amadey | 5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1

Analysis

max time kernel
67s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2023, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
Size

787KB
MD5

5d26beb8eae1bcf1ba1fc82359f06df2
SHA1

430ce67550b5e47fa486b16b54ff1f87ff87be28
SHA256

5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1
SHA512

27ee89dc8d8975fa7d3609c4edeaed4a5eb1938755ff6e6c975d2d290aec3d1c21693657ce7c373e9e2ab63d204a284d7edd03d9c572433a5aa55fb33a8db581
SSDEEP

12288:kPoLpN82bScWfTvDb1XY7L7ezvBq0mBb3EKR234sLw5P6fyxEEi9NgyUI0L:dN82Mi34HsbHL5P6BEi9MI0L

Score

10^/10

amadey zgrat rat spyware stealer trojan

Malware Config

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/3876-140-0x000001B6E2A50000-0x000001B6E2B50000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
43	4528	rundll32.exe
44	4252	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	lef0tntp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation	Lncijzzbob.exe

Executes dropped EXE 9 IoCs

pid	Process
2672	lef0tntp.exe
4032	Utsysc.exe
3664	Lncijzzbob.exe
3752	LaunchPatch.exe
508	Utsysc.exe
4344	Lncijzzbob.exe
4536	Utsysc.exe
3876	LaunchPatch.exe
5084	TypeId.exe

Loads dropped DLL 3 IoCs

pid	Process
880	rundll32.exe
4252	rundll32.exe
4528	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3664 set thread context of 4344	3664	Lncijzzbob.exe	136
PID 3752 set thread context of 3876	3752	LaunchPatch.exe	138

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
644	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2080	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	3664	Lncijzzbob.exe
Token: SeDebugPrivilege	3752	LaunchPatch.exe
Token: SeDebugPrivilege	4536	Utsysc.exe
Token: SeDebugPrivilege	3876	LaunchPatch.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2672	lef0tntp.exe
4344	Lncijzzbob.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 880	2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe	90
PID 2716 wrote to memory of 880	2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe	90
PID 2716 wrote to memory of 880	2716	5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe	90
PID 4764 wrote to memory of 4584	4764	DllHost.exe	93
PID 4764 wrote to memory of 4584	4764	DllHost.exe	93
PID 4764 wrote to memory of 4584	4764	DllHost.exe	93
PID 4584 wrote to memory of 2672	4584	cmd.exe	96
PID 4584 wrote to memory of 2672	4584	cmd.exe	96
PID 4584 wrote to memory of 2672	4584	cmd.exe	96
PID 4764 wrote to memory of 2080	4764	DllHost.exe	97
PID 4764 wrote to memory of 2080	4764	DllHost.exe	97
PID 4764 wrote to memory of 2080	4764	DllHost.exe	97
PID 2672 wrote to memory of 4032	2672	lef0tntp.exe	103
PID 2672 wrote to memory of 4032	2672	lef0tntp.exe	103
PID 2672 wrote to memory of 4032	2672	lef0tntp.exe	103
PID 4032 wrote to memory of 644	4032	Utsysc.exe	104
PID 4032 wrote to memory of 644	4032	Utsysc.exe	104
PID 4032 wrote to memory of 644	4032	Utsysc.exe	104
PID 4032 wrote to memory of 4836	4032	Utsysc.exe	106
PID 4032 wrote to memory of 4836	4032	Utsysc.exe	106
PID 4032 wrote to memory of 4836	4032	Utsysc.exe	106
PID 4836 wrote to memory of 724	4836	cmd.exe	108
PID 4836 wrote to memory of 724	4836	cmd.exe	108
PID 4836 wrote to memory of 724	4836	cmd.exe	108
PID 4836 wrote to memory of 1564	4836	cmd.exe	109
PID 4836 wrote to memory of 1564	4836	cmd.exe	109
PID 4836 wrote to memory of 1564	4836	cmd.exe	109
PID 4836 wrote to memory of 4972	4836	cmd.exe	110
PID 4836 wrote to memory of 4972	4836	cmd.exe	110
PID 4836 wrote to memory of 4972	4836	cmd.exe	110
PID 4836 wrote to memory of 4516	4836	cmd.exe	111
PID 4836 wrote to memory of 4516	4836	cmd.exe	111
PID 4836 wrote to memory of 4516	4836	cmd.exe	111
PID 4836 wrote to memory of 672	4836	cmd.exe	112
PID 4836 wrote to memory of 672	4836	cmd.exe	112
PID 4836 wrote to memory of 672	4836	cmd.exe	112
PID 4836 wrote to memory of 3592	4836	cmd.exe	113
PID 4836 wrote to memory of 3592	4836	cmd.exe	113
PID 4836 wrote to memory of 3592	4836	cmd.exe	113
PID 4032 wrote to memory of 3664	4032	Utsysc.exe	114
PID 4032 wrote to memory of 3664	4032	Utsysc.exe	114
PID 4032 wrote to memory of 3664	4032	Utsysc.exe	114
PID 4032 wrote to memory of 3752	4032	Utsysc.exe	116
PID 4032 wrote to memory of 3752	4032	Utsysc.exe	116
PID 4032 wrote to memory of 880	4032	Utsysc.exe	118
PID 4032 wrote to memory of 880	4032	Utsysc.exe	118
PID 4032 wrote to memory of 880	4032	Utsysc.exe	118
PID 880 wrote to memory of 4252	880	rundll32.exe	119
PID 880 wrote to memory of 4252	880	rundll32.exe	119
PID 4032 wrote to memory of 4528	4032	Utsysc.exe	120
PID 4032 wrote to memory of 4528	4032	Utsysc.exe	120
PID 4032 wrote to memory of 4528	4032	Utsysc.exe	120
PID 4252 wrote to memory of 1280	4252	rundll32.exe	122
PID 4252 wrote to memory of 1280	4252	rundll32.exe	122
PID 4252 wrote to memory of 4972	4252	rundll32.exe	123
PID 4252 wrote to memory of 4972	4252	rundll32.exe	123
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136
PID 3664 wrote to memory of 4344	3664	Lncijzzbob.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe
"C:\Users\Admin\AppData\Local\Temp\5f0a841a24fe65880413ade13e1f90e07330640f5d0e8e06509a22201c4cb1b1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\3hjx2b0y.inf
  2⤵
  PID:880

