amadey | 0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
05/11/2023, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe
Size

1.8MB
MD5

654a680c834eb9f3a73f73b1ff7b8eed
SHA1

19cc65a0252c0520488884e36f0e0280ae3c6939
SHA256

0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b
SHA512

24ba1db6229502e9080901fc7794feb2a387516a810c6c2060f23f5916c6210e9fc23cc2bc6345d938e395120ea4abebfb65f1e8922abde3b0232b80a650b55e
SSDEEP

49152:Xyx4LEHFWrwcCTTij3Q51hkJ4inCK3CdIWJc7M:iALMcCSjohHNIf

Score

10^/10

amadey redline smokeloader plost backdoor evasion infostealer persistence trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/3292-71-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Executes dropped EXE 17 IoCs

pid	Process
3316	QE5wt98.exe
5028	MD3aU43.exe
2244	rj8zS64.exe
3824	kP9Tn15.exe
2228	JI9TD75.exe
2156	1BN19FO5.exe
2052	2PH1623.exe
1396	3Qt45HW.exe
2776	4VT749fk.exe
4968	5Rc1fE2.exe
3600	explothe.exe
2432	6nf9rr6.exe
3576	7Hq9rJ10.exe
4372	explothe.exe
3752	explothe.exe
3464	explothe.exe
1380	explothe.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	QE5wt98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	MD3aU43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	rj8zS64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	kP9Tn15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	JI9TD75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 3252	2156	1BN19FO5.exe	78
PID 2052 set thread context of 4880	2052	2PH1623.exe	81
PID 2776 set thread context of 3292	2776	4VT749fk.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
820	4880	WerFault.exe	81

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Qt45HW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Qt45HW.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3Qt45HW.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	3Qt45HW.exe
1396	3Qt45HW.exe
3252	AppLaunch.exe
3252	AppLaunch.exe
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found
3220	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3220	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1396	3Qt45HW.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3252	AppLaunch.exe
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found
Token: SeShutdownPrivilege	3220	Process not Found
Token: SeCreatePagefilePrivilege	3220	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3316	2212	0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe	71
PID 2212 wrote to memory of 3316	2212	0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe	71
PID 2212 wrote to memory of 3316	2212	0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe	71
PID 3316 wrote to memory of 5028	3316	QE5wt98.exe	72
PID 3316 wrote to memory of 5028	3316	QE5wt98.exe	72
PID 3316 wrote to memory of 5028	3316	QE5wt98.exe	72
PID 5028 wrote to memory of 2244	5028	MD3aU43.exe	73
PID 5028 wrote to memory of 2244	5028	MD3aU43.exe	73
PID 5028 wrote to memory of 2244	5028	MD3aU43.exe	73
PID 2244 wrote to memory of 3824	2244	rj8zS64.exe	74
PID 2244 wrote to memory of 3824	2244	rj8zS64.exe	74
PID 2244 wrote to memory of 3824	2244	rj8zS64.exe	74
PID 3824 wrote to memory of 2228	3824	kP9Tn15.exe	75
PID 3824 wrote to memory of 2228	3824	kP9Tn15.exe	75
PID 3824 wrote to memory of 2228	3824	kP9Tn15.exe	75
PID 2228 wrote to memory of 2156	2228	JI9TD75.exe	76
PID 2228 wrote to memory of 2156	2228	JI9TD75.exe	76
PID 2228 wrote to memory of 2156	2228	JI9TD75.exe	76
PID 2156 wrote to memory of 4508	2156	1BN19FO5.exe	77
PID 2156 wrote to memory of 4508	2156	1BN19FO5.exe	77
PID 2156 wrote to memory of 4508	2156	1BN19FO5.exe	77
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2156 wrote to memory of 3252	2156	1BN19FO5.exe	78
PID 2228 wrote to memory of 2052	2228	JI9TD75.exe	79
PID 2228 wrote to memory of 2052	2228	JI9TD75.exe	79
PID 2228 wrote to memory of 2052	2228	JI9TD75.exe	79
PID 2052 wrote to memory of 4444	2052	2PH1623.exe	80
PID 2052 wrote to memory of 4444	2052	2PH1623.exe	80
PID 2052 wrote to memory of 4444	2052	2PH1623.exe	80
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 2052 wrote to memory of 4880	2052	2PH1623.exe	81
PID 3824 wrote to memory of 1396	3824	kP9Tn15.exe	82
PID 3824 wrote to memory of 1396	3824	kP9Tn15.exe	82
PID 3824 wrote to memory of 1396	3824	kP9Tn15.exe	82
PID 2244 wrote to memory of 2776	2244	rj8zS64.exe	85
PID 2244 wrote to memory of 2776	2244	rj8zS64.exe	85
PID 2244 wrote to memory of 2776	2244	rj8zS64.exe	85
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 2776 wrote to memory of 3292	2776	4VT749fk.exe	86
PID 5028 wrote to memory of 4968	5028	MD3aU43.exe	87
PID 5028 wrote to memory of 4968	5028	MD3aU43.exe	87
PID 5028 wrote to memory of 4968	5028	MD3aU43.exe	87
PID 4968 wrote to memory of 3600	4968	5Rc1fE2.exe	88
PID 4968 wrote to memory of 3600	4968	5Rc1fE2.exe	88

