5231932.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7299675.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6397376.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q3728816.exer5209601.exes8188066.exe

description	pid	process	target process
PID 4272 set thread context of 5044	4272	q3728816.exe	AppLaunch.exe
PID 1412 set thread context of 820	1412	r5209601.exe	AppLaunch.exe
PID 368 set thread context of 2528	368	s8188066.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
932	4272	WerFault.exe	q3728816.exe
2552	1412	WerFault.exe	r5209601.exe
4904	820	WerFault.exe	AppLaunch.exe
4384	368	WerFault.exe	s8188066.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4460 schtasks.exe
1212 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

5044 AppLaunch.exe
5044 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 5044 AppLaunch.exe

pid	process
4460	schtasks.exe
1212	schtasks.exe

pid	process
5044	AppLaunch.exe
5044	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5044	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exez7299675.exez6397376.exez7227121.exez5231932.exeq3728816.exer5209601.exes8188066.exet1089188.exeexplonde.exe

description	pid	process	target process
PID 5060 wrote to memory of 4188	5060	0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe	z7299675.exe
PID 5060 wrote to memory of 4188	5060	0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe	z7299675.exe
PID 5060 wrote to memory of 4188	5060	0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe	z7299675.exe
PID 4188 wrote to memory of 4840	4188	z7299675.exe	z6397376.exe
PID 4188 wrote to memory of 4840	4188	z7299675.exe	z6397376.exe
PID 4188 wrote to memory of 4840	4188	z7299675.exe	z6397376.exe
PID 4840 wrote to memory of 5024	4840	z6397376.exe	z7227121.exe
PID 4840 wrote to memory of 5024	4840	z6397376.exe	z7227121.exe
PID 4840 wrote to memory of 5024	4840	z6397376.exe	z7227121.exe
PID 5024 wrote to memory of 3316	5024	z7227121.exe	z5231932.exe
PID 5024 wrote to memory of 3316	5024	z7227121.exe	z5231932.exe
PID 5024 wrote to memory of 3316	5024	z7227121.exe	z5231932.exe
PID 3316 wrote to memory of 4272	3316	z5231932.exe	q3728816.exe
PID 3316 wrote to memory of 4272	3316	z5231932.exe	q3728816.exe
PID 3316 wrote to memory of 4272	3316	z5231932.exe	q3728816.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 4272 wrote to memory of 5044	4272	q3728816.exe	AppLaunch.exe
PID 3316 wrote to memory of 1412	3316	z5231932.exe	r5209601.exe
PID 3316 wrote to memory of 1412	3316	z5231932.exe	r5209601.exe
PID 3316 wrote to memory of 1412	3316	z5231932.exe	r5209601.exe
PID 1412 wrote to memory of 4740	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 4740	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 4740	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 1412 wrote to memory of 820	1412	r5209601.exe	AppLaunch.exe
PID 5024 wrote to memory of 368	5024	z7227121.exe	s8188066.exe
PID 5024 wrote to memory of 368	5024	z7227121.exe	s8188066.exe
PID 5024 wrote to memory of 368	5024	z7227121.exe	s8188066.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 368 wrote to memory of 2528	368	s8188066.exe	AppLaunch.exe
PID 4840 wrote to memory of 1416	4840	z6397376.exe	t1089188.exe
PID 4840 wrote to memory of 1416	4840	z6397376.exe	t1089188.exe
PID 4840 wrote to memory of 1416	4840	z6397376.exe	t1089188.exe
PID 1416 wrote to memory of 1656	1416	t1089188.exe	explonde.exe
PID 1416 wrote to memory of 1656	1416	t1089188.exe	explonde.exe
PID 1416 wrote to memory of 1656	1416	t1089188.exe	explonde.exe
PID 4188 wrote to memory of 4296	4188	z7299675.exe	u8489733.exe
PID 4188 wrote to memory of 4296	4188	z7299675.exe	u8489733.exe
PID 4188 wrote to memory of 4296	4188	z7299675.exe	u8489733.exe
PID 1656 wrote to memory of 4460	1656	explonde.exe	schtasks.exe
PID 1656 wrote to memory of 4460	1656	explonde.exe	schtasks.exe
PID 1656 wrote to memory of 4460	1656	explonde.exe	schtasks.exe
PID 1656 wrote to memory of 4928	1656	explonde.exe	cmd.exe
PID 1656 wrote to memory of 4928	1656	explonde.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe
"C:\Users\Admin\AppData\Local\Temp\0a53aedcdb1cdb2e73e49e55cc48d82cd2df0e3793de9fb0baaeacb547644fc1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299675.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299675.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6397376.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6397376.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7227121.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7227121.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5231932.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5231932.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3316

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3728816.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3728816.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 608
7⤵
- Program crash
PID:932

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5209601.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5209601.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 196
8⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 584
7⤵
- Program crash
PID:2552

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8188066.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8188066.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 148
6⤵
- Program crash
PID:4384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1089188.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1089188.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2200

