amadey | 71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d

Analysis

max time kernel
172s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe
Size

1.3MB
MD5

6b709a2ac7c74ad04476d6ff9993d4f5
SHA1

9713eb2f7b44ce77bb1ce8c57e0d63fd5d6ca346
SHA256

71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d
SHA512

8b2ad14b3b5ed3f57e5aa0134cd62a00f42521a8b931ad83f485567bc62a57bc6de29fe41a309c7741e0e9fc6f764b1ff0e2868e8760393b89e49fbdbfc4256a
SSDEEP

24576:5ytB8KvJGwl6+JmaKjwC2ESD0Uc1iOvkwD8q/cvI3VclbG9Ysi:stqWoO6CmaEPyD0Uc1iELD8qUvmVclOt

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4204-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4204-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4204-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4204-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/540-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explonde.exelegota.exet9990701.exeu0981323.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	legota.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	t9990701.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	u0981323.exe

Executes dropped EXE 12 IoCs

Processes:

z3922007.exez5850088.exez8858974.exez6702390.exeq3576810.exer9273524.exes7854531.exet9990701.exeexplonde.exeu0981323.exelegota.exew0488140.exe

pid	process
1060	z3922007.exe
2204	z5850088.exe
2772	z8858974.exe
2912	z6702390.exe
4896	q3576810.exe
1980	r9273524.exe
3612	s7854531.exe
3960	t9990701.exe
3184	explonde.exe
2096	u0981323.exe
3704	legota.exe
3428	w0488140.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z5850088.exez8858974.exez6702390.exe71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exez3922007.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5850088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8858974.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6702390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3922007.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q3576810.exer9273524.exes7854531.exe

description	pid	process	target process
PID 4896 set thread context of 540	4896	q3576810.exe	AppLaunch.exe
PID 1980 set thread context of 4204	1980	r9273524.exe	AppLaunch.exe
PID 3612 set thread context of 4656	3612	s7854531.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1708	4896	WerFault.exe	q3576810.exe
896	1980	WerFault.exe	r9273524.exe
4444	4204	WerFault.exe	AppLaunch.exe
724	3612	WerFault.exe	s7854531.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2176 schtasks.exe
2016 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

540 AppLaunch.exe
540 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 540 AppLaunch.exe

pid	process
2176	schtasks.exe
2016	schtasks.exe

pid	process
540	AppLaunch.exe
540	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	540	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exez3922007.exez5850088.exez8858974.exez6702390.exeq3576810.exer9273524.exes7854531.exet9990701.exeu0981323.exeexplonde.exe