C:\Users\Admin\AppData\Local\Temp\0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe
"C:\Users\Admin\AppData\Local\Temp\0894e9f826f0067a6d6a8845074529d7aab98ac2106e580463fcc2526e8c2b1b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QE5wt98.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QE5wt98.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MD3aU43.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MD3aU43.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj8zS64.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj8zS64.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kP9Tn15.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kP9Tn15.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JI9TD75.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JI9TD75.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BN19FO5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BN19FO5.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4508
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2PH1623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2PH1623.exe
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4444
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 568
        9⤵
        Program crash
        
        PID:820
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Qt45HW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Qt45HW.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4VT749fk.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4VT749fk.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2776
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Rc1fE2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Rc1fE2.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
        5⤵
        Executes dropped EXE
        
        PID:3600
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3628
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        7⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        7⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        7⤵
        
        PID:204
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        7⤵
        
        PID:752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nf9rr6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nf9rr6.exe
    3⤵
    - Executes dropped EXE
    PID:2432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Hq9rJ10.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Hq9rJ10.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
    3⤵
    PID:2924

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:4372

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3752

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Hq9rJ10.exe

Filesize
72KB

MD5
0385e3b02b8cc26a56708f5d7ad4fda3

SHA1
726aded8c300e3ce90005492902266dedd76a324

SHA256
7beb4afa32368d11d52324e6249028761dc621c121ff7b5ece80ffdc5afb83cf

SHA512
2842dfc44a0f42207de27b2611fe34717f6cd664bc0c81ae88d415e107d975932c6e606c4d030df9e6c4864b3dcb9700bd6a1ce3630e4871802135cdec86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Hq9rJ10.exe

Filesize
72KB

MD5
0385e3b02b8cc26a56708f5d7ad4fda3

SHA1
726aded8c300e3ce90005492902266dedd76a324

SHA256
7beb4afa32368d11d52324e6249028761dc621c121ff7b5ece80ffdc5afb83cf

SHA512
2842dfc44a0f42207de27b2611fe34717f6cd664bc0c81ae88d415e107d975932c6e606c4d030df9e6c4864b3dcb9700bd6a1ce3630e4871802135cdec86df2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QE5wt98.exe

Filesize
1.7MB

MD5
c4ae6445f8033cc716acf0a4342288fa

SHA1
124056dccf4a193287a89dad6554b60118ad8d39

SHA256
b5d77a4b884e1bed1e90e70d07c9ad23b83f253d5e327e69a61ed30ea79f63f9

SHA512
638da44bebfee3fe16052d1d45f7c31ccb73f49b3ba4c23f34c7cabb3ba43b897db2ba09c7e08e430e8f99f8c6f94a065b279e5064bc9903a1f393eaada11d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QE5wt98.exe