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\lef0tntp.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\temp\lef0tntp.exe
    C:\Windows\temp\lef0tntp.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
      "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:644
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:724
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:N"
        6⤵
        
        PID:1564
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:R" /E
        6⤵
        
        PID:4972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:4516
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ea7c8244c8" /P "Admin:N"
        6⤵
        
        PID:672
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\ea7c8244c8" /P "Admin:R" /E
        6⤵
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
      - C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\fbae0edf68\Utsysc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fbae0edf68\Utsysc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe
        
        C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:1280
        
        C:\Windows\system32\tar.exe
        
        tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
        7⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:4528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
1⤵
- Executes dropped EXE
PID:508

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
1⤵
- Executes dropped EXE
PID:5084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LaunchPatch.exe.log

Filesize
1KB

MD5
159a40ccfd419bd60a20a1c278edaafd

SHA1
09bc35e46135b6b44c609fe6514ab7e2c8696a99

SHA256
24487f4b6318683dcd81970e9f57fb45167575f687f7831a563176e20da657b6

SHA512
b5c5b8c23479afff6b72c37c2cc1204c079ae003bae586d082d2b05acfdab8753fea78c5e53f692e4a45aba6746703d9ca99a2d0fa7bd88a7f35a910d1ad1ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe

Filesize
10KB

MD5
e84d471a80ec83eb8af3c140a6e4226b

SHA1
0fa7ab7b987a21968e212fc6880a8a9221ea183c

SHA256
cb17971c69696d81a364f55879b02caae2bd0135d0d1d6bfba48868f7a2f1d30

SHA512
671afbdc9d7e5999a5dbc80436e74003282f2d1ca75bc6506c7b6c32bec0c9cd8e923e4641a3c4e43b1f406c50fd7adbf8ec56b7ebbad379618f4310da472b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe

Filesize
10KB

MD5
e84d471a80ec83eb8af3c140a6e4226b

SHA1
0fa7ab7b987a21968e212fc6880a8a9221ea183c

SHA256
cb17971c69696d81a364f55879b02caae2bd0135d0d1d6bfba48868f7a2f1d30

SHA512
671afbdc9d7e5999a5dbc80436e74003282f2d1ca75bc6506c7b6c32bec0c9cd8e923e4641a3c4e43b1f406c50fd7adbf8ec56b7ebbad379618f4310da472b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe

