amadey | 0a21dd97dbf41c86eac2b1269ae86745665079c44c43b4aeceb13bd980d38285

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
Size

1.1MB
MD5

6b21b1a50b225c5fbe8fc6f0a7065b2f
SHA1

523d48b2aa9227cd915555221e66b2a1acc4f617
SHA256

0a21dd97dbf41c86eac2b1269ae86745665079c44c43b4aeceb13bd980d38285
SHA512

15b1d919109fad10a45125437b29b8589e192c43cdbee41571976d8476e6e79b11d54d2dcce1351b3c00bdf1e249a3e7f208c9ba61e26220ee18b827baa440ed
SSDEEP

24576:hy5Y3WxzTRJ/kaD4nUZOwz2jNoUVuIgJMcnu1ce5tuPSZ7uZ/OHEI:UsWxzTRmaMULANowkMcuOeUSZuZ

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.68.52/mac/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explonde.exe
strings_key
916aae73606d7a9e02a1d3b47c199688

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2188-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2188-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2188-43-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/2188-45-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2388-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t2788993.exeu7432673.exeexplonde.exelegota.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	t2788993.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	u7432673.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	explonde.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 14 IoCs

Processes:

z9435241.exez6354729.exez2327218.exez2036875.exeq1413465.exer7486107.exes4072030.exet2788993.exeexplonde.exeu7432673.exelegota.exew3066045.exeexplonde.exelegota.exe

pid	process
4200	z9435241.exe
1148	z6354729.exe
3256	z2327218.exe
1068	z2036875.exe
1160	q1413465.exe
3368	r7486107.exe
4864	s4072030.exe
4452	t2788993.exe
4284	explonde.exe
3248	u7432673.exe
4804	legota.exe
2096	w3066045.exe
4204	explonde.exe
4856	legota.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

5112 rundll32.exe

pid	process
5112	rundll32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

z2327218.exez2036875.exe6b21b1a50b225c5fbe8fc6f0a7065b2f.exez9435241.exez6354729.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2327218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2036875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9435241.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6354729.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q1413465.exer7486107.exes4072030.exe

description	pid	process	target process
PID 1160 set thread context of 2388	1160	q1413465.exe	AppLaunch.exe
PID 3368 set thread context of 2188	3368	r7486107.exe	AppLaunch.exe
PID 4864 set thread context of 2828	4864	s4072030.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1048	1160	WerFault.exe	q1413465.exe
716	3368	WerFault.exe	r7486107.exe
4488	2188	WerFault.exe	AppLaunch.exe
2980	4864	WerFault.exe	s4072030.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3868 schtasks.exe
3888 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2388 AppLaunch.exe
2388 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2388 AppLaunch.exe

pid	process
3868	schtasks.exe
3888	schtasks.exe

pid	process
2388	AppLaunch.exe
2388	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2388	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6b21b1a50b225c5fbe8fc6f0a7065b2f.exez9435241.exez6354729.exez2327218.exez2036875.exeq1413465.exer7486107.exes4072030.exet2788993.exeu7432673.exeexplonde.exe