description	pid	process	target process
PID 3564 wrote to memory of 1060	3564	71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe	z3922007.exe
PID 3564 wrote to memory of 1060	3564	71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe	z3922007.exe
PID 3564 wrote to memory of 1060	3564	71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe	z3922007.exe
PID 1060 wrote to memory of 2204	1060	z3922007.exe	z5850088.exe
PID 1060 wrote to memory of 2204	1060	z3922007.exe	z5850088.exe
PID 1060 wrote to memory of 2204	1060	z3922007.exe	z5850088.exe
PID 2204 wrote to memory of 2772	2204	z5850088.exe	z8858974.exe
PID 2204 wrote to memory of 2772	2204	z5850088.exe	z8858974.exe
PID 2204 wrote to memory of 2772	2204	z5850088.exe	z8858974.exe
PID 2772 wrote to memory of 2912	2772	z8858974.exe	z6702390.exe
PID 2772 wrote to memory of 2912	2772	z8858974.exe	z6702390.exe
PID 2772 wrote to memory of 2912	2772	z8858974.exe	z6702390.exe
PID 2912 wrote to memory of 4896	2912	z6702390.exe	q3576810.exe
PID 2912 wrote to memory of 4896	2912	z6702390.exe	q3576810.exe
PID 2912 wrote to memory of 4896	2912	z6702390.exe	q3576810.exe
PID 4896 wrote to memory of 1428	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 1428	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 1428	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 4896 wrote to memory of 540	4896	q3576810.exe	AppLaunch.exe
PID 2912 wrote to memory of 1980	2912	z6702390.exe	r9273524.exe
PID 2912 wrote to memory of 1980	2912	z6702390.exe	r9273524.exe
PID 2912 wrote to memory of 1980	2912	z6702390.exe	r9273524.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 1980 wrote to memory of 4204	1980	r9273524.exe	AppLaunch.exe
PID 2772 wrote to memory of 3612	2772	z8858974.exe	s7854531.exe
PID 2772 wrote to memory of 3612	2772	z8858974.exe	s7854531.exe
PID 2772 wrote to memory of 3612	2772	z8858974.exe	s7854531.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 3612 wrote to memory of 4656	3612	s7854531.exe	AppLaunch.exe
PID 2204 wrote to memory of 3960	2204	z5850088.exe	t9990701.exe
PID 2204 wrote to memory of 3960	2204	z5850088.exe	t9990701.exe
PID 2204 wrote to memory of 3960	2204	z5850088.exe	t9990701.exe
PID 3960 wrote to memory of 3184	3960	t9990701.exe	explonde.exe
PID 3960 wrote to memory of 3184	3960	t9990701.exe	explonde.exe
PID 3960 wrote to memory of 3184	3960	t9990701.exe	explonde.exe
PID 1060 wrote to memory of 2096	1060	z3922007.exe	u0981323.exe
PID 1060 wrote to memory of 2096	1060	z3922007.exe	u0981323.exe
PID 1060 wrote to memory of 2096	1060	z3922007.exe	u0981323.exe
PID 2096 wrote to memory of 3704	2096	u0981323.exe	legota.exe
PID 2096 wrote to memory of 3704	2096	u0981323.exe	legota.exe
PID 2096 wrote to memory of 3704	2096	u0981323.exe	legota.exe
PID 3184 wrote to memory of 2176	3184	explonde.exe	schtasks.exe
PID 3184 wrote to memory of 2176	3184	explonde.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe
"C:\Users\Admin\AppData\Local\Temp\71d4fb80ea15c325f773dc577afdc8406fbba4769f90817b78ee0cd7b629719d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3922007.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3922007.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5850088.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5850088.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8858974.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8858974.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6702390.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6702390.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3576810.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3576810.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 152
7⤵
- Program crash
PID:1708

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9273524.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9273524.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 540
8⤵
- Program crash
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 148
7⤵
- Program crash
PID:896

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854531.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854531.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 592
6⤵
- Program crash
PID:724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9990701.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9990701.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4944

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:3692

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2372

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:3256

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0981323.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0981323.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:3704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2196

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:4512

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1768

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:2912

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0488140.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0488140.exe
2⤵
- Executes dropped EXE
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4896 -ip 4896
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1980 -ip 1980
1⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4204 -ip 4204
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3612 -ip 3612
1⤵
PID:4816

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0488140.exe
Filesize
22KB

MD5
0485b4ec547b19ea219cfd47dbc21172

SHA1
eac15aa7a52cfa66d5c015130dc658cd754679aa

SHA256
b246e4a5a26cc8e1a54fd3a9bfa6f6431747b27759e3ad60bc3b26c74a6e9a40

SHA512
ab3298e545c3a7efdb9ccf068c47db44f748ca11294986588d365b01f69936746d5f89bd80991dd359cbaba59f30116579697785bc96e76d651b1170716d4eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0488140.exe
Filesize
22KB

MD5
0485b4ec547b19ea219cfd47dbc21172

SHA1
eac15aa7a52cfa66d5c015130dc658cd754679aa

SHA256
b246e4a5a26cc8e1a54fd3a9bfa6f6431747b27759e3ad60bc3b26c74a6e9a40

SHA512
ab3298e545c3a7efdb9ccf068c47db44f748ca11294986588d365b01f69936746d5f89bd80991dd359cbaba59f30116579697785bc96e76d651b1170716d4eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3922007.exe
Filesize
1.2MB