Filesize
10KB

MD5
e84d471a80ec83eb8af3c140a6e4226b

SHA1
0fa7ab7b987a21968e212fc6880a8a9221ea183c

SHA256
cb17971c69696d81a364f55879b02caae2bd0135d0d1d6bfba48868f7a2f1d30

SHA512
671afbdc9d7e5999a5dbc80436e74003282f2d1ca75bc6506c7b6c32bec0c9cd8e923e4641a3c4e43b1f406c50fd7adbf8ec56b7ebbad379618f4310da472b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000088001\Lncijzzbob.exe

Filesize
10KB

MD5
e84d471a80ec83eb8af3c140a6e4226b

SHA1
0fa7ab7b987a21968e212fc6880a8a9221ea183c

SHA256
cb17971c69696d81a364f55879b02caae2bd0135d0d1d6bfba48868f7a2f1d30

SHA512
671afbdc9d7e5999a5dbc80436e74003282f2d1ca75bc6506c7b6c32bec0c9cd8e923e4641a3c4e43b1f406c50fd7adbf8ec56b7ebbad379618f4310da472b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe

Filesize
3.5MB

MD5
24db6db335c5b7c247da4fe717b63f25

SHA1
328d016e4ebc7253e6844f8839b085587f722d72

SHA256
14ed823d0f5b4a6074fd3e70646505cda2918d403a6b2fd9e5b0705f933e5f08

SHA512
ff82c5218cf3eaff4dd80f18778bc502f4cc964fe3a1c11127bbaf1efe71dd2d46ba37d08350eb806529fe33f634486e04622c0ad9194754683af37146244870

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe

Filesize
3.5MB

MD5
24db6db335c5b7c247da4fe717b63f25

SHA1
328d016e4ebc7253e6844f8839b085587f722d72

SHA256
14ed823d0f5b4a6074fd3e70646505cda2918d403a6b2fd9e5b0705f933e5f08

SHA512
ff82c5218cf3eaff4dd80f18778bc502f4cc964fe3a1c11127bbaf1efe71dd2d46ba37d08350eb806529fe33f634486e04622c0ad9194754683af37146244870

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe

Filesize
3.5MB

MD5
24db6db335c5b7c247da4fe717b63f25

SHA1
328d016e4ebc7253e6844f8839b085587f722d72

SHA256
14ed823d0f5b4a6074fd3e70646505cda2918d403a6b2fd9e5b0705f933e5f08

SHA512
ff82c5218cf3eaff4dd80f18778bc502f4cc964fe3a1c11127bbaf1efe71dd2d46ba37d08350eb806529fe33f634486e04622c0ad9194754683af37146244870

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000089001\LaunchPatch.exe

Filesize
3.5MB

MD5
24db6db335c5b7c247da4fe717b63f25

SHA1
328d016e4ebc7253e6844f8839b085587f722d72

SHA256
14ed823d0f5b4a6074fd3e70646505cda2918d403a6b2fd9e5b0705f933e5f08

SHA512
ff82c5218cf3eaff4dd80f18778bc502f4cc964fe3a1c11127bbaf1efe71dd2d46ba37d08350eb806529fe33f634486e04622c0ad9194754683af37146244870

Download Submit
C:\Users\Admin\AppData\Local\Temp\771604342093

Filesize
74KB

MD5
31265964d7fd2fb5a91e13a0b3b9f718

SHA1
68e1ad6059ee5588765356fbcf88501d43fc5ff8

SHA256
c4438849eecc6688e63bc0f5dfb69f1647748d7f0f94ac8f623416306ea1aae4

SHA512
06a7aa4bc4d96f69c431e2905fe5e0a70cdc3ceef87bd08136cc26aab56ae613a4966415415e1ad053946b2cb1710716dacd7fc3c83f03e16c3e61f309cb1828

Download Submit
C:\Users\Admin\AppData\Local\Temp\771604342093_Desktop.tar

Filesize
1024B

MD5
0f343b0931126a20f133d67c2b018a3b

SHA1
60cacbf3d72e1e7834203da608037b1bf83b40e8

SHA256
5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef

SHA512
8efb4f73c5655351c444eb109230c556d39e2c7624e9c11abc9e3fb4b9b9254218cc5085b454a9698d085cfa92198491f07a723be4574adc70617b73eb0b6461