description	pid	process	target process
PID 4248 wrote to memory of 4200	4248	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 4248 wrote to memory of 4200	4248	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 4248 wrote to memory of 4200	4248	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	z9435241.exe
PID 4200 wrote to memory of 1148	4200	z9435241.exe	z6354729.exe
PID 4200 wrote to memory of 1148	4200	z9435241.exe	z6354729.exe
PID 4200 wrote to memory of 1148	4200	z9435241.exe	z6354729.exe
PID 1148 wrote to memory of 3256	1148	z6354729.exe	z2327218.exe
PID 1148 wrote to memory of 3256	1148	z6354729.exe	z2327218.exe
PID 1148 wrote to memory of 3256	1148	z6354729.exe	z2327218.exe
PID 3256 wrote to memory of 1068	3256	z2327218.exe	z2036875.exe
PID 3256 wrote to memory of 1068	3256	z2327218.exe	z2036875.exe
PID 3256 wrote to memory of 1068	3256	z2327218.exe	z2036875.exe
PID 1068 wrote to memory of 1160	1068	z2036875.exe	q1413465.exe
PID 1068 wrote to memory of 1160	1068	z2036875.exe	q1413465.exe
PID 1068 wrote to memory of 1160	1068	z2036875.exe	q1413465.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1160 wrote to memory of 2388	1160	q1413465.exe	AppLaunch.exe
PID 1068 wrote to memory of 3368	1068	z2036875.exe	r7486107.exe
PID 1068 wrote to memory of 3368	1068	z2036875.exe	r7486107.exe
PID 1068 wrote to memory of 3368	1068	z2036875.exe	r7486107.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3368 wrote to memory of 2188	3368	r7486107.exe	AppLaunch.exe
PID 3256 wrote to memory of 4864	3256	z2327218.exe	s4072030.exe
PID 3256 wrote to memory of 4864	3256	z2327218.exe	s4072030.exe
PID 3256 wrote to memory of 4864	3256	z2327218.exe	s4072030.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 4864 wrote to memory of 2828	4864	s4072030.exe	AppLaunch.exe
PID 1148 wrote to memory of 4452	1148	z6354729.exe	t2788993.exe
PID 1148 wrote to memory of 4452	1148	z6354729.exe	t2788993.exe
PID 1148 wrote to memory of 4452	1148	z6354729.exe	t2788993.exe
PID 4452 wrote to memory of 4284	4452	t2788993.exe	explonde.exe
PID 4452 wrote to memory of 4284	4452	t2788993.exe	explonde.exe
PID 4452 wrote to memory of 4284	4452	t2788993.exe	explonde.exe
PID 4200 wrote to memory of 3248	4200	z9435241.exe	u7432673.exe
PID 4200 wrote to memory of 3248	4200	z9435241.exe	u7432673.exe
PID 4200 wrote to memory of 3248	4200	z9435241.exe	u7432673.exe
PID 3248 wrote to memory of 4804	3248	u7432673.exe	legota.exe
PID 3248 wrote to memory of 4804	3248	u7432673.exe	legota.exe
PID 3248 wrote to memory of 4804	3248	u7432673.exe	legota.exe
PID 4248 wrote to memory of 2096	4248	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	w3066045.exe
PID 4248 wrote to memory of 2096	4248	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	w3066045.exe
PID 4248 wrote to memory of 2096	4248	6b21b1a50b225c5fbe8fc6f0a7065b2f.exe	w3066045.exe
PID 4284 wrote to memory of 3868	4284	explonde.exe	schtasks.exe
PID 4284 wrote to memory of 3868	4284	explonde.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\6b21b1a50b225c5fbe8fc6f0a7065b2f.exe
"C:\Users\Admin\AppData\Local\Temp\6b21b1a50b225c5fbe8fc6f0a7065b2f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 568
7⤵
- Program crash
PID:1048

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7486107.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7486107.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 540
8⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 564
7⤵
- Program crash
PID:716

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4072030.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4072030.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 572
6⤵
- Program crash
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2788993.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2788993.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
6⤵
- Creates scheduled task(s)
PID:3868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5032

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:N"
7⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "explonde.exe" /P "Admin:R" /E
7⤵
PID:4184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:1500

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:4764

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:1576

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
- Loads dropped DLL
PID:5112

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7432673.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7432673.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3248

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:4804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
5⤵
- Creates scheduled task(s)
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
5⤵
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1600

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
6⤵
PID:2124

C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
6⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
6⤵
PID:2740

C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
6⤵
PID:3892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
5⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3066045.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3066045.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1160 -ip 1160
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3368 -ip 3368
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2188 -ip 2188
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4864 -ip 4864
1⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
1⤵
- Executes dropped EXE
PID:4856

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3066045.exe
Filesize
22KB

MD5
d974cabe26fd60b669ceb0dc30ebc010

SHA1
13b9c0045d1c79b624c6b3fd9604e86a24400d8a

SHA256
2e1fc3d53dc03cda6c5975a7fadbfefba1de99534a5a66860227e389c68b55f5

SHA512
4cfe834eddbdec36f7e9235cf3bf9b4a6bbd42558e235396b5084a4d4a8b5156c2e2d616e573309b35754aa53012e03e022826046a101e1ee2c4095de663ed71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w3066045.exe
Filesize
22KB