MD5
3acf65e353e329885eabd914b7c27331

SHA1
9308d58925ad6c6d89f306995e6ce41dbc7af7b9

SHA256
27bdb3e61c6ccdcc8a808e5091e880e09e42e62fc0715b57eb392c5b42ae6054

SHA512
286087381d51e616e53d00bae829eade88089886b4ae3fa5949d62088ff9721b123e67a225148ab43f5c6c3ff3005efdffe0e3f9454d098e255a9dde915366c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3922007.exe
Filesize
1.2MB

MD5
3acf65e353e329885eabd914b7c27331

SHA1
9308d58925ad6c6d89f306995e6ce41dbc7af7b9

SHA256
27bdb3e61c6ccdcc8a808e5091e880e09e42e62fc0715b57eb392c5b42ae6054

SHA512
286087381d51e616e53d00bae829eade88089886b4ae3fa5949d62088ff9721b123e67a225148ab43f5c6c3ff3005efdffe0e3f9454d098e255a9dde915366c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0981323.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0981323.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5850088.exe
Filesize
1.0MB

MD5
6021bd54dadcaef53096a3d67e65b7e6

SHA1
dcde70e1979ae2d28f68fbaaa1bbcff27a40393f

SHA256
36e87ed20c5ab4d39b21ba29912cc373878bdf7dfe349db5ed786d14f262396b

SHA512
983dfa76442e81a1a578cfead823bd1904c8b084300f0fd585b473d822e3f2a5ca60524e8b72549514efa5b4e1976b46049d1061d7ad6bbf8faf23cdf79c4fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5850088.exe
Filesize
1.0MB

MD5
6021bd54dadcaef53096a3d67e65b7e6

SHA1
dcde70e1979ae2d28f68fbaaa1bbcff27a40393f

SHA256
36e87ed20c5ab4d39b21ba29912cc373878bdf7dfe349db5ed786d14f262396b

SHA512
983dfa76442e81a1a578cfead823bd1904c8b084300f0fd585b473d822e3f2a5ca60524e8b72549514efa5b4e1976b46049d1061d7ad6bbf8faf23cdf79c4fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9990701.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9990701.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8858974.exe
Filesize
882KB

MD5
762298e9b83b489434dca668f5d3e8bd

SHA1
1976aa1d529c7b28e91d5a7e49c666c8234a3a90

SHA256
2782fb195effff4a301f09e609566a14529ab0474c9f78ce4cc724fc2fa41ae0

SHA512
9eea36e1141c538af4be4d0f31ee2b94927b4fada4742650faaab08a71eff2bdf24c5391530dccd22ab23d228caecb70e922dbdb1b5f17fdf6946b3cd3d81b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8858974.exe
Filesize
882KB

MD5
762298e9b83b489434dca668f5d3e8bd

SHA1
1976aa1d529c7b28e91d5a7e49c666c8234a3a90

SHA256
2782fb195effff4a301f09e609566a14529ab0474c9f78ce4cc724fc2fa41ae0

SHA512
9eea36e1141c538af4be4d0f31ee2b94927b4fada4742650faaab08a71eff2bdf24c5391530dccd22ab23d228caecb70e922dbdb1b5f17fdf6946b3cd3d81b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854531.exe
Filesize
1.0MB

MD5
8c1cb281516a9c8c63a43f4e39fcddd7

SHA1
7fcdc50f3af37ab23d87f9dbfe5eca3e88a69591

SHA256
9114b7022362c6fd7cd6b8b3aa64b71e2ebb52747dc5bbeeb175c7e3b9edfaf2

SHA512
ca1530625b8537d726f50e3610af253044fd115169bf0769165ea4adc6dcc6217cfa183ca6a6b3bef2d8e3c86be169749faa2fa844b9bd67963095b4c2409240

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7854531.exe
Filesize
1.0MB

MD5
8c1cb281516a9c8c63a43f4e39fcddd7

SHA1
7fcdc50f3af37ab23d87f9dbfe5eca3e88a69591

SHA256
9114b7022362c6fd7cd6b8b3aa64b71e2ebb52747dc5bbeeb175c7e3b9edfaf2

SHA512
ca1530625b8537d726f50e3610af253044fd115169bf0769165ea4adc6dcc6217cfa183ca6a6b3bef2d8e3c86be169749faa2fa844b9bd67963095b4c2409240