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbae0edf68\Utsysc.exe

Filesize
10KB

MD5
e84d471a80ec83eb8af3c140a6e4226b

SHA1
0fa7ab7b987a21968e212fc6880a8a9221ea183c

SHA256
cb17971c69696d81a364f55879b02caae2bd0135d0d1d6bfba48868f7a2f1d30

SHA512
671afbdc9d7e5999a5dbc80436e74003282f2d1ca75bc6506c7b6c32bec0c9cd8e923e4641a3c4e43b1f406c50fd7adbf8ec56b7ebbad379618f4310da472b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbae0edf68\Utsysc.exe

Filesize
10KB

MD5
e84d471a80ec83eb8af3c140a6e4226b

SHA1
0fa7ab7b987a21968e212fc6880a8a9221ea183c

SHA256
cb17971c69696d81a364f55879b02caae2bd0135d0d1d6bfba48868f7a2f1d30

SHA512
671afbdc9d7e5999a5dbc80436e74003282f2d1ca75bc6506c7b6c32bec0c9cd8e923e4641a3c4e43b1f406c50fd7adbf8ec56b7ebbad379618f4310da472b0a

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

Filesize
102KB

MD5
ceffd8c6661b875b67ca5e4540950d8b

SHA1
91b53b79c98f22d0b8e204e11671d78efca48682

SHA256
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2

SHA512
6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

Filesize
102KB

MD5
ceffd8c6661b875b67ca5e4540950d8b

SHA1
91b53b79c98f22d0b8e204e11671d78efca48682

SHA256
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2

SHA512
6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

Filesize
102KB

MD5
ceffd8c6661b875b67ca5e4540950d8b

SHA1
91b53b79c98f22d0b8e204e11671d78efca48682

SHA256
da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2

SHA512
6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

Filesize
1.1MB

MD5
1c27631e70908879e1a5a8f3686e0d46

SHA1
31da82b122b08bb2b1e6d0c904993d6d599dc93a

SHA256
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9

SHA512
7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

Filesize
1.1MB

MD5
1c27631e70908879e1a5a8f3686e0d46

SHA1
31da82b122b08bb2b1e6d0c904993d6d599dc93a

SHA256
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9

SHA512
7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

Filesize
1.1MB

MD5
1c27631e70908879e1a5a8f3686e0d46

SHA1
31da82b122b08bb2b1e6d0c904993d6d599dc93a

SHA256
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9

SHA512
7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

Download Submit
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

Filesize
1.1MB

MD5
1c27631e70908879e1a5a8f3686e0d46

SHA1
31da82b122b08bb2b1e6d0c904993d6d599dc93a

SHA256
478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9

SHA512
7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
2788425499c155762f81cea2fced3d96

SHA1
37ec19133d18a475a89b08f152efe266e1b58a7f

SHA256
0745e908ea060f7933c6d8d5de747f11a600c41cc058a1ec2e664d6db64e14fd

SHA512
4fb76d3a8de55a42085dcb141045bcd80d4cea85a6a605911caa4b8e4350a142ff40f5311ef9718326317ef75650033af69c14c8c2c46375e385f8f99a16d7d7

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
837KB

MD5
9fb06c32cd566148367c94913919c5a7

SHA1
7f70e757332c9b63f5c4dc51d8b3e76f56acb8ec

SHA256
835f1ecf209a54d9329a6104460b3a7348800b1c47ea67bba704267a6331f3e4

SHA512
55595a5844520db01d76b7ed21e14478c9bab32da5821f7ed3f703e2d91a5c6131543b86893a52577bf97e8b5d5c35e9e1e836301a40758be7c90bad0b2eed05

Download Submit
C:\Windows\Temp\lef0tntp.exe

Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
C:\Windows\temp\3hjx2b0y.inf

Filesize
597B

MD5
bb6591ec83e9ec26312189020abc6fca

SHA1
0016cac4e16db283f9d655a38f410087cad2355e

SHA256
4d5d8b17d0c66ce7e6445fde60f10d742305374ea793169e0ceedc74ac0d2843

SHA512
0db5f3626260eda9c87c2b70ae2baeaaaab67f4eb67a315c2a73ff5d08de1a074dd0dc905bbd58a7f4126ff9e3af28018fed3d6abf29140f75ea16a0586febc9