MD5
d974cabe26fd60b669ceb0dc30ebc010

SHA1
13b9c0045d1c79b624c6b3fd9604e86a24400d8a

SHA256
2e1fc3d53dc03cda6c5975a7fadbfefba1de99534a5a66860227e389c68b55f5

SHA512
4cfe834eddbdec36f7e9235cf3bf9b4a6bbd42558e235396b5084a4d4a8b5156c2e2d616e573309b35754aa53012e03e022826046a101e1ee2c4095de663ed71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
Filesize
997KB

MD5
7a642afab8394d6aaa5cbae66866b7b6

SHA1
c71576789b2555a912848fc42810fee82c4e6a7e

SHA256
02ea308cb24014385d6cc05d5b7a6ded87cf292ed5e3204f6d70372d74026878

SHA512
4a98dae51dad95babba2ba27f68ceb0df1cdcf07b43671d45f5e160eddd6b3e7c6848c407eb9d627ed0f7fb15bcb2f0da1aa41db71e4f3fe34a14708756bbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9435241.exe
Filesize
997KB

MD5
7a642afab8394d6aaa5cbae66866b7b6

SHA1
c71576789b2555a912848fc42810fee82c4e6a7e

SHA256
02ea308cb24014385d6cc05d5b7a6ded87cf292ed5e3204f6d70372d74026878

SHA512
4a98dae51dad95babba2ba27f68ceb0df1cdcf07b43671d45f5e160eddd6b3e7c6848c407eb9d627ed0f7fb15bcb2f0da1aa41db71e4f3fe34a14708756bbb6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7432673.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u7432673.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
Filesize
814KB

MD5
6b81abe1cbb731807e5397fb00f472c7

SHA1
60f8115d3a0e22e9c6ffc6b0d1c0f41862a164b5

SHA256
69f21d8eca0608fbfec66d4b08f63d7cd78d09eb9f98d330f3c0efcc537ea8fc

SHA512
3e9f6785f848f2ed51fa32a1f9b256b258b0f65f221f3eb028c94dccc3814704b1981eb737ed35347b84c01971f2c55688f7b8e92b2152efd8e98831fac0c95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6354729.exe
Filesize
814KB

MD5
6b81abe1cbb731807e5397fb00f472c7

SHA1
60f8115d3a0e22e9c6ffc6b0d1c0f41862a164b5

SHA256
69f21d8eca0608fbfec66d4b08f63d7cd78d09eb9f98d330f3c0efcc537ea8fc

SHA512
3e9f6785f848f2ed51fa32a1f9b256b258b0f65f221f3eb028c94dccc3814704b1981eb737ed35347b84c01971f2c55688f7b8e92b2152efd8e98831fac0c95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2788993.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2788993.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
Filesize
631KB

MD5
91b6723929525c96efc46be907630dd2

SHA1
f0b216cd013db666fd314fa470e28f3411131a2a

SHA256
95ab92acde581f0ab501c1759d24dae1677b7f956de0c285a190177411b5e7c7

SHA512
7cecb178912166fe3073c1ecb8db024c7fc0cdc341f330b886c1be66ec73edbd541f10e9e8cb07d9f14483e9669729b0ec9ffd5156525b1c7f6c6baa9f625452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2327218.exe
Filesize
631KB

MD5
91b6723929525c96efc46be907630dd2

SHA1
f0b216cd013db666fd314fa470e28f3411131a2a

SHA256
95ab92acde581f0ab501c1759d24dae1677b7f956de0c285a190177411b5e7c7

SHA512
7cecb178912166fe3073c1ecb8db024c7fc0cdc341f330b886c1be66ec73edbd541f10e9e8cb07d9f14483e9669729b0ec9ffd5156525b1c7f6c6baa9f625452

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4072030.exe
Filesize
413KB

MD5
2254be7bf27a7fecadb2abea4dcdd7f6

SHA1
08618b11878c8698db9c932b033904ed4d363004

SHA256
90a90efd8f8d8ad51ee560ecfec2ded5e904f4acf77f2cb1d5797eedc6e2b345

SHA512
a98567dc37a8e87aaf873e2590e47c63824b474af3f1c178d2df189761f2e23160f69da118a347afbd9ebcff4ece9289a46bfcc9e0930df83356971d359ca398