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:1964

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3960

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:376

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8489733.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8489733.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3016

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1916

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:1576

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4708

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:2548

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2662109.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2662109.exe
2⤵
- Executes dropped EXE
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4272 -ip 4272
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1412 -ip 1412
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 820 -ip 820
1⤵
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 368 -ip 368
1⤵
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2662109.exe
Filesize
22KB

MD5
8f441196ee21b288e3d3f9abd72eebca

SHA1
c2c79c356b823b3c30331a33fdbfba855e1a79fc

SHA256
360c76dbf6962af12bd2f875ac270deda8571ca363f1f7f86c3859445ba5ceb8

SHA512
5f020c85906d65e16e19c7016e516dd5468cc0e83a1ea45de0af7e566198d07673acb6ba5c5c208df33db9bd5e5bfd36573664b8abdca3d4739b2eaf1ebe475c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2662109.exe
Filesize
22KB

MD5
8f441196ee21b288e3d3f9abd72eebca

SHA1
c2c79c356b823b3c30331a33fdbfba855e1a79fc

SHA256
360c76dbf6962af12bd2f875ac270deda8571ca363f1f7f86c3859445ba5ceb8

SHA512
5f020c85906d65e16e19c7016e516dd5468cc0e83a1ea45de0af7e566198d07673acb6ba5c5c208df33db9bd5e5bfd36573664b8abdca3d4739b2eaf1ebe475c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299675.exe
Filesize
1.2MB

MD5
78a750e874ed54f9946f77ee8d58c7ed

SHA1
669411690488dd478d404fffa903b0097e78e60a

SHA256
05e349cc4f38bfb11981f186a5c52ed28f14b4a93b25a0a1f251efca465582d0

SHA512
325e96b80fca8e08ae752ab64a69f55d6bdc2f1b65900be8a4e9b2ef3f4894e5d762280c26d41d0229d0fdf2b5ea2287d96ea884e447a884cf5ebf7665753d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7299675.exe
Filesize
1.2MB

MD5
78a750e874ed54f9946f77ee8d58c7ed

SHA1
669411690488dd478d404fffa903b0097e78e60a

SHA256
05e349cc4f38bfb11981f186a5c52ed28f14b4a93b25a0a1f251efca465582d0

SHA512
325e96b80fca8e08ae752ab64a69f55d6bdc2f1b65900be8a4e9b2ef3f4894e5d762280c26d41d0229d0fdf2b5ea2287d96ea884e447a884cf5ebf7665753d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8489733.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8489733.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6397376.exe
Filesize
1.0MB

MD5
93dc722b62578c45f3535c0bc83000d0

SHA1
be8ad83beaa20d4b3745a67c75ae62ea2deafd02

SHA256
e0f1c9cf65aa9708e62f45235228a12d9571f8bf8e7ea877a7f5dc8e163b4d7a

SHA512
7e58032048ff56d802d106ca552e123fe6ccf602299343bdcacc856c649d0b80883e587c6526521404446fd1aca4f4b45f0080825316a49dda72a9ab286036c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6397376.exe
Filesize
1.0MB

MD5
93dc722b62578c45f3535c0bc83000d0

SHA1
be8ad83beaa20d4b3745a67c75ae62ea2deafd02

SHA256
e0f1c9cf65aa9708e62f45235228a12d9571f8bf8e7ea877a7f5dc8e163b4d7a

SHA512
7e58032048ff56d802d106ca552e123fe6ccf602299343bdcacc856c649d0b80883e587c6526521404446fd1aca4f4b45f0080825316a49dda72a9ab286036c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1089188.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1089188.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7227121.exe
Filesize
881KB

MD5
aec5079e8a6c6231f71c730fb8e94599

SHA1
877d78568b0323ee05480acaa5f106f993ddfd96

SHA256
440e54063fd1f15ae362fe2585e956d9589c9d55ef6dcc0030e12f6030fcdf39

SHA512
0f8d02427ff3957a506cf4a5901fcc12ba99b6f47a2c6aef59cf4882bd0b3b4e6b7d344f6e9cae8ed82f07bab573ade687624de35be2dbf38a5c3032ddc4f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7227121.exe
Filesize
881KB

MD5
aec5079e8a6c6231f71c730fb8e94599

SHA1
877d78568b0323ee05480acaa5f106f993ddfd96

SHA256
440e54063fd1f15ae362fe2585e956d9589c9d55ef6dcc0030e12f6030fcdf39

SHA512
0f8d02427ff3957a506cf4a5901fcc12ba99b6f47a2c6aef59cf4882bd0b3b4e6b7d344f6e9cae8ed82f07bab573ade687624de35be2dbf38a5c3032ddc4f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8188066.exe
Filesize
1.0MB