Filesize
1.7MB

MD5
c4ae6445f8033cc716acf0a4342288fa

SHA1
124056dccf4a193287a89dad6554b60118ad8d39

SHA256
b5d77a4b884e1bed1e90e70d07c9ad23b83f253d5e327e69a61ed30ea79f63f9

SHA512
638da44bebfee3fe16052d1d45f7c31ccb73f49b3ba4c23f34c7cabb3ba43b897db2ba09c7e08e430e8f99f8c6f94a065b279e5064bc9903a1f393eaada11d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nf9rr6.exe

Filesize
181KB

MD5
7454f0810bf5ef8a50d25566d6b165b6

SHA1
fa3e6cfba57861c611f26a86287c2107387377d2

SHA256
9c5902b52f845e83bf4f08aaba4d780edd649c6deb5f65ce53a4f4cd9a9747de

SHA512
003477a6b8a89b9122252f913a53d4b8ac95097f14a9823e1c89702ffd334a85bc4953504768a75b261bf2782b109d1b8e720b334cef0b506306a578b71183eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6nf9rr6.exe

Filesize
181KB

MD5
7454f0810bf5ef8a50d25566d6b165b6

SHA1
fa3e6cfba57861c611f26a86287c2107387377d2

SHA256
9c5902b52f845e83bf4f08aaba4d780edd649c6deb5f65ce53a4f4cd9a9747de

SHA512
003477a6b8a89b9122252f913a53d4b8ac95097f14a9823e1c89702ffd334a85bc4953504768a75b261bf2782b109d1b8e720b334cef0b506306a578b71183eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MD3aU43.exe

Filesize
1.5MB

MD5
6482fe15d112f04ba140c7feafdc3835

SHA1
9d702f0fa416910e5060355db17095a0d027b7de

SHA256
ecf0416c81373f9afab348397e23d59345b7d4ab3a89b0598848d3c5ef9b0e38

SHA512
f7797c81eeb119b27a2ee75a7a0db8b695b7a1b5f3533a39937a03cf20e6f0e6c87119cdc3d7593c8ae8bf4c03be857589bc328baab1647f4e2ca8d1efaa8db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MD3aU43.exe

Filesize
1.5MB

MD5
6482fe15d112f04ba140c7feafdc3835

SHA1
9d702f0fa416910e5060355db17095a0d027b7de

SHA256
ecf0416c81373f9afab348397e23d59345b7d4ab3a89b0598848d3c5ef9b0e38

SHA512
f7797c81eeb119b27a2ee75a7a0db8b695b7a1b5f3533a39937a03cf20e6f0e6c87119cdc3d7593c8ae8bf4c03be857589bc328baab1647f4e2ca8d1efaa8db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Rc1fE2.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Rc1fE2.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj8zS64.exe

Filesize
1.3MB

MD5
25eda5d87b10dcfa6ff54acf4ce3908a

SHA1
ebc9a3d347aca4b2a959a2e43e8fb01e84ce630f

SHA256
3ca367160b499ffdac5ea3d4157769f2481c2568bf0bf4c789aeded3e66b8a0c

SHA512
a289cdf868491caa52ef167294562cd967e000e2f72e9383ecd8bd8f85923886441acc2769a5a465d1dc0f262c593c0b83cd7b36e4b9dc2b6cbbd0fb465a3c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rj8zS64.exe

Filesize
1.3MB

MD5
25eda5d87b10dcfa6ff54acf4ce3908a

SHA1
ebc9a3d347aca4b2a959a2e43e8fb01e84ce630f

SHA256
3ca367160b499ffdac5ea3d4157769f2481c2568bf0bf4c789aeded3e66b8a0c

SHA512
a289cdf868491caa52ef167294562cd967e000e2f72e9383ecd8bd8f85923886441acc2769a5a465d1dc0f262c593c0b83cd7b36e4b9dc2b6cbbd0fb465a3c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4VT749fk.exe