Download Submit
C:\Windows\temp\lef0tntp.exe

Filesize
307KB

MD5
b6d627dcf04d04889b1f01a14ec12405

SHA1
f7292c3d6f2003947cc5455b41df5f8fbd14df14

SHA256
9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf

SHA512
1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

Download Submit
memory/2716-9-0x0000000000730000-0x0000000000826000-memory.dmp

Filesize
984KB

Download
memory/2716-13-0x0000000007420000-0x00000000074B2000-memory.dmp

Filesize
584KB

Download
memory/2716-18-0x0000000004C80000-0x0000000004C8A000-memory.dmp

Filesize
40KB

Download
memory/2716-0-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2716-11-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download
memory/2716-12-0x0000000006E60000-0x0000000007404000-memory.dmp

Filesize
5.6MB

Download
memory/2716-16-0x0000000007500000-0x0000000007510000-memory.dmp

Filesize
64KB

Download
memory/2716-22-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/2716-21-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2716-8-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/2716-1-0x0000000000730000-0x0000000000826000-memory.dmp

Filesize
984KB

Download
memory/3664-57-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/3664-58-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/3664-59-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3664-61-0x00000000061A0000-0x0000000006200000-memory.dmp

Filesize
384KB

Download
memory/3664-62-0x0000000006320000-0x0000000006380000-memory.dmp

Filesize
384KB

Download
memory/3664-60-0x00000000060B0000-0x0000000006128000-memory.dmp

Filesize
480KB

Download
memory/3664-108-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/3664-109-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3664-63-0x0000000006380000-0x00000000063CC000-memory.dmp

Filesize
304KB

Download
memory/3664-64-0x0000000006570000-0x00000000065D6000-memory.dmp

Filesize
408KB

Download
memory/3664-119-0x0000000073670000-0x0000000073E20000-memory.dmp

Filesize
7.7MB

Download
memory/3752-77-0x0000024E73690000-0x0000024E73A08000-memory.dmp

Filesize
3.5MB

Download
memory/3752-91-0x0000024E76140000-0x0000024E76228000-memory.dmp

Filesize
928KB

Download
memory/3752-78-0x00007FFA200F0000-0x00007FFA20BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-79-0x0000024E76130000-0x0000024E76140000-memory.dmp

Filesize
64KB

Download
memory/3752-112-0x0000024E76130000-0x0000024E76140000-memory.dmp

Filesize
64KB

Download
memory/3752-141-0x00007FFA200F0000-0x00007FFA20BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-111-0x00007FFA200F0000-0x00007FFA20BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3752-105-0x0000024E76400000-0x0000024E764D0000-memory.dmp

Filesize
832KB

Download
memory/3752-102-0x0000024E76230000-0x0000024E76300000-memory.dmp

Filesize
832KB

Download
memory/3876-149-0x00007FFA200F0000-0x00007FFA20BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3876-145-0x000001B6CA2F0000-0x000001B6CA346000-memory.dmp

Filesize
344KB

Download
memory/3876-136-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3876-146-0x000001B6E2CA0000-0x000001B6E2CF4000-memory.dmp

Filesize
336KB

Download
memory/3876-144-0x000001B6CA1A0000-0x000001B6CA1A8000-memory.dmp

Filesize
32KB

Download
memory/3876-140-0x000001B6E2A50000-0x000001B6E2B50000-memory.dmp

Filesize
1024KB

Download
memory/3876-142-0x00007FFA200F0000-0x00007FFA20BB1000-memory.dmp

Filesize
10.8MB

Download
memory/3876-143-0x000001B6CA120000-0x000001B6CA130000-memory.dmp

Filesize
64KB

Download
memory/4344-118-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4344-116-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4344-133-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4344-113-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4344-117-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4536-135-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4536-134-0x0000000072BD0000-0x0000000073380000-memory.dmp

Filesize
7.7MB

Download
memory/4536-150-0x0000000072BD0000-0x0000000073380000-memory.dmp

Filesize
7.7MB

Download
memory/4536-151-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5084-154-0x00007FFA20160000-0x00007FFA20C21000-memory.dmp

Filesize
10.8MB

Download