MD5
cf2b0cd6584f671e598347890b2c045f

SHA1
8262c206c5b7526971316b8ebf3b7994c329bc46

SHA256
f16275f19d0f5f4d40cd13d1a465d543882df7912baa3f187a6677e960c7a54c

SHA512
37532a6ff37ec78af61451f56ccd6b5f6a27ef98eb47dd1d09c3b47a8841655c503e9d73e4dc54fd6a57c30e0a8cd6ba0f2e9b58e0c6056e951022ca7fce3ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8188066.exe
Filesize
1.0MB

MD5
cf2b0cd6584f671e598347890b2c045f

SHA1
8262c206c5b7526971316b8ebf3b7994c329bc46

SHA256
f16275f19d0f5f4d40cd13d1a465d543882df7912baa3f187a6677e960c7a54c

SHA512
37532a6ff37ec78af61451f56ccd6b5f6a27ef98eb47dd1d09c3b47a8841655c503e9d73e4dc54fd6a57c30e0a8cd6ba0f2e9b58e0c6056e951022ca7fce3ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5231932.exe
Filesize
490KB

MD5
22d3caaaa4352016280256baf0919a4c

SHA1
429ddbf03ee1ca60a16fdbade7cc06dcb405d755

SHA256
8cd34f62a2d31f26882cd684209f1d3ad3b1dbb2444ff1c4a7d4f26bb7350442

SHA512
61450328c8eaa3d8a450cd6705f32e45eacd797a02b5e818c362e2e7738c9904052823fe5c44c4ccc8b217d63f717c1c8de12b26f6bdb1180083abe27665cb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5231932.exe
Filesize
490KB

MD5
22d3caaaa4352016280256baf0919a4c

SHA1
429ddbf03ee1ca60a16fdbade7cc06dcb405d755

SHA256
8cd34f62a2d31f26882cd684209f1d3ad3b1dbb2444ff1c4a7d4f26bb7350442

SHA512
61450328c8eaa3d8a450cd6705f32e45eacd797a02b5e818c362e2e7738c9904052823fe5c44c4ccc8b217d63f717c1c8de12b26f6bdb1180083abe27665cb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3728816.exe
Filesize
860KB

MD5
6395bdff5f7a204399ef5d7f1970c2e2

SHA1
cf72d6b1e5180f2c312ad557b4e08bd1e541e7e5

SHA256
3d41ab83419e1be9b6be905c133f67f0a3db36798fcbbfa5ca116f2a37a274b8

SHA512
5810beb38d260bf8853b354dc4f2df28a59bd6fb1150640496eee1e99d028b88a2239e5d7776dcda8985a2bac61ff6e5cb01e8eda754ac3a487af129951e0d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3728816.exe
Filesize
860KB

MD5
6395bdff5f7a204399ef5d7f1970c2e2

SHA1
cf72d6b1e5180f2c312ad557b4e08bd1e541e7e5

SHA256
3d41ab83419e1be9b6be905c133f67f0a3db36798fcbbfa5ca116f2a37a274b8

SHA512
5810beb38d260bf8853b354dc4f2df28a59bd6fb1150640496eee1e99d028b88a2239e5d7776dcda8985a2bac61ff6e5cb01e8eda754ac3a487af129951e0d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5209601.exe
Filesize
1016KB

MD5
f744162830567b060876c8647dfc2a74

SHA1
40b66e43ee65348f9add67f09d08ab5283143498

SHA256
bb78246541ad7119d9fecad2f9d378b752231162633e72c56e382432330654a5

SHA512
0c844d7be44b76105f2095f62eeb0d942de76ac8b0ec968387caea68c1409e0379ddfc80a96e2ede94fb5d50358c47dd2d238d998db8ddc91c50c72f2ee72ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5209601.exe
Filesize
1016KB

MD5
f744162830567b060876c8647dfc2a74

SHA1
40b66e43ee65348f9add67f09d08ab5283143498

SHA256
bb78246541ad7119d9fecad2f9d378b752231162633e72c56e382432330654a5

SHA512
0c844d7be44b76105f2095f62eeb0d942de76ac8b0ec968387caea68c1409e0379ddfc80a96e2ede94fb5d50358c47dd2d238d998db8ddc91c50c72f2ee72ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/820-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/820-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/820-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/820-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2528-68-0x000000000AB90000-0x000000000ABA2000-memory.dmp

Filesize
72KB

Download
memory/2528-75-0x000000000ABF0000-0x000000000AC2C000-memory.dmp

Filesize
240KB

Download
memory/2528-66-0x000000000AC60000-0x000000000AD6A000-memory.dmp

Filesize
1.0MB

Download
memory/2528-62-0x000000000B0F0000-0x000000000B708000-memory.dmp

Filesize
6.1MB

Download
memory/2528-55-0x0000000005450000-0x0000000005456000-memory.dmp

Filesize
24KB

Download
memory/2528-54-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-53-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/2528-67-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/2528-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-89-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/2528-87-0x000000000AD70000-0x000000000ADBC000-memory.dmp

Filesize
304KB

Download
memory/5044-36-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-37-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/5044-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5044-47-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download