Filesize
1.9MB

MD5
730ec4132da8c3f5da7ddb66640d998e

SHA1
d1b64c7aa78afaac7170945ffbb8a74af5483c84

SHA256
029540664283f728896893e07de71beca51ef0e1edfcce5b54d0d0b1b16dcb18

SHA512
31d78bd0396ae6aa7d3b65142254ba86524ceb7c9db0cd3285171e708208353b5c27adb7be97a6ede937f6e33133b2e1407eed3972176e36ffcfb6408092ea9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4VT749fk.exe

Filesize
1.9MB

MD5
730ec4132da8c3f5da7ddb66640d998e

SHA1
d1b64c7aa78afaac7170945ffbb8a74af5483c84

SHA256
029540664283f728896893e07de71beca51ef0e1edfcce5b54d0d0b1b16dcb18

SHA512
31d78bd0396ae6aa7d3b65142254ba86524ceb7c9db0cd3285171e708208353b5c27adb7be97a6ede937f6e33133b2e1407eed3972176e36ffcfb6408092ea9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kP9Tn15.exe

Filesize
782KB

MD5
1ed1084ad30fdce4b010b1528e521fa9

SHA1
2f590c1711f04d897790e6111fb3ddf81e62fffe

SHA256
34b7aef77b796fbacc7d55dbed461383c393d91eb81bdb378b3e531fa593956a

SHA512
f71eab2e473e0aa844a057ad5d1f00049546edf3ca2aff353456a7757d194c0cc594dccd1428ce2ced56f18fad1e5434f80637cfd7fd8fd4a39624b65c55e565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kP9Tn15.exe

Filesize
782KB

MD5
1ed1084ad30fdce4b010b1528e521fa9

SHA1
2f590c1711f04d897790e6111fb3ddf81e62fffe

SHA256
34b7aef77b796fbacc7d55dbed461383c393d91eb81bdb378b3e531fa593956a

SHA512
f71eab2e473e0aa844a057ad5d1f00049546edf3ca2aff353456a7757d194c0cc594dccd1428ce2ced56f18fad1e5434f80637cfd7fd8fd4a39624b65c55e565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Qt45HW.exe

Filesize
31KB

MD5
81b72a32ef61e14f1d9860e84dc420a9

SHA1
39b722bcc035d86afaa76469fbf4ca5383619715

SHA256
d6d2344afc0f57d17f28fac3ef22c6c4577bd93d29e9e57235da863ae6fccd34

SHA512
3fafd9e5a76605582ce107c7f8574013878ef40642e28adfd85576f4f65781e3da54a5e5c5c408815bcf4327d21da268f84e5ba388adb1f84f83d868ef21d8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Qt45HW.exe

Filesize
31KB

MD5
81b72a32ef61e14f1d9860e84dc420a9

SHA1
39b722bcc035d86afaa76469fbf4ca5383619715

SHA256
d6d2344afc0f57d17f28fac3ef22c6c4577bd93d29e9e57235da863ae6fccd34

SHA512
3fafd9e5a76605582ce107c7f8574013878ef40642e28adfd85576f4f65781e3da54a5e5c5c408815bcf4327d21da268f84e5ba388adb1f84f83d868ef21d8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JI9TD75.exe

Filesize
658KB

MD5
6f300bbbdda35519d348aef39c7c01e4

SHA1
a6ceb1317b88700cf282e0b22a6e0fd7f73833cb

SHA256
957e156db3f5d02bf2c3863fb92aa01e97aba097031b82169084022e36aa518c

SHA512
a7ce851fcacf3be4bc69091e8d78195ceb66ec3b1a3c6f9ffe2d612320533f9d81da00abab97252094e1b1a3ea02c55a02befaa2b3ae58a6d20fb38c0c6783bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\JI9TD75.exe

Filesize
658KB

MD5
6f300bbbdda35519d348aef39c7c01e4

SHA1
a6ceb1317b88700cf282e0b22a6e0fd7f73833cb

SHA256
957e156db3f5d02bf2c3863fb92aa01e97aba097031b82169084022e36aa518c

SHA512
a7ce851fcacf3be4bc69091e8d78195ceb66ec3b1a3c6f9ffe2d612320533f9d81da00abab97252094e1b1a3ea02c55a02befaa2b3ae58a6d20fb38c0c6783bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BN19FO5.exe