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4072030.exe
Filesize
413KB

MD5
2254be7bf27a7fecadb2abea4dcdd7f6

SHA1
08618b11878c8698db9c932b033904ed4d363004

SHA256
90a90efd8f8d8ad51ee560ecfec2ded5e904f4acf77f2cb1d5797eedc6e2b345

SHA512
a98567dc37a8e87aaf873e2590e47c63824b474af3f1c178d2df189761f2e23160f69da118a347afbd9ebcff4ece9289a46bfcc9e0930df83356971d359ca398

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
Filesize
353KB

MD5
6fd8861be51e00b9ea6b96aebdab3e5f

SHA1
f2bc414fc7b847485b6b6e21484c161e99fe9a00

SHA256
0171e32a44ed1119add8bd15362ed84075b26c9b1336a75b356a87c4fb2341b6

SHA512
5d46b98926cc20de85a3b2678c90d5c0b8faf9c46c75b2da83c0bb1c0f7cd513ca395664442d4fb79fa387bfc8c09ffe6783d990782909a4968d7673cd8dbc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2036875.exe
Filesize
353KB

MD5
6fd8861be51e00b9ea6b96aebdab3e5f

SHA1
f2bc414fc7b847485b6b6e21484c161e99fe9a00

SHA256
0171e32a44ed1119add8bd15362ed84075b26c9b1336a75b356a87c4fb2341b6

SHA512
5d46b98926cc20de85a3b2678c90d5c0b8faf9c46c75b2da83c0bb1c0f7cd513ca395664442d4fb79fa387bfc8c09ffe6783d990782909a4968d7673cd8dbc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1413465.exe
Filesize
250KB

MD5
9cbdd8bbc88ebea3ade8fad642a817dc

SHA1
c8597bd5b8ed23514ff7d7944866e53663ef699b

SHA256
b1e41df8a615eea08695d4d89a1772afa04a3fab09a5524ed1aaa12cf771f8a5

SHA512
2b2e5dd1aa883b7392714bee5a501b9e6bf0a6b09cc7530edcb48d516d87d03461fb4c9a8d0c0b5f2e5e4172430b77a5761e77c9cf243a232678f0c59d7a7112

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7486107.exe
Filesize
379KB

MD5
f625c585eb619d0058403eac2521418e

SHA1
67b72232735deccc4a59edf6868b1555c24b379a

SHA256
b7bc02da193515ce4970ce9d3d710de270840d595e04a0c3714de298a5deddef

SHA512
2fb9bc40880a39677996867ce9d44c0fb2e72c7a9c0265f57a906df0ee59295a8027fe185359563e0106c10a514aca24d87b82c2aed33a682bae25057598e674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7486107.exe
Filesize
379KB

MD5
f625c585eb619d0058403eac2521418e

SHA1
67b72232735deccc4a59edf6868b1555c24b379a

SHA256
b7bc02da193515ce4970ce9d3d710de270840d595e04a0c3714de298a5deddef

SHA512
2fb9bc40880a39677996867ce9d44c0fb2e72c7a9c0265f57a906df0ee59295a8027fe185359563e0106c10a514aca24d87b82c2aed33a682bae25057598e674

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
0c459e65bcc6d38574f0c0d63a87088a

SHA1
41e53d5f2b3e7ca859b842a1c7b677e0847e6d65

SHA256
871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4

SHA512
be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

Download Submit
memory/2188-45-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2188-43-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2188-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2188-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2388-36-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2388-53-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2388-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2388-37-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-87-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-60-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/2828-59-0x0000000005DD0000-0x00000000063E8000-memory.dmp

Filesize
6.1MB

Download
memory/2828-69-0x0000000005830000-0x000000000587C000-memory.dmp

Filesize
304KB

Download
memory/2828-88-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/2828-62-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/2828-50-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-51-0x00000000014F0000-0x00000000014F6000-memory.dmp

Filesize
24KB

Download
memory/2828-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2828-61-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/2828-64-0x00000000057F0000-0x000000000582C000-memory.dmp

Filesize
240KB

Download