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6702390.exe
Filesize
491KB

MD5
bdb432b16c6cf3bb9f08deca61155fc7

SHA1
d6081a74f075940807dd254e6561933a47b0c6fc

SHA256
fe1343bca9d622f6fbf40fdaf026d29c01bd2cc17f4b1731872b43e6b14ecd59

SHA512
2e12428271c1d4d3898e870377414f3df24d6e174c5b796c9fe32593c6bbaf94f26b77bd604e8a45d6ad747b61ba7dfd89b23827348f2d10e8d9faf84494600c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6702390.exe
Filesize
491KB

MD5
bdb432b16c6cf3bb9f08deca61155fc7

SHA1
d6081a74f075940807dd254e6561933a47b0c6fc

SHA256
fe1343bca9d622f6fbf40fdaf026d29c01bd2cc17f4b1731872b43e6b14ecd59

SHA512
2e12428271c1d4d3898e870377414f3df24d6e174c5b796c9fe32593c6bbaf94f26b77bd604e8a45d6ad747b61ba7dfd89b23827348f2d10e8d9faf84494600c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3576810.exe
Filesize
860KB

MD5
f025fb41df634d99e36bd5a4e991a2a2

SHA1
17089d9d4669770d01bb091824d71915ef2d5b92

SHA256
0c74a149a33886627f1f2c0fa4e0db3c72472c36ea7eb15debc82f4ce6e4770d

SHA512
ba29113e9c99fc6ee8643c04d99fc1cf8aa09e5797febb74be9b743f83973e8ac191ac3354206fe272cd476aa22d368ad5ab196b17ec9bc82061046685ccc67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3576810.exe
Filesize
860KB

MD5
f025fb41df634d99e36bd5a4e991a2a2

SHA1
17089d9d4669770d01bb091824d71915ef2d5b92

SHA256
0c74a149a33886627f1f2c0fa4e0db3c72472c36ea7eb15debc82f4ce6e4770d

SHA512
ba29113e9c99fc6ee8643c04d99fc1cf8aa09e5797febb74be9b743f83973e8ac191ac3354206fe272cd476aa22d368ad5ab196b17ec9bc82061046685ccc67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9273524.exe
Filesize
1016KB

MD5
478cb5d62baf47a0345dcda7d2f310aa

SHA1
e27bca1458627ffc1b72ee00bc523d619b1ee2f5

SHA256
dbbb522d777edf47f3f8ea2c15cc501552fbaee7a0918ed0d88cba460192518c

SHA512
0e7a34421062e1da26fa284b4e2b4d52d8dba95196642419a4dbf4695ef522348f738f29d49ec440faf2211ad745b97242613991b0802dab50633bfaebf661c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9273524.exe
Filesize
1016KB

MD5
478cb5d62baf47a0345dcda7d2f310aa

SHA1
e27bca1458627ffc1b72ee00bc523d619b1ee2f5

SHA256
dbbb522d777edf47f3f8ea2c15cc501552fbaee7a0918ed0d88cba460192518c

SHA512
0e7a34421062e1da26fa284b4e2b4d52d8dba95196642419a4dbf4695ef522348f738f29d49ec440faf2211ad745b97242613991b0802dab50633bfaebf661c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
memory/540-36-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/540-78-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/540-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/540-37-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4204-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4204-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4204-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4204-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4656-51-0x0000000004D00000-0x0000000004D06000-memory.dmp

Filesize
24KB

Download
memory/4656-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4656-50-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4656-59-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4656-82-0x00000000053E0000-0x00000000059F8000-memory.dmp

Filesize
6.1MB

Download
memory/4656-83-0x00000000050D0000-0x00000000051DA000-memory.dmp

Filesize
1.0MB

Download
memory/4656-84-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4656-85-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4656-86-0x0000000005000000-0x000000000503C000-memory.dmp

Filesize
240KB

Download
memory/4656-87-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/4656-88-0x0000000005050000-0x000000000509C000-memory.dmp

Filesize
304KB

Download