Filesize
1.6MB

MD5
67ef8f2eb4949d5db808da267d40b010

SHA1
ed0d887ff9d074367f34a6aa281d3dd59bf87438

SHA256
36a0770908eb7c6e730cd0b928dc6c97b2de372767c55292940fae7ee23eb50b

SHA512
a71628b2049a4887a914151d8c68538dbc310270b13ab52672a33a1d841b86f7ee36b5adf942b23e92600694800cb059c053c5dea1c77e6da7a0ae58aa52c9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1BN19FO5.exe

Filesize
1.6MB

MD5
67ef8f2eb4949d5db808da267d40b010

SHA1
ed0d887ff9d074367f34a6aa281d3dd59bf87438

SHA256
36a0770908eb7c6e730cd0b928dc6c97b2de372767c55292940fae7ee23eb50b

SHA512
a71628b2049a4887a914151d8c68538dbc310270b13ab52672a33a1d841b86f7ee36b5adf942b23e92600694800cb059c053c5dea1c77e6da7a0ae58aa52c9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2PH1623.exe

Filesize
1.8MB

MD5
64309252cd2b9cd86db027a1d455ccf8

SHA1
8c0048a67f6fc9cdfe27d1e11ec6337a26b12639

SHA256
d6bbd0ed0c114d616d20cb595ca35379c33865d5f7238730fa5e46db7d9443b5

SHA512
d9f3384544b1502d363c173639ff0c9ad0d77cf0b56c19fbdf78ba9c4d95cf1172d9d45d1fd61bedc0d025f95d56a124fd783d206e51f61743c6a4baf73d51c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2PH1623.exe

Filesize
1.8MB

MD5
64309252cd2b9cd86db027a1d455ccf8

SHA1
8c0048a67f6fc9cdfe27d1e11ec6337a26b12639

SHA256
d6bbd0ed0c114d616d20cb595ca35379c33865d5f7238730fa5e46db7d9443b5

SHA512
d9f3384544b1502d363c173639ff0c9ad0d77cf0b56c19fbdf78ba9c4d95cf1172d9d45d1fd61bedc0d025f95d56a124fd783d206e51f61743c6a4baf73d51c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
222KB

MD5
dbb35c4bd0ef3af62dfca1a68995f6ba

SHA1
f9463574847ad0b98626610dd273a591bdd1f7db

SHA256
ffbe582cb068399f76008ca29794ff4797d38998462190f62eab80c3c6a5060d

SHA512
1315bda0ead2add83f5455e8fa22a127b5f9d4c0db1747bc6f0244457342597da4e9e7ca5b1a1daf89f3619bb4cd92f6acd252e9926e14766ac734010136edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is64.bat

Filesize
181B

MD5
225edee1d46e0a80610db26b275d72fb

SHA1
ce206abf11aaf19278b72f5021cc64b1b427b7e8

SHA256
e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559

SHA512
4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504

Download Submit
memory/1396-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1396-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3220-64-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/3252-115-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-130-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3252-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3252-48-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3292-90-0x000000000BCD0000-0x000000000BD62000-memory.dmp

Filesize
584KB

Download
memory/3292-100-0x000000000CC00000-0x000000000D206000-memory.dmp

Filesize
6.0MB

Download
memory/3292-103-0x000000000C5F0000-0x000000000C6FA000-memory.dmp

Filesize
1.0MB

Download
memory/3292-104-0x000000000BF40000-0x000000000BF52000-memory.dmp

Filesize
72KB

Download
memory/3292-105-0x000000000BFA0000-0x000000000BFDE000-memory.dmp

Filesize
248KB

Download
memory/3292-94-0x000000000BE60000-0x000000000BE6A000-memory.dmp

Filesize
40KB

Download
memory/3292-87-0x000000000C0F0000-0x000000000C5EE000-memory.dmp

Filesize
5.0MB

Download
memory/3292-110-0x000000000BFE0000-0x000000000C02B000-memory.dmp

Filesize
300KB

Download
memory/3292-80-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/3292-71-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3292-131-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/4